Chat now with support
Chat with Support

Privilege Manager for Unix 7.2.3 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

getshell

Syntax
string getshell ( string user )
Description

getshell returns the specified user’s login program from the policy server (or from the client host if getpasswordfromrun is set to yes in the policy server's pm.settings file).

Example
#check the user's shell on the policy server is in /opt/quest/bin 
shell=getshell(user); 
if (dirname(shell) != "/opt/quest/bin") { 
   reject "You are only permitted to run a login shell from /opt/quest/bin"; 
}

Authentication Services functions

These are the built-in Authentication Services functions available to use within the pmpolicy file.

Table 47: Authentication Services functions
Name Description
vas_auth_user_password Authenticate a user to Active Directory using Authentication Services.
vas_host_in_ADgrouplist Check whether selected host name and domain is a member of any group in the selected list.
vas_host_is_member Check whether selected host name and selected domain is a member of the selected group.
vas_user_get_groups Check membership of the group lists.
vas_user_in_ADgrouplist Return membership of the Active Directory group lists.

vas_user_is_member

Check whether a selected user name and selected domain is a member of the selected group.

vas_auth_user_password

Syntax
int vas_auth_user_password ( string user, string pmpt, [, int tries] )
Description

The vas_auth_user_password function attempts to authenticate a user to Active Directory using the Authentication Services API. This feature is platform dependent. The feature_enabled() function indicates whether this feature is supported on a particular policy server.

Returns 1 if the user successfully authenticates; otherwise it returns 0 (zero).

Example
if (feature_enabled(FEATURE_VAS) ) { 
   if (!vas_auth_user_password(user, "AD Password:", 3)) { 
      reject “Failed to authenticate to AD”; 
   } 
}

vas_host_in_ADgrouplist

Syntax
int vas_host_in_ADgrouplist ( string hostname, string domain, list ADgrouplist [, boolean verbose] )
Description

The vas_host_in_ADgrouplist function checks if the selected host name and domain is a member of any group in the selected list. It calls vas_host_is_member for each item in the list.

Returns: -1 if host is not found in the list, otherwise it returns the index of the matched list entry.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating