The PAC-LDAP authorization module configuration and policy files must be edited manually with a text editor. A directive name is separated from its first argument by a colon (:). Multiple arguments are delimited by commas (,). Remarks, introduced by a number sign (#), are included in the configuration and policy file to assist in editing it. Key policy directives are shown below.
The paccp.conf file is read by the shared libraries during the initialization of Caching Proxy and contains the definitions ([PAC_MAN_SERVER] stanza) of each PAC daemon that will start. Each PAC daemon must have its own [PAC_MAN_SERVER] stanza.
[PAC_MAN_SERVER]
hostname: # name of PAC daemon
port: # port pacd is listening on
[PACWTE_PLUGIN]
hostname_check:[true|false] # enables DNS lookup. Must have
# DNS lookup turned on for ibmproxy to work.
The pac.conf file specifies the LDAP server with which the PAC daemon attempts to connect.
[PAC_MAN_SERVER]
hostname: # name of PAC daemon
port: # port pacd is listening on
conn_type:ssl # comment out if you do not use SSL
authentication_sequence: [primary|secondary|none]
authorization_sequence: [primary|secondary|none]
[LDAP_SERVER]
hostname: # LDAP Server hostname
port:389 # Port LDAP is listening on
ssl_port:636 # SSL port used by the LDAP server
admin_dn: # User with permission to access the LDAP server
# specify admin_dn:NULL to enable anonymous binding
search_base: # Portion of LDAP tree to search for policy info
# If not required, specify search_base:NULL
search_key: # ID field to search
[CACHE]
cred_cache_enabled:[TRUE|FALSE] # turns credentials cache on/off
cred_cache_min_size:100 # minimum number of credentials to cache in pacd
cred_cache_max_size:64000 # maximum number of credentials to cache in pacd
cred_cache_expiration:86400 # when a credential expires
policy_cache_enabled:[TRUE|FALSE] # turns policy cache on/off
policy_cache_min_size:100 # min. number of policy related items to cache
policy_cache_max_size:64000 # max. number of policy related items to cache
policy_cache_expiration:86400 # when a policy related item expires
Every LDAP policy uses the following template within the configuration and policy file. Each policy must begin with the uppercase keyword POLICY in brackets.
[POLICY]
default_policy:[grant|deny] # describes the default policy for users
# that are not described in the POLICY section
pac_client_hostname: # the instances of Caching Proxy that are allowed
# to use a policy list
id: # the id for the LDAP entry or ip/hostname
# (wildcard supported, such as *.ibm.com)
grant:[true|false] # true means to grant access, false means
# to deny access
type:[0|1|2|3|4] # 0 LDAP entry that is a group,
# 1 LDAP entry that is not a group,
# 2 IP address
# 3 hostname
# 4 URL
propagate:[true|false] # true means that the access rights (grant
# or deny) will be propagated to all
# descendants or members
stop_entry:[entry|NULL] # Propagation of the access right stops
# at this entry. If the id is a group,
# stop_entry must be set to NULL.
# stop_entry may be applied to an IP
# address or hostname. Each stop_entry
# must be on its own line
exception_entry:[entry|NULL] # Assignment of the access right skips
# these entries, but continues through their
# subtrees. This may be a list of entries.
# exception_entry may be applied to a group,
# IP address, or hostname. Each
# exception_entry must be on its own line.
Exception_type:
Exception:
The wildcard (*) is supported only for the last position of an IP address or the first position of a host name in the id and stop_entry directives. Wildcards are not supported in the exception_entry. Wildcards are not supported for any LDAP entries in any fields.
Multiple policies are supported, and the value false always takes priority if policies conflict. In other words, a single denial in any policy blocks access. The order in which the policies are listed in the configuration and policy file is irrelevant and does not establish a priority.
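The following added example (not part of this documentation or of the Caching Proxy product) shows how the stanza format, the wildcard placement rule, and the deny-wins conflict rule described above fit together. It parses a constructed two-policy fragment and evaluates only IP (type 2) and host-name (type 3) policies; the LDAP-entry and URL types, propagation, and stop/exception entries are left out, and the fallback to default_policy when no policy matches is an assumption of this example.

```python
SAMPLE_POLICY_FILE = """\
[POLICY]
default_policy:deny
id:*.example.com   # wildcard only in the first position of a host name
type:3
grant:true
[POLICY]
default_policy:deny
id:10.1.2.*        # wildcard only in the last position of an IP address
type:2
grant:false
"""  # constructed sample, not a real policy file

def parse_stanzas(text):
    """Split 'directive:arg1,arg2' lines into [STANZA] dicts; '#' begins a remark."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stanzas.append({"_stanza": line[1:-1]})
            continue
        name, _, args = line.partition(":")
        stanzas[-1][name.strip()] = [a.strip() for a in args.split(",")]
    return stanzas

def id_matches(pattern, subject, ptype):
    """'*' matches only as the last position of an IP or the first of a host name."""
    if ptype == 2 and pattern.endswith(".*"):
        return subject.startswith(pattern[:-1])    # '10.1.2.' must prefix the address
    if ptype == 3 and pattern.startswith("*."):
        return subject.endswith(pattern[1:])       # '.example.com' must end the name
    return subject == pattern                      # any other placement: exact match

def decide(stanzas, client_ip, client_host):
    """Deny wins: one matching grant:false blocks access regardless of stanza order."""
    matched_grant, default_allows = False, True
    for p in stanzas:
        if p.get("_stanza") != "POLICY":
            continue
        # If any stanza's default is deny, an unmatched client is denied (assumption)
        default_allows &= p.get("default_policy", ["grant"])[0].lower() == "grant"
        ptype = int(p["type"][0])
        subject = {2: client_ip, 3: client_host}.get(ptype)
        if subject is not None and id_matches(p["id"][0], subject, ptype):
            if p["grant"][0].lower() != "true":
                return False
            matched_grant = True
    return matched_grant or default_allows
```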
For a set of policy examples, refer to the pacpolicy.conf file in the configuration files directory.