PAM: How to test non-local group membership (LDAP, SQL, ...)?

Brian Schau brian.schau at hp.com
Sun Jun 10 20:30:27 UTC 2007


Hello,


I am about to extend an application to support PAM.  I have worked with
PAM before as a System administrator, a module programmer and as an
application programmer.

However, the application I am going to extend is using a somewhat
advanced authentication scheme which I am not sure how to support in
PAM.  I would very much like to be corrected.

Here's the deal.   A user is authenticated using a username and a
password when the user logs on.   When authenticated the user can use
most of the functions presented in the program.  Certain functions
require, say, administrator rights.  Other functions require Advanced
Operator rights.

The above is a description of a trivial group design - a user can belong
to one or more groups.

The above scheme works well using the /etc/passwd and /etc/group files -
"manual" parsing is done.

But how do I expand this scheme to use say LDAP or a SQL database?

The code is written mostly in Java.  I've created a JNI interface which,
when given a username and password, returns true for authenticated and
false for rejected.
I am unsure how to test for the group membership - I guess it is fairly
trivial if the group info is stored locally (I can probably use the
pam_group module for that), but how should I do it if the group info is
stored in an LDAP or SQL database?

I really feel that I am missing something pretty obvious here!
(Perhaps I've been looking too deep into C, Java and JNI to focus on the
capabilities of PAM ... :-)


Kind regards,
Brian



