PAM: How to test non-local group membership (LDAP, SQL, ...)?

Jose Plans jplans at redhat.com
Mon Jun 11 12:58:30 UTC 2007


On Mon, 2007-06-11 at 09:59 +0200, Brian Schau wrote:
> > You should use the (g)libc functions to determine group membership. You don't 
> > have to know if the user database is in sql, ldap, db, etc.
> 
> Ok, so if I understand you correctly I can use PAM to authenticate the
> user (f.ex. in LDAP) and then use the libc functions to verify the group
> membership as if that information was present locally on the server?

That's it, NSS is your friend. Check getgrouplist(3); otherwise do
some nasty checks with getgrent + strcmp on gr_mem[] (that will just kill
performance, so go for the first one).

> Now, that is cool!
> 
> Thanks for your answer - I'll come back if I have further questions :-)

Basically, get the PAM module to authenticate; you could even write one
that checks if the group is there on pam_acct_mgmt() and then do
whatever you want to restrict or allow access. But since what you
want to do is some sort of ACLs... your application should be doing
that, and for that just use getgrouplist(). This, of course, only if you
told NSS to read through other databases, i.e. LDAP: install nss_ldap and
add the ldap entries in nsswitch.conf.

Hope I'm not being confusing... :-)
Kind regards,

      Jose
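The group check the reply recommends, as an added example that is not code from the original thread or from any PAM or glibc project: a plain libc program that resolves a user's full group list through NSS with getgrouplist(3) and tests it for a named group. The PAM half of the flow (pam_authenticate followed by pam_acct_mgmt) is deliberately left out so the file links without libpam; the function names gid_in_list, user_groups and user_in_group are this example's own, and the nsswitch.conf lines shown in the header comment are the usual "files ldap" form assumed for an nss_ldap setup, not something quoted from the thread.

```c
/* Added example (not from the original thread): check a user's group
 * membership through NSS with getgrouplist(3), as the reply suggests.
 * The PAM side (pam_authenticate / pam_acct_mgmt) is omitted because it
 * needs libpam at link time; this file uses libc only.
 *
 * For the LDAP case, NSS is told to consult LDAP in /etc/nsswitch.conf,
 * for example (assumed typical lines, with nss_ldap installed):
 *     passwd: files ldap
 *     group:  files ldap
 * Nothing below changes for that: getgrouplist() goes through NSS.
 */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure helper: is `target` one of the `n` gids in `list`? */
int gid_in_list(gid_t target, const gid_t *list, int n)
{
    for (int i = 0; i < n; i++)
        if (list[i] == target)
            return 1;
    return 0;
}

/* Fetch every gid (primary + supplementary) for `user` via NSS.
 * Returns a malloc'd array the caller frees and stores the count in
 * *count; returns NULL if the user is unknown or memory runs out. */
gid_t *user_groups(const char *user, int *count)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return NULL;

    int ngroups = 16;                    /* initial guess, grown on demand */
    gid_t *groups = malloc(sizeof(gid_t) * ngroups);
    if (groups == NULL)
        return NULL;

    /* glibc's getgrouplist() returns -1 when the buffer is too small and
     * writes the required size into ngroups, so retry until it fits. */
    while (getgrouplist(user, pw->pw_gid, groups, &ngroups) == -1) {
        gid_t *bigger = realloc(groups, sizeof(gid_t) * ngroups);
        if (bigger == NULL) {
            free(groups);
            return NULL;
        }
        groups = bigger;
    }
    *count = ngroups;
    return groups;
}

/* 1 if `user` is a member of `group`, 0 if not, -1 if either the user or
 * the group does not exist in any configured NSS database. */
int user_in_group(const char *user, const char *group)
{
    struct group *gr = getgrnam(group);
    if (gr == NULL)
        return -1;
    gid_t want = gr->gr_gid;             /* copy before further NSS calls */

    int n = 0;
    gid_t *groups = user_groups(user, &n);
    if (groups == NULL)
        return -1;
    int found = gid_in_list(want, groups, n);
    free(groups);
    return found;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s user group\n", argv[0]);
        return 2;
    }
    int r = user_in_group(argv[1], argv[2]);
    if (r < 0) {
        fprintf(stderr, "unknown user or group\n");
        return 2;
    }
    printf("%s is %sa member of %s\n", argv[1], r ? "" : "not ", argv[2]);
    return r ? 0 : 1;
}
```

Run it as `./a.out alice wheel` after a successful PAM authentication of that user; because getpwnam, getgrnam and getgrouplist all resolve through NSS, the same binary answers from /etc/group, LDAP or SQL depending only on nsswitch.conf. The realloc loop matters: a user with many LDAP groups overflows a fixed buffer, and glibc reports that with -1 rather than a truncated list.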




More information about the Pam-list mailing list