
Re: PAM setting arb parameters



> It is beyond the scope of PAM, yes - but this should mean that PAM
> should pass this data, and not interpret it in any way.

  Maybe I'm missing the meaning of "beyond the scope."  I thought it
*did* mean that PAM should not interpret or pass the data.

> The reason why I'd like PAM to handle this is because actual
> authentication is only part of a login process. In actual
> applications, the authentication part is handled by PAM, however
> credentials are set using machine specific functions.

  User credentials (home directory, UID, GID, etc.) are set via
/etc/nsswitch.conf, and the various nss libraries, including
nss_ldap.

  Application credentials (IP address, PPP parameters) are set via
application specific methods.  They usually have little or nothing to
do with user credentials.

> As a concrete example, I wanted to install PAM support into the
> Apache webserver, so that I could do basic authentication using
> PAM. The trouble was, to check whether a user was in the required
> group, it used Linux specific calls to determine group membership.

  "man getgrent".  Linux and Solaris.

  It's not optimal, but it will work.

> I think the best suggestion should be the creation of a parallel
> protocol, perhaps called Pluggable Credentials Modules, that would
> do the same as PAM, but for credentials.

  nsswitch.conf seems to do the trick for much of that.  Not all of it
though, but a lot.

  Alan DeKok.


