[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

userid and groups questions



My appologies for two seemingly elementary questions:

Q1) In a configuration with multiple authentication modules, how do I know
(or force) which module sets the userid.  pam_authenticate() takes a userid,
but that doesn't prevent some module for asking the conversation for a
userid. Say 3 modules authenticate agains 3 different authentication
mechanisms - each with different account databases. Each one can ask for and
get a different userid - and then set it throught pam_set_user() (or
pam_set_item()?). How do I know or force which module sets the userid. In
general do you always assume it is the last in the auth stack?

Q2) How does my PAM-enabled application obtain a list of groups to which a
PAM authenticated user belongs? The list of group is tied to a PAM module.
For example, I may have a pam_myauth module followed by a pam_pwdb module. I
want to get a list of groups for this user from both authentication
mechanism. There doesn't seem to be a standard way to set or get group
membership from a pam module's authentication mechanism. I think
pam_sm_set_cred() should set a standard pam item called PAM_GROUPS, then any
module can append its groups to that item. My app just calls
pam_get_item(PAM_GROUPS) to retrieve all groups from all authentication
mechanisms.

Thanks for your help in understanding.

Scott Rachels



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []