
Re: userid and groups questions



Thank you for all your responses:

I agree that nss functions are the best way to get UNIX group membership,
but say some 3rd party authentication system has its own database of group
membership (defines its own groups and assigns its users to those groups).
If I have a pam module that authenticates to this 3rd party, I want to add
the authenticated user's groups (not Unix groups, but 3rd party auth system
groups) to a standard list.

Thanks
Scott

----- Original Message -----
From: Andrew Morgan <morgan@transmeta.com>
To: <pam-list@redhat.com>
Sent: Thursday, September 23, 1999 11:14 PM
Subject: Re: userid and groups questions


> Scott Rachels wrote:
> > My goal is not to SET uid or gid. My goal is to RETRIEVE the uid and set
> > of groups to which the uid belongs for any given authentication system. I'm
> > implementing an access control system that uses PAM to authenticate a user.
> > I want to a) query the uid authenticated by PAM and b) query the list of
> > groups to which the uid belongs. My access control system will then search
> > for acls in my acl table that grant or deny rights to that uid or its
> > groups.
>
> PAM has an item for PAM_USER -> username.
>
> POSIX takes care of the username->uid,gids mapping.
>
> getpwnam(username) -> uid for username;
>
> foreach gid {
>   getgrgid(gid) -> not very efficient method for identifying all of the
>   user's groups
> }
>
> > It seems like a PAM module should be able to set a PAM_GROUP environment
> > item in the pam_sm_setcred() function. My application should then be able to
> > get that item. How can I do this? Any authentication system may potentially
>
> This is pretty similar to what libpwdb was all about... (sic) It hasn't
> made much progress, the glibc nss stuff has, so I'd recommend you look
> at that and see if you can do what you want with some custom nss module.
>
> > Also, I didn't understand your answer in regards to my 1st question. I have
> > pasted it below. I'm still not sure if I have two authentication mechanisms
> > configured in my PAM stack, how do I know or force which one sets the
> > PAM_USER item?
>
> You should always use the pam_get_user() function. This basically does
> the right thing.
>
> > > Q1) In a configuration with multiple authentication modules, how do I know
> > > (or force) which module sets the userid.  pam_authenticate() takes a
> > > userid,
>
> By userid, if you mean username, then pam_get_user() is the right way to
> go. As Steve L. pointed out, 'enforcing' a no-change policy is a little
> hard given that the whole PAM thing runs in the context as the
> application.
>
> > > but that doesn't prevent some module from asking the conversation for a
> > > userid. Say 3 modules authenticate against 3 different authentication
> > > mechanisms - each with different account databases. Each one can ask for
> > > and get a different userid - and then set it through pam_set_user() (or
>
> There isn't a pam_set_user() function. Perhaps you've read a typo
> somewhere and been confused? If so, tell me where -- I'd like to fix it.
>
> > > pam_set_item()?). How do I know or force which module sets the userid. In
> > > general do you always assume it is the last in the auth stack?
>
> pam_get_user() only asks the user for a username if PAM_USER is not set,
> if PAM_USER is available, you get that one. If that function didn't
> exist, you would do something like:
>
>   pam_get_item(..., PAM_USER, ... &username)
>   if (username == NULL) {
> ... set up a conversation for the username ...
>         pam_set_item(... PAM_USER, username);
>   }
>
> I hope this clarifies things.
>
> Cheers
>
> Andrew
>
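As an added illustration of the username -> uid, gids mapping Andrew describes (this is not code from either message): an application that has read the PAM_USER item resolves it into a uid and the full gid set with one getgrouplist() call instead of the per-gid getgrgid() sweep, then answers the membership question an ACL table lookup needs. It assumes a glibc or musl Linux system whose passwd database contains "root"; the 3rd-party groups Scott asks about never reach NSS, so they are outside what this shows.

```c
#define _GNU_SOURCE            /* expose getgrouplist() in <grp.h> */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>

/* Resolve a username (what an application reads from the PAM_USER item
 * once pam_get_user() has run) into its uid and complete gid set. One
 * getgrouplist() call goes through NSS (files, NIS, LDAP, a custom nss
 * module); pw_gid always comes first, supplementary groups follow.
 * Returns the gid count, or -1 if the user is unknown or max_gids is
 * too small (getgrouplist() then stores the size needed in ngroups). */
int resolve_user_groups(const char *username, uid_t *uid_out,
                        gid_t *gids, int max_gids)
{
    struct passwd *pw = getpwnam(username);
    if (pw == NULL)
        return -1;
    if (uid_out != NULL)
        *uid_out = pw->pw_uid;
    int ngroups = max_gids;
    if (getgrouplist(username, pw->pw_gid, gids, &ngroups) == -1)
        return -1;
    return ngroups;
}

/* Membership test an ACL engine runs when matching an entry against the
 * authenticated user: 1 = member, 0 = not a member, -1 = unknown user. */
int user_has_gid(const char *username, gid_t gid)
{
    gid_t gids[256];
    int n = resolve_user_groups(username, NULL, gids, 256);
    if (n < 0)
        return -1;
    for (int i = 0; i < n; i++)
        if (gids[i] == gid)
            return 1;
    return 0;
}

int main(void)
{
    gid_t gids[256];
    uid_t uid;
    int n = resolve_user_groups("root", &uid, gids, 256); /* "root" assumed */
    if (n < 0) return 1;
    printf("uid=%u gids:", (unsigned)uid);
    for (int i = 0; i < n; i++)
        printf(" %u", (unsigned)gids[i]);
    putchar('\n');
    return 0;
}
```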


