
Re: group membership



On Mon, 29 Jan 2001, Thomas Delaet wrote:

> Hi everyone,
> 
> Can anyone tell me if it's possible to authenticate if a user is a member
> of a certain group and how to do this?
> 
> For example : I only want to authenticate user x for my imap-mailserver
> whose primary group is "users" if he/she is also a member of the group
> "mail". Same thing for ssh,ftp,...
> 
> Tnx a lot in advance for any help
> 
> Kind Regards,
> -- 
> Thomas
> E-mail: Thomas.Delaet@student.kuleuven.ac.be
> 
I believe that is more properly an account-management module than an
authentication module (as the module would be assuming some other module
previously authenticated the user, i.e. established that he is who he says he
is, and then the authorization part (which seems to fall under
account-management in the PAM model) would be to see if he is a member of one of
the allowed groups).

I have a module pam_netgroups available at
 http://www2.physics.umd.edu/~payerle/Software/PAM/
which will do that.  pam_listfile will also work I believe.

I believe both require an external file listing which groups to allow (or
deny) access to the service for.   pam_listfile will only work with standard
Unix (/etc/group type) groups (but can also match a lot of other properties).
pam_netgroups' specialty is that it can base the match on NIS or HESIOD
netgroups/maps as well as standard Unix groups.  It also allows you to mix
usernames with groups in the input file (e.g. allow user mrvip, deny users
in group badusers (even if also in mail group) and allow anyone in mail group
if not already matched).

If you are dealing with standard Unix groups, pam_listfile may suffice and
it is already in the standard PAM distribution.  Though I don't wish to
discourage people looking at my pam_netgroups, either :)

Tom Payerle 	
Dept of Physics				payerle@physics.umd.edu
University of Maryland			(301) 405-6973
College Park, MD 20742-4111		Fax: (301) 314-9525
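
The account-phase check described in the message above, as an added sketch that is not part of the original post and is not code from pam_netgroups or pam_listfile. The passwd/group data is constructed, the rule tuples are a hypothetical format (not either module's file syntax), and the deny-when-nothing-matches default is an assumption.

```python
# Constructed sample data in passwd(5) / group(5) format; not from the original post.
PASSWD = """\
x:x:1001:100::/home/x:/bin/sh
mrvip:x:1002:100::/home/mrvip:/bin/sh
spammer:x:1003:100::/home/spammer:/bin/sh
guest:x:1004:100::/home/guest:/bin/sh
"""
GROUP = """\
users:x:100:
mail:x:12:x,spammer
badusers:x:500:spammer
"""

# Hypothetical rule format for this sketch: (action, kind, name), first match wins.
RULES = [
    ("allow", "user", "mrvip"),
    ("deny", "group", "badusers"),
    ("allow", "group", "mail"),
]


def groups_of(user, passwd=PASSWD, group=GROUP):
    """Return the user's primary plus supplementary groups, or None if unknown."""
    gid = None
    for line in passwd.splitlines():
        fields = line.split(":")
        if fields[0] == user:
            gid = fields[3]
    if gid is None:
        return None
    result = set()
    for line in group.splitlines():
        name, _pw, g, members = line.split(":")
        # Primary membership comes from passwd's gid field, not the member list.
        if g == gid or user in filter(None, members.split(",")):
            result.add(name)
    return result


def account_allowed(user, rules=RULES):
    """Account-phase decision: assumes another module already authenticated the user."""
    member_of = groups_of(user)
    if member_of is None:
        return False  # unknown account: fail closed
    for action, kind, name in rules:
        if (kind == "user" and name == user) or (kind == "group" and name in member_of):
            return action == "allow"
    return False  # no rule matched: default deny (assumption of this sketch)
```

Because evaluation stops at the first match, moving the `mail` rule above the `badusers` rule would let `spammer` in, so rule order is part of the policy.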




