mod_auth_pam extended group auth patch

Jesse Guardiani jesse at guardiani.us
Thu Jun 15 14:55:30 UTC 2006


Jesse Guardiani wrote:
> Hello,
> 
> Please see attached for a patch to mod_auth_pam that
> adds extended group auth support to mod_auth_pam.
> 
> In other words, this patch allows you to auth by ANY
> group a user is a member of, not just their primary
> group.
> 
> I wrote this patch because I needed extended group
> auth functionality to seamlessly integrate my
> Subversion server with my W2K PDC using winbind.
> 
> My network policy states that any user who is a
> member of the "staging" windows group should have
> login access to the Subversion server. The user's
> primary group is the "Domain Users" group by default,
> so I couldn't use the stock mod_auth_pam code as
> I needed to auth by an extended group - "staging".
> 
> I noticed that Samba didn't have any trouble auth'ing
> by extended groups, so I set out to port the Samba
> /etc/group auth code to mod_auth_pam. This patch is
> the result of that. However, note that I found a bug
> in the Samba 3.0.21c code, so it's a little different
> than that code. I plan to submit a bug fix to the
> samba project shortly if the bug still exists in their
> source (I wrote this patch over a month ago, so I'm
> not sure about the current state of things).
> 
> If you'd like to compare this patch to the samba
> code, take a look at the validate_group() function
> in source/smbd/password.c
> 
> Anyway, this code has been stable for a month on my
> production Subversion server and in daily use by 3
> programmers, so "it works for me". Unfortunately, it
> still has a bit of Samba cruft attached to it, like
> safe_string.h and safe_strcpy_fn(). I simply do not
> have the time to refactor this code and remove this
> samba baggage.
> 
> I hope this is useful for someone. Is there a chance
> it can make it into the next mod_auth_pam release?


I've received zero feedback on this, other than the message
from Andreas Schindler stating that there was a better way,
offering example code even, but then never sending said example
code when I requested it.

When I was researching the problem before I wrote this patch,
I saw a lot of SVN folks stumbling over mod_auth_pam because
they thought it already did what this patch allows it to do.

I think it's valuable. What's the verdict?


-- 
Jesse Guardiani
Programmer/Sys Admin
jesse at guardiani.us
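
The primary-versus-extended group distinction the message describes, as an added example that is not part of the original post or the patch. The function names, the `alice`/`carol` users and the gid values are constructed for illustration; only the "staging" group name comes from the message.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Primary-group-only comparison: true only when the group is the user's primary group. */
int primary_group_match(const struct passwd *pw, const struct group *gr)
{
    return pw != NULL && gr != NULL && pw->pw_gid == gr->gr_gid;
}

/* Extended comparison: primary group, or named in the group's member list. */
int any_group_match(const struct passwd *pw, const struct group *gr)
{
    if (pw == NULL || gr == NULL)
        return 0;                         /* unknown user or group: deny */
    if (pw->pw_gid == gr->gr_gid)
        return 1;
    for (char **m = gr->gr_mem; m != NULL && *m != NULL; m++)
        if (strcmp(*m, pw->pw_name) == 0)
            return 1;
    return 0;
}

/* Live lookup through NSS (files, winbind, ...); 1 only on a positive match. */
int user_in_group(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);   /* passwd and group results use separate buffers */
    struct group *gr = getgrnam(group);
    return any_group_match(pw, gr);
}

/* Constructed sample data: primary gid 513 stands in for "Domain Users". */
static char *sample_members[] = { "alice", "bob", NULL };
static struct group sample_staging = { .gr_name = "staging", .gr_gid = 1001,
                                       .gr_mem = sample_members };
static struct passwd sample_alice = { .pw_name = "alice", .pw_gid = 513 };
static struct passwd sample_carol = { .pw_name = "carol", .pw_gid = 513 };

int main(void)
{
    printf("alice primary-only: %d\n", primary_group_match(&sample_alice, &sample_staging));
    printf("alice any-group:    %d\n", any_group_match(&sample_alice, &sample_staging));
    printf("carol any-group:    %d\n", any_group_match(&sample_carol, &sample_staging));
    return 0;
}
```

An NSS backend may not list every member in `gr_mem`; `getgrouplist(3)` asks for the user's groups directly and is the alternative when the member list is incomplete.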



