mod_auth_pam extended group auth patch

Jesse Guardiani jesse at guardiani.us
Thu May 25 21:08:57 UTC 2006


Hello,

Please see attached for a patch to mod_auth_pam that
adds extended group auth support to mod_auth_pam.

In other words, this patch allows you to auth by ANY
group a user is a member of, not just their primary
group.

I wrote this patch because I needed extended group
auth functionality to seamlessly integrate my
Subversion server with my W2K PDC using winbind.

My network policy states that any user who is a
member of the "staging" windows group should have
login access to the Subversion server. The user's
primary group is the "Domain Users" group by default,
so I couldn't use the stock mod_auth_pam code as
I needed to auth by an extended group - "staging".

I noticed that Samba didn't have any trouble auth'ing
by extended groups, so I set out to port the Samba
/etc/group auth code to mod_auth_pam. This patch is
the result of that. However, note that I found a bug
in the Samba 3.0.21c code, so it's a little different
than that code. I plan to submit a bug fix to the
samba project shortly if the bug still exists in their
source (I wrote this patch over a month ago, so I'm
not sure about the current state of things).

If you'd like to compare this patch to the samba
code, take a look at the validate_group() function
in source/smbd/password.c

Anyway, this code has been stable for a month on my
production Subversion server and in daily use by 3
programmers, so "it works for me". Unfortunately, it
still has a bit of Samba cruft attached to it, like
safe_string.h and safe_strcpy_fn(). I simply do not
have the time to refactor this code and remove this
samba baggage.

I hope this is useful for someone. Is there a chance
it can make it into the next mod_auth_pam release?


-- 
Jesse Guardiani
Programmer/Sys Admin
jesse at guardiani.us
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: mod_auth_pam.extended_group_auth_20060525.patch
URL: <http://listman.redhat.com/archives/pam-list/attachments/20060525/4491ad1e/attachment.ksh>
