PAM: How to test non-local group membership (LDAP, SQL, ...)?
Brian Schau
brian.schau at hp.com
Sun Jun 10 20:30:27 UTC 2007
Hello,
I am about to extend an application to support PAM. I have worked with
PAM before as a system administrator, a module programmer and as an
application programmer.
However, the application I am going to extend is using a somewhat
advanced authentication scheme which I am not sure how to support in
PAM. I would very much like to be corrected.
Here's the deal. A user is authenticated using a username and a
password when the user logs on. When authenticated, the user can use
most of the functions presented in the program. Certain functions
require, say, administrator rights. Other functions require Advanced
Operator rights.
The above is a description of a trivial group design - a user can belong
to one or more groups.
The above scheme works well using the /etc/passwd and /etc/group files -
"manual" parsing is done.
But how do I expand this scheme to use say LDAP or a SQL database?
The code is written mostly in Java. I've created a JNI interface which,
when given a username and password, returns true for authenticated and
false for rejected.
I am unsure how to test for the group membership - I guess it is fairly
trivial if the group info is stored locally (I can probably use the
pam_group module for that), but how should I do it if the group info is
stored in an LDAP or SQL database?
I really feel that I am missing something pretty obvious here!
(Perhaps I've been looking too deep into C, Java and JNI to focus on the
capabilities of PAM ... :-)
Kind regards,
Brian
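The group check the post is asking about, as an added example that is not part of the original post nor of any PAM project. PAM's API authenticates the user (pam_authenticate) and can refuse an account (pam_acct_mgmt), but it does not enumerate groups; group membership is answered by the system's group database through NSS. Because getpwnam(), getgrnam() and getgrouplist() consult /etc/nsswitch.conf, the same code works whether the `passwd:` and `group:` lines point at files, LDAP (nss_ldap, nss-pam-ldapd) or SQL (libnss-mysql); the example assumes such an NSS backend is configured and does not touch PAM itself, which stays in the existing JNI layer. The role names and the group names appadmin and appadvop are placeholders for illustration.

```c
/* Added example: decide whether an already-authenticated user holds a role by
 * asking the system group database through NSS. The NSS backend (files, LDAP,
 * SQL) is whatever /etc/nsswitch.conf names; this code does not need to know.
 * Role and group names are assumptions made for illustration. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Return 1 if USER is a member of GROUP (primary or supplementary),
 * 0 if not, -1 if the user or the group cannot be resolved. */
int user_in_group(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);     /* NSS lookup, not /etc/passwd parsing */
    if (pw == NULL)
        return -1;
    struct group *gr = getgrnam(group);     /* same for the group entry */
    if (gr == NULL)
        return -1;
    gid_t target = gr->gr_gid;

    /* getgrouplist() returns -1 when the buffer is too small and, on glibc,
     * stores the required size in ngroups; grow until it fits. */
    int ngroups = 16;
    gid_t *groups = NULL;
    for (;;) {
        gid_t *tmp = realloc(groups, (size_t)ngroups * sizeof *groups);
        if (tmp == NULL) {
            free(groups);
            return -1;
        }
        groups = tmp;
        int n = ngroups;
        if (getgrouplist(user, pw->pw_gid, groups, &n) != -1) {
            ngroups = n;                    /* n is now the count actually stored */
            break;
        }
        ngroups = (n > ngroups) ? n : ngroups * 2;
    }

    int found = 0;
    for (int i = 0; i < ngroups; i++) {
        if (groups[i] == target) {
            found = 1;
            break;
        }
    }
    free(groups);
    return found;
}

/* Hypothetical mapping from the application's roles to group names.
 * The group names are placeholders, not real conventions. */
static const struct {
    const char *role;
    const char *group;
} role_map[] = {
    { "administrator",     "appadmin" },
    { "advanced-operator", "appadvop" },
};

/* Return 1 if USER may use functions that require ROLE, else 0.
 * An unknown role or a failed lookup denies access (fail closed). */
int user_has_role(const char *user, const char *role)
{
    for (size_t i = 0; i < sizeof role_map / sizeof role_map[0]; i++) {
        if (strcmp(role_map[i].role, role) == 0)
            return user_in_group(user, role_map[i].group) == 1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s user role\n", argv[0]);
        return 2;
    }
    int ok = user_has_role(argv[1], argv[2]);
    printf("%s %s role %s\n", argv[1], ok ? "has" : "does not have", argv[2]);
    return ok ? 0 : 1;
}
```

Called from the JNI layer after the existing PAM authentication succeeds, `user_has_role()` gives the Java side a second boolean per role without any LDAP or SQL client code in the application; switching the directory is then a change to nsswitch.conf (and the matching NSS module's configuration) rather than to the program. Lookup failures are treated as "not a member" so a missing group or an unreachable directory never grants a role.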