PAM: How to test non-local group membership (LDAP, SQL, ...)?

Brian Schau brian.schau at hp.com
Mon Jun 11 13:21:03 UTC 2007


Hmm - you mention pam module ... I am PAMifying an existing application,
i.e. using the PAM Application interface (not a module).

Will this present any problem?

I have the basic PAM authentication up and running.  I can switch
pam config files so that I authenticate using ldap or a sql database ...

... so I "only" need the group part. I have to look into nsswitch later
(hopefully tonight .. :-)

/brian

Jose Plans wrote:
> On Mon, 2007-06-11 at 09:59 +0200, Brian Schau wrote:
>>> You should use the (g)libc functions to determine group membership. You don't 
>>> have to know if the user database is in sql, ldap, db, etc.
>> Ok, so if I understand you correctly I can use PAM to authenticate the
>> user (f.ex. in LDAP) and then use the libc functions to verify the group
>> membership as if that information was present locally on the server?
> 
> That's it, nss is your friend. Check for getgrouplist(3), otherwise do
> some nasty checks on getgrent + strcmp on gr_mem[] (that will just kill
> performance so go for the first one).
> 
>> Now, that is cool!
>>
>> Thanks for your answer - I'll come back if I have further questions :-)
> 
> Basically, get the pam module to authenticate, you could even write one
> that checks if the group is there on pam_acct_mgmt() and then do
> whatever you want to do to restrict or allow access. But since what you
> want to do is some sort of ACLs... your application should be doing
> that, and for that, just use getgrouplist(). This, of course, if you told
> nss to read through other databases... i.e. ldap? install nss_ldap and
> add in nsswitch.conf the ldap entries.
> 
> Hope I'm not being confusing... :-)
> Kind regards,
> 
>       Jose
> 
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
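The check Jose describes above (getgrouplist(3) through NSS instead of walking getgrent + strcmp on gr_mem[]), written out as an added example that is not code from either poster: a small C routine an application can call after pam_authenticate()/pam_acct_mgmt() succeed, to enforce its own group-based ACL. It assumes nsswitch.conf already points the passwd/group databases at the backend in use (files, nss_ldap, ...); the function names and the sample gids in the comments are constructed for this example.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>

/* Pure helper: 1 if target is in groups[0..ngroups), else 0. Testable without NSS. */
int gid_in_list(const gid_t *groups, int ngroups, gid_t target)
{
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == target)
            return 1;
    return 0;
}

/* 1 if user is in group (primary or supplementary, resolved through NSS, so
 * an LDAP/SQL backend is covered once nsswitch.conf lists it), 0 if not,
 * -1 if either name is unknown or a lookup failed. -1 is kept distinct from 0
 * so an ACL check fails closed on lookup errors instead of reading "not found"
 * as "not a member". */
int user_in_group(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);
    struct group *gr = getgrnam(group);
    if (pw == NULL || gr == NULL)
        return -1;
    /* getgrouplist(3) returns -1 when the buffer is too small; glibc stores the
     * required count in n, so grow and retry (doubling covers libcs that don't). */
    int ngroups = 16;
    gid_t *groups = NULL;
    for (;;) {
        gid_t *tmp = realloc(groups, (size_t)ngroups * sizeof *groups);
        if (tmp == NULL) { free(groups); return -1; }
        groups = tmp;
        int n = ngroups;
        if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &n) != -1) {
            ngroups = n;            /* n now holds the number of entries filled */
            break;
        }
        ngroups = (n > ngroups) ? n : ngroups * 2;
    }
    int member = gid_in_list(groups, ngroups, gr->gr_gid);
    free(groups);
    return member;
}
int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s user group\n", argv[0]); return 2; }
    int r = user_in_group(argv[1], argv[2]);
    if (r < 0) { fprintf(stderr, "lookup failed\n"); return 2; }
    printf("%s is %sa member of %s\n", argv[1], r ? "" : "not ", argv[2]);
    return r ? 0 : 1;   /* exit status usable from a shell ACL hook */
}
```

Because the lookup goes through NSS, the same binary works unchanged whether the group lives in /etc/group or in LDAP; only nsswitch.conf decides, which is exactly the decoupling Jose is pointing at.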