On Mon, 29 Jan 2001, Thomas Delaet wrote:

> Hi everyone,
>
> Can anyone tell me if it's possible to authenticate if a user is member
> of certain group and how to do this ?
>
> For example : I only want to authenticate user x for my imap-mailserver
> whose primary group is "users" if he/she is also a member of the group
> "mail". Same thing for ssh,ftp,...
>
> Tnx a lot in advance for any help
>
> Kind Regards,
> --
> Thomas
> E-mail: Thomas.Delaet@student.kuleuven.ac.be
>

I believe that is more properly an account-management module than an authentication module (as the module would be assuming some other module previously authenticated the user, i.e. established that he is who he says he is, and then the authorization part (which seems to fall under account-management in the PAM model) would be to see if he is a member of one of the allowed groups).

I have a module pam_netgroups available at http://www2.physics.umd.edu/~payerle/Software/PAM/ which will do that. pam_listfile will also work I believe. I believe both require an external file listing which groups to allow (or deny) access to the service for.

pam_listfile will only work with standard Unix (/etc/group type) groups (but can also match a lot of other properties). pam_netgroups' specialty is that it can base the match on NIS or HESIOD netgroups/maps as well as standard Unix groups. It also allows you to mix usernames with groups in the input file (e.g. allow user mrvip, deny users in group badusers (even if also in mail group) and allow anyone in mail group if not already matched).

If you are dealing with standard Unix groups, pam_listfile may suffice and it is already in the standard PAM distribution. Though I don't wish to discourage people looking at my pam_netgroups, either :)

Tom Payerle
Dept of Physics                 payerle@physics.umd.edu
University of Maryland          (301) 405-6973
College Park, MD 20742-4111     Fax: (301) 314-9525
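
The pam_listfile approach from the reply, as an added configuration example that is not part of the original message. Assumptions: the service file is named `/etc/pam.d/imap`, the list file path `/etc/imap.groups` is a constructed name, `pam_unix.so` is the module that authenticates the user, and the installed Linux-PAM ships a pam_listfile that supports the `account` type.

```conf
# /etc/pam.d/imap   (assumed service name; use the one your IMAP daemon registers)

# Authentication: establish who the user is. Unchanged by the group check.
auth     required  pam_unix.so

# Authorization: allow the session only if the user belongs to a group
# named in the list file. sense=allow makes the file an allow-list.
# onerr=fail denies access when the file is missing or unreadable, so a
# deleted or broken list fails closed. onerr=succeed would let everyone in.
account  required  pam_listfile.so item=group sense=allow file=/etc/imap.groups onerr=fail

# Usual account checks (expiry, locked accounts) still apply afterwards.
account  required  pam_unix.so

# Contents of /etc/imap.groups (constructed path): one group name per
# line and nothing else, because every line is treated as a group name.
# For the case in the question the file holds the single line:
#   mail
```

A user whose primary group is "users" passes only if also listed as a member of "mail". Keep the list file root-owned and not world-writable, and repeat the `account` line in the ssh and ftp service files to apply the same rule there.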