Jesse Guardiani wrote:
Hello,

Please see attached for a patch to mod_auth_pam that adds extended group auth support to mod_auth_pam. In other words, this patch allows you to auth by ANY group a user is a member of, not just their primary group.

I wrote this patch because I needed extended group auth functionality to seamlessly integrate my Subversion server with my W2K PDC using winbind. My network policy states that any user who is a member of the "staging" windows group should have login access to the Subversion server. The user's primary group is the "Domain Users" group by default, so I couldn't use the stock mod_auth_pam code as I needed to auth by an extended group - "staging".

I noticed that Samba didn't have any trouble auth'ing by extended groups, so I set out to port the Samba /etc/group auth code to mod_auth_pam. This patch is the result of that. However, note that I found a bug in the Samba 3.0.21c code, so it's a little different than that code. I plan to submit a bug fix to the samba project shortly if the bug still exists in their source (I wrote this patch over a month ago, so I'm not sure about the current state of things). If you'd like to compare this patch to the samba code, take a look at the validate_group() function in source/smbd/password.c.

Anyway, this code has been stable for a month on my production Subversion server and in daily use by 3 programmers, so "it works for me". Unfortunately, it still has a bit of Samba cruft attached to it, like safe_string.h and safe_strcpy_fn(). I simply do not have the time to refactor this code and remove this samba baggage.

I hope this is useful for someone. Is there a chance it can make it into the next mod_auth_pam release?

I've received zero feedback on this, other than the message from Andreas Schindler stating that there was a better way, offering example code even, but then never sending said example code when I requested it.

When I was researching the problem before I wrote this patch, I saw a lot of SVN folks stumbling over mod_auth_pam because they thought it already did what this patch allows it to do. I think it's valuable. What's the verdict?

--
Jesse Guardiani
Programmer/Sys Admin
jesse@xxxxxxxxxxxx
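
The difference between primary-group and extended-group authorization described in the thread, as an added example. This is not the attached patch and not Samba's validate_group() code; the function names and the sample uid/gid values are hypothetical.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Primary-group-only check: the behaviour the post attributes to the stock module. */
static int in_primary_group(const struct passwd *pw, const struct group *gr)
{
    return pw && gr && pw->pw_gid == gr->gr_gid;
}

/* Extended check: primary group OR listed in the group's member list. */
static int in_any_group(const struct passwd *pw, const struct group *gr)
{
    if (!pw || !gr)
        return 0;                       /* unknown user or group: deny */
    if (pw->pw_gid == gr->gr_gid)
        return 1;
    for (char **m = gr->gr_mem; m && *m; m++)
        if (strcmp(*m, pw->pw_name) == 0)
            return 1;
    return 0;
}

/* Resolve both names through NSS (files, winbind, ...) and apply the extended check. */
int user_allowed(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);
    if (!pw)
        return 0;
    return in_any_group(pw, getgrnam(group));
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s USER GROUP\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[1]);
    struct group *gr = getgrnam(argv[2]);
    printf("primary-only: %d, extended: %d\n",
           in_primary_group(pw, gr), in_any_group(pw, gr));
    return in_any_group(pw, gr) ? 0 : 1;
}
```

Both checks fail closed when the user or group cannot be resolved. getgrouplist(3) is an alternative that asks NSS for the user's full group list instead of walking gr_mem.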