Re: PAM: How to test non-local group membership (LDAP, SQL, ...)?

Hmm - you mention pam module ... I am PAMifying an existing application,
i.e. using the PAM Application interface (not a module).

Will this present any problem?

I have the basic PAM authentication up and running.  I can switch
pam config files so that I authenticate using ldap or a sql database ...

... so I "only" need the group part. I have to look into nsswitch later
(hopefully tonight .. :-)

/brian

Jose Plans wrote:
> On Mon, 2007-06-11 at 09:59 +0200, Brian Schau wrote:
> > > You should use the (g)libc functions to determine group membership.
> > > You don't have to know if the user database is in sql, ldap, db, etc.
> > Ok, so if I understand you correctly I can use PAM to authenticate the
> > user (f.ex. in LDAP) and then use the libc functions to verify the group
> > membership as if that information was present locally on the server?
>
> That's it, nss is your friend. Check for getgrouplist(3), otherwise do
> some nasty checks on getgrent + strcmp on gr_mem[] (that will just kill
> performance so go for the first one).
>
> > Now, that is cool!
> >
> > Thanks for your answer - I'll come back if I have further questions :-)
>
> Basically, get the pam module to authenticate; you could even write one
> that checks if the group is there on pam_acct_mgmt() and then do
> whatever you want to do to restrict or allow access. But since what you
> want to do is some sort of ACLs, your application should be doing
> that, and for that just use getgrouplist(). This, of course, only if you
> told nss to read through other databases, i.e. ldap? Install nss_ldap and
> add the ldap entries in nsswitch.conf.
>
> Hope I'm not being confusing... :-)
> Kind regards,
>
>       Jose

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
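A worked illustration of the getgrouplist() approach Jose recommends, added here as an example and not code from the thread or from any PAM project: after PAM has authenticated the user, the application resolves the user's primary and supplementary groups through NSS and checks for the target group's gid, without caring whether nsswitch.conf points at files, ldap or sql. The function name user_in_group and the buffer-growth loop are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Returns 1 if `user` belongs to `group` (primary or supplementary),
 * 0 if not, -1 if the user or group cannot be resolved through NSS.
 * Compare gids, not names: a name match on gr_mem[] misses the primary
 * group and costs a full getgrent() walk, as the thread points out. */
int user_in_group(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);      /* NSS-backed lookup */
    if (pw == NULL)
        return -1;
    struct group *gr = getgrnam(group);      /* NSS-backed lookup */
    if (gr == NULL)
        return -1;

    int ngroups = 16;
    gid_t *groups = malloc(sizeof(gid_t) * (size_t)ngroups);
    if (groups == NULL)
        return -1;
    /* getgrouplist returns -1 and sets ngroups to the required size when
     * the buffer is too small; grow and retry rather than truncating. */
    while (getgrouplist(user, pw->pw_gid, groups, &ngroups) == -1) {
        gid_t *tmp = realloc(groups, sizeof(gid_t) * (size_t)ngroups);
        if (tmp == NULL) { free(groups); return -1; }
        groups = tmp;
    }
    int found = 0;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == gr->gr_gid) { found = 1; break; }
    free(groups);
    return found;
}

/* Stand-alone use: ./a.out <user> <group>; exit 0 = member, 1 = not. */
int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s user group\n", argv[0]);
        return 2;
    }
    int r = user_in_group(argv[1], argv[2]);
    if (r < 0) { fprintf(stderr, "lookup failed\n"); return 2; }
    printf("%s is %sa member of %s\n", argv[1], r ? "" : "not ", argv[2]);
    return r ? 0 : 1;
}
```

Run it as the authenticated user name PAM returned and the group your ACL requires; the same binary works unchanged once nss_ldap (or an SQL NSS module) is listed in nsswitch.conf.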
