PAM: How to test non-local group membership (LDAP, SQL, ...)?
- Subject: PAM: How to test non-local group membership (LDAP, SQL, ...)?
- From: Brian Schau <brian.schau@xxxxxx>
- Date: Sun, 10 Jun 2007 22:30:27 +0200
- Organization: Hewlett Packard
- User-agent: Thunderbird 2.0.0.0 (Windows/20070326)
Hello,
I am about to extend an application to support PAM. I have worked with
PAM before as a System administrator, a module programmer and as an
application programmer.
However, the application I am going to extend is using a somewhat
advanced authentication scheme which I am not sure how to support in
PAM. I would very much like to be corrected.
Here's the deal. A user is authenticated using a username and a
password when the user logs on. When authenticated the user can use
most of the functions presented in the program. Certain functions
require, say, administrator rights. Other functions require Advanced
Operator rights.
The above is a description of a trivial group design - a user can belong
to one or more groups.
The above scheme works well using the /etc/passwd and /etc/group files -
"manual" parsing is done.
But how do I expand this scheme to use say LDAP or a SQL database?
The code is written mostly in Java. I've created a JNI interface which,
when given a username and password returns true for authenticated and
false for rejected.
I am unsure how to test for the group membership - I guess it is fairly
trivial if the group info is stored locally (I can probably use the
pam_group module for that), but how should I do it if the group info is
stored in an LDAP or SQL database?
I really feel that I am missing something pretty obvious here!
(Perhaps I've been looking too deep into C, Java and JNI to focus on the
capabilities of PAM ... :-)
Kind regards,
Brian
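The membership check the post asks about, as an added example (not the poster's code): PAM only answers "was the password right?", while group membership is an NSS question, so getgrouplist() resolves it through whichever sources /etc/nsswitch.conf names (files, ldap, sss, an SQL NSS module). Assumes a glibc system; user_in_group and gid_in_list are names chosen here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>

/* Return 1 if target appears in list[0..n), else 0. Pure helper. */
int gid_in_list(gid_t target, const gid_t *list, int n)
{
    for (int i = 0; i < n; i++)
        if (list[i] == target)
            return 1;
    return 0;
}

/* Return 1 if user is a member of group (primary or supplementary),
 * 0 if not, -1 if either name is unknown or memory runs out.
 * getpwnam/getgrnam/getgrouplist all go through NSS, so with
 * "group: files ldap" (or sss, or an SQL NSS module) in
 * /etc/nsswitch.conf the same call covers directory-backed groups.
 * Call this only after pam_authenticate/pam_acct_mgmt succeeded. */
int user_in_group(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);
    struct group *gr = getgrnam(group);
    if (pw == NULL || gr == NULL)
        return -1;
    int n = 16;
    gid_t *groups = malloc(n * sizeof *groups);
    if (groups == NULL)
        return -1;
    for (;;) {
        int want = n;
        if (getgrouplist(user, pw->pw_gid, groups, &want) != -1) {
            n = want;          /* number of gids actually stored */
            break;
        }
        /* glibc reports the required size in want; grow at least 2x
         * in case a libc leaves it unchanged */
        n = want > n ? want : n * 2;
        gid_t *tmp = realloc(groups, n * sizeof *groups);
        if (tmp == NULL) { free(groups); return -1; }
        groups = tmp;
    }
    int member = gid_in_list(gr->gr_gid, groups, n);
    free(groups);
    return member;
}
```

A call such as user_in_group("alice", "admins") == 1 is the "administrator rights" test; a -1 result (unknown user or group) should be treated as "not a member", never as a pass.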
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list