PAM: How to test non-local group membership (LDAP, SQL, ...)?

Andreas Hasenack ahasenack at terra.com.br
Sun Jun 10 22:17:31 UTC 2007


On Sunday 10 June 2007 17:30:27 Brian Schau wrote:
> trivial if the group info is stored locally (I can probably use the pam_
> group module for that), but how should I do it if the group info is
> stored in a LDAP or SQL database?
>
> I really feel that I am missing something pretty obvious here!
> (Perhaps I've been looking too deep into c, java and jni to focus on the
> capabilities of PAM ... :-)

You should use the (g)libc functions to determine group membership. You don't
have to know if the user database is in sql, ldap, db, etc.

Those functions will transparently search those databases if the machine has a
correctly configured /etc/nsswitch.conf file + the database modules. It's
transparent for your application, which means the way you are doing it now,
manually parsing the /etc/group file, is wrong. You should be using those
functions from the start.
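The approach described in the reply above, as an added example that is not part of the original mail: group membership is resolved with the glibc NSS functions (getgrnam, getpwnam, getgrouplist) so that whatever backends /etc/nsswitch.conf lists (files, ldap, sql, db, ...) are consulted without the program knowing which one answered. The function name user_in_group and the gid_in_list helper are this example's own; the sample gid lists in the test are constructed.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Pure helper: is `target` among the gids in `groups`? */
int gid_in_list(const gid_t *groups, int ngroups, gid_t target) {
    for (int i = 0; i < ngroups; i++) {
        if (groups[i] == target)
            return 1;
    }
    return 0;
}

/*
 * Returns 1 if `user` is a member of `group` (primary or supplementary),
 * 0 if not, and -1 if either name cannot be resolved through NSS.
 * Nothing here reads /etc/group or /etc/passwd directly; every lookup goes
 * through the name service switch, so LDAP/SQL/db backends are covered.
 */
int user_in_group(const char *user, const char *group) {
    struct group *gr = getgrnam(group);      /* NSS lookup of the group */
    if (gr == NULL)
        return -1;
    gid_t want = gr->gr_gid;                 /* copy before the next lookup reuses static storage */

    struct passwd *pw = getpwnam(user);      /* NSS lookup of the user (gives the primary gid) */
    if (pw == NULL)
        return -1;

    /* getgrouplist() returns primary + supplementary gids; when the buffer is
     * too small it returns -1 and stores the required count in ngroups. */
    int ngroups = 16;
    gid_t *groups = malloc((size_t)ngroups * sizeof(gid_t));
    if (groups == NULL)
        return -1;

    for (int attempt = 0; attempt < 8; attempt++) {
        int have = ngroups;
        if (getgrouplist(user, pw->pw_gid, groups, &ngroups) != -1)
            break;
        if (ngroups <= have)                 /* defensive: make sure the buffer actually grows */
            ngroups = have * 2;
        gid_t *tmp = realloc(groups, (size_t)ngroups * sizeof(gid_t));
        if (tmp == NULL) {
            free(groups);
            return -1;
        }
        groups = tmp;
    }

    int member = gid_in_list(groups, ngroups, want);
    free(groups);
    return member;
}

int main(int argc, char **argv) {
    if (argc != 3) {
        fprintf(stderr, "usage: %s USER GROUP\n", argv[0]);
        return 2;
    }
    int rc = user_in_group(argv[1], argv[2]);
    if (rc < 0) {
        fprintf(stderr, "lookup failed: unknown user or group\n");
        return 2;
    }
    printf("%s %s a member of %s\n", argv[1], rc ? "is" : "is NOT", argv[2]);
    return rc ? 0 : 1;
}
```

Inside a PAM module the same logic applies, but the non-reentrant getpwnam/getgrnam calls should be replaced with their _r variants and the user name taken from pam_get_user(); the backend-independence argument is unchanged, since the _r functions go through the same NSS path.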