Description of problem:
One of my customers is trying to use LDAP netgroups to limit user access to the
client. When I had Nalin look into the feasibility of doing this in RHEL, he
discovered that none of the modules (including pam_ldap) support access control.
He also pointed out that it wouldn't be too much work to implement it, and that
it would be a good candidate for going in during an update cycle.
Specifically, once you have a user name and a host name, and assuming nss_ldap's
working, you can call the libc function innetgr() to check for membership.
Should netgroup support be added to pam_listfile as well, or to other modules?
This way netgroup authentication can be more broadly deployed (e.g. NIS, NIS+, etc).
There is some netgroup support in pam_access (matches @netgroup) however I don't
know if it's sufficient or even working.
There is also the yp_get_default_domain() call, and the domain obtained is always
passed as the domain parameter to the innetgr function.
Oddly enough we have a different customer who is attempting to use pam_access to
enforce a requirement on membership in a netgroup, and they're running afoul of
pam_access's assumption that there should be a controlling terminal. Something
like pam_listfile or pam_succeed_if would work much better for them, but neither
currently supports netgroups.
One thing to keep in mind about glibc is that netgroups in general aren't tied
to NIS, so yp_get_default_domain() can fail even when netgroups are available,
for example in /etc/netgroup. What value is appropriate for the "domain" in
this case is open to question, but the matching works even if you're using local
I know about this problem with no controlling tty and pam_access and I've
already proposed a patch for it - see bug 168276.
The yp_get_default_domain() failure doesn't break the netgroup match since
domain is set to NULL then and this is wildcard matching any domain in the
Tom, what are the exact requirements for netgroup matching they have?
The pam_access module can call innetgr for both user and host name, but it is
called separately. So if you configure it for user name it is called with
hostname as a wildcard (innetgr(group, 0, user, domain)) and vice versa
(innetgr(group, host, 0, domain)).
So the question is - would the current support in pam_access be sufficient? And
if not, which module would be the best to add the support in (pam_succeed_if?).
There is already support in pam_access which should be good enough.
In RHEL 4 U3 netgroups will also be supported in the pam_succeed_if module.