Re: pam authentication based on group membership
Uhh, I found it and will describe it here for anyone else who might
encounter the same problem.
Stefan Radomski wrote:
> Hi there,
> I have libpam-ldap running with libnss-ldap just fine, now I want to
> have different user groups for the several services like imap, smtp and
> others. I have read the description for the libpam-modules, but none
> seems to solve the problem.
pam_listfile does: just create some ACL with one identifier per line,
where an identifier can be a group name, a username or something else as
described here:
http://www.linuxdevcenter.com/pub/a/linux/excerpt/lsckbk_chap1/index3.html
[-- snip --]
narf:/# cat /etc/acl/imap
#used by /etc/pam.d/imap - a list of groups to be member of to use imap
imap
narf:/# cat /etc/pam.d/imap
#%PAM-1.0
#auth sufficient /lib/security/pam_ldap.so
#auth required /lib/security/pam_unix_auth.so try_first_pass
#account sufficient /lib/security/pam_ldap.so
#account required /lib/security/pam_unix_acct.so
auth required /lib/security/pam_listfile.so file=/etc/acl/imap item=group sense=allow onerr=fail
@include common-auth
@include common-account
[-- snip --]
That will only allow members of the group imap to authenticate via imap.
hth
stefan
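
An added example, not part of the original post: a small Python audit for the setup described above, which reads a PAM service file and reports problems with its pam_listfile rules (a rule wrapped across two lines, `onerr=succeed`, or an ACL file that pam_listfile would reject because it is not a plain file or is world-writable). The function names are hypothetical, and the parser assumes simple whitespace-separated PAM rules.

```python
import os
import stat


def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and # comments."""
    joined = text.replace("\\\n", " ")
    lines = (raw.strip() for raw in joined.splitlines())
    return [l for l in lines if l and not l.startswith("#")]


def audit_pam_listfile(pam_text):
    """Return a list of findings for the pam_listfile rules in pam_text."""
    findings = []
    for line in logical_lines(pam_text):
        fields = line.split()
        if not any(f.endswith("pam_listfile.so") for f in fields):
            # A line that begins with key=value is usually the tail of a
            # rule that was wrapped without a trailing backslash.
            if "=" in fields[0]:
                findings.append(f"orphan arguments (wrapped rule?): {line}")
            continue
        args = dict(f.split("=", 1) for f in fields if "=" in f)
        for key in ("item", "sense", "file"):
            if key not in args:
                findings.append(f"missing {key}= in: {line}")
        if args.get("onerr") == "succeed":
            findings.append(f"onerr=succeed lets errors pass: {line}")
        path = args.get("file")
        if not path:
            continue
        try:
            # lstat, not stat: a symlink does not count as a plain file.
            st = os.lstat(path)
        except OSError:
            findings.append(f"ACL file missing or unreadable: {path}")
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append(f"ACL file is not a plain file: {path}")
        if st.st_mode & stat.S_IWOTH:
            findings.append(f"ACL file is world-writable: {path}")
    return findings


if __name__ == "__main__":
    # Audits the service file from the post when run on such a host.
    with open("/etc/pam.d/imap") as fh:
        for finding in audit_pam_listfile(fh.read()):
            print(finding)
```
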