[pmwiki-users] Group-aware authentication via PAM

Patrick R. Michaud pmichaud at pobox.com
Wed Jun 7 10:27:19 CDT 2006


On Tue, Jun 06, 2006 at 09:26:41PM +0200, Dave Kliczbor wrote:
> Hello out there!
> 
> I'm new to PmWiki and this list, but I have searched the Cookbook and
> the list archives without a satisfactory answer...
> 
> I'm trying to achieve group-aware auth via PAM.
> 
> That means: I have a bunch of UN*X accounts, organized in 10 or so UN*X
> user groups. One user may be in more than one group. The file access
> model on the server already uses this scheme. I just want to be able to say
> in PmWiki "This Page (or PageGroup) should only be writeable for the
> UN*X group xyz".

For a variety of security reasons, PHP and Apache don't have easy ways 
to get Unix group or account information.  

My guess is that we'd have to parse the group memberships directly out 
of /etc/group somehow (this of course assumes that /etc/group is 
accessible to your webserver, and that group memberships are being 
maintained there).

If you can run the Apache mod_auth_pam module, then Apache can take
care of identification and authentication (i.e., determining a valid
userid from the Unix accounts).  Once we have the valid userid, it
shouldn't be too hard to scan /etc/group to determine the group
memberships.

I'd be leery of using the PHP pam_auth module, as it's very old
and designed for much older versions of PHP.  But that's just my
paranoia.  :-)

> Is it in any way possible? If not, where can I start to write my own
> auth script? Is UserAuth necessary? Or should I start from AuthUser?

If writing your own auth script, I think you'll find that AuthUser
is a lot simpler to work with -- it's designed to support multiple
independent authentication schemes.

Pm
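
The /etc/group scan suggested in the reply above, as an added example that is not part of the original message and is not PmWiki code. The function name unix_groups_for_user and the sample group data are constructed for illustration; it assumes the userid has already been authenticated by the web server. It only sees supplementary memberships listed in the text it is given, so a user's primary group (the gid field in /etc/passwd) and groups served from other directory sources will not appear.

```php
<?php
// Added example: map an already-authenticated userid to Unix group names
// by parsing group(5) text of the form  name:passwd:gid:member,member,...

function unix_groups_for_user(string $user, string $groupText): array
{
    // Accept only plain account names. \A and \z anchor the whole string,
    // so a trailing newline or an embedded ':' or ',' is rejected and the
    // userid can never line up with a field or list separator.
    if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/', $user)) {
        return [];
    }

    $groups = [];
    foreach (preg_split('/\R/', $groupText) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        $fields = explode(':', $line);
        if (count($fields) !== 4) {
            continue;               // malformed entry: grant nothing from it
        }
        // Split the member list into whole names before comparing.
        $members = array_filter(array_map('trim', explode(',', $fields[3])), 'strlen');
        // Strict whole-name match: "dave" must not match "dave2" or "xdave",
        // which a substring search over the raw line would do.
        if (in_array($user, $members, true)) {
            $groups[] = $fields[0];
        }
    }
    return $groups;
}

// Constructed sample standing in for the contents of /etc/group.
$sample = <<<EOT
staff:x:50:dave,anna
wikiedit:x:1001:anna,dave2
xyz:x:1002:dave
broken-line
EOT;

print_r(unix_groups_for_user('dave', $sample));       // valid userid
print_r(unix_groups_for_user('dave,anna', $sample));  // rejected userid
```

On a real server the second argument would be the contents of /etc/group, read by the web server account, and the resulting names are what a page or PageGroup write rule would be checked against.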



