Dallas Clement | 4 Jun 2007 20:10

undefined reference to 'yywrap' while compiling PAM

Hello All,

I'm having a devil of a time compiling PAM.  I keep running into the
following error:

/home/dallas/downloads/Linux-PAM-0.99.7.1/lex.yy.c:1100: undefined
reference to `yywrap'

I'm cross-compiling to a i686 target from a Debian 4.0 system.

I've searched all over the Internet looking for answers.  Some say that
you should downgrade your 'flex' package to make this go away.  I did so
to 2.5.4 and it still didn't make any difference.

Can anyone please advise on how to overcome this error?

Thanks,

Dallas Clement
Brian Schau | 10 Jun 2007 22:30

PAM: How to test non-local group membership (LDAP, SQL, ...)?

Hello,

I am about to extend an application to support PAM.  I have worked with
PAM before as a System administrator, a module programmer and as an
application programmer.

However, the application I am going to extend is using a somewhat
advanced authentication scheme which I am not sure how to support in
PAM.  I would very much like to be corrected.

Here's the deal.   A user is authenticated using a username and a
password when the user logs on.   When authenticated the user can use
most of the functions presented in the program.  Certain functions
require, say, administrator rights.  Other functions require Advanced
Operator rights.

The above is a description of a trivial group design - a user can belong
to one or more groups.

The above scheme works well using the /etc/passwd and /etc/group files -
"manual" parsing is done.

But how do I expand this scheme to use say LDAP or a SQL database?

The code is written mostly in Java.  I've created a JNI interface which,
when given a username and password returns true for authenticated and
false for rejected.
I am unsure how to test for the group membership - I guess it is fairly
trivial if the group info is stored locally (I can probably use the
pam_group module for that), but how should I do it if the group info is
(Continue reading)

Andreas Hasenack | 11 Jun 2007 00:17

Re: PAM: How to test non-local group membership (LDAP, SQL, ...)?

On Sunday 10 June 2007 17:30:27 Brian Schau wrote:
> trivial if the group info is stored locally (I can probably use the pam_
> group module for that), but how should I do it if the group info is
> stored in a LDAP or SQL database?
>
> I really feel that I am missing something pretty obvious here!
> (Perhaps I've been looking to deep into c, java and jni to focus on the
> capabilities of PAM ... :-)

You should use the (g)libc functions to determine group membership. You don't 
have to know if the user database is in sql, ldap, db, etc.

Those functions will transparently search those databases if the machine has a 
correctly configured /etc/nsswitch.conf file + the database modules. It's 
transparent for your application. Which means the way you are doing it now, 
manually parsing the /etc/group file, is wrong. You should be using those 
functions from the start.
Brian Schau | 11 Jun 2007 09:59

Re: PAM: How to test non-local group membership (LDAP, SQL, ...)?

> You should use the (g)libc functions to determine group membership. You don't 
> have to know if the user database is in sql, ldap, db, etc.

Ok, so if I understand you correctly I can use PAM to authenticate the
user (f.ex. in LDAP) and then use the libc functions to verify the group
membership as if that information was present locally on the server?

Now, that is cool!

Thanks for your answer - I'll come back if I have further questions :-)
Andreas Hasenack | 11 Jun 2007 14:34

Re: PAM: How to test non-local group membership (LDAP, SQL, ...)?

On Mon, Jun 11, 2007 at 09:59:40AM +0200, Brian Schau wrote:
> > You should use the (g)libc functions to determine group membership. You 
> > don't have to know if the user database is in sql, ldap, db, etc.
> 
>  Ok, so if I understand you correctly I can use PAM to authenticate the
>  user (f.ex. in LDAP) and then use the libc functions to verify the group
>  membership as if that information was present locally on the server?

Yes, this second step would be in the account section.
Note that you should be doing the authentication with a database
specific module, like pam_ldap, pam_mysql, etc. Because for auth, these
users won't be in local files either.
Jose Plans | 11 Jun 2007 14:58

Re: PAM: How to test non-local group membership (LDAP, SQL, ...)?

On Mon, 2007-06-11 at 09:59 +0200, Brian Schau wrote:
> > You should use the (g)libc functions to determine group membership. You don't 
> > have to know if the user database is in sql, ldap, db, etc.
> 
> Ok, so if I understand you correctly I can use PAM to authenticate the
> user (f.ex. in LDAP) and then use the libc functions to verify the group
> membership as if that information was present locally on the server?

That's it, nss is your friend. Check for getgrouplist(3), otherwise do
some nasty checks on getgrent + strcmp on gr_mem[] (that will just kill
performance so go for the first one).

> Now, that is cool!
> 
> Thanks for your answer - I'll come back if I have further questions :-)

Basically, get the pam module to authenticate, you could even write one
that checks if the group is there on pam_acct_mgmt() and then do
whatever you want to do to restrict or allow access. But since what you
want to do is some sort of ACLs... your application should be doing
that, and for that, just use getgrouplist(). This, if of course you told
nss to read through other databases... ie: ldap? install nss_ldap and
add in nsswitch.conf the ldap entries.

Hope I'm not being confusing... :-)
Kind regards,

      Jose
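What Andreas and Jose describe above, as an added example that is not code from the thread: a membership check that goes through NSS via getpwnam(3) and getgrouplist(3), written here in Python with the standard pwd, grp and os wrappers around those same C calls. The mapping from the application's rights to group names (appadmin, appoper) is assumed for the example; the thread names the rights but not the groups.

```python
import grp
import os
import pwd

# Hypothetical mapping from the application's own rights to Unix group
# names.  The thread names the rights (administrator, Advanced Operator)
# but not the groups, so these two group names are assumed.
ROLE_GROUPS = {
    "administrator": "appadmin",
    "advanced_operator": "appoper",
}


def user_group_ids(username):
    """Every gid the user belongs to, primary and supplementary, via NSS.

    pwd.getpwnam() wraps getpwnam(3) and os.getgrouplist() wraps
    getgrouplist(3).  Both go through the C library, so the answer comes
    from whatever /etc/nsswitch.conf lists for the passwd and group
    databases (files, ldap, sss, a SQL NSS module, ...).  Raises KeyError
    for an unknown user, just as getpwnam(3) returns NULL.
    """
    pw = pwd.getpwnam(username)
    # The primary gid is passed in explicitly and is always part of the
    # result.  Scanning gr_mem of every group (getgrent + strcmp) would
    # miss it, because a user's primary group normally does not list
    # that user in its member list.
    return set(os.getgrouplist(username, pw.pw_gid))


def user_in_group(username, groupname):
    """True/False for membership; None if the user or group cannot be resolved.

    Returning None rather than False lets the caller tell "not a member"
    apart from "lookup failed" (mistyped group, NSS backend down), which
    an access-control decision should log differently.
    """
    try:
        gids = user_group_ids(username)
        gid = grp.getgrnam(groupname).gr_gid
    except KeyError:
        return None
    return gid in gids


def user_has_role(username, role):
    """Map an application right to its group and check it; default deny."""
    group = ROLE_GROUPS.get(role)
    if group is None:
        return False
    return user_in_group(username, group) is True


if __name__ == "__main__":
    import sys
    user, role = sys.argv[1], sys.argv[2]
    print(f"{user} has role {role}: {user_has_role(user, role)}")
```

Nothing in the code knows where the passwd and group databases live; once nss_ldap (or a SQL NSS module) is listed in /etc/nsswitch.conf, the same calls return directory users and groups. `getent group <name>` on the same host shows exactly what NSS resolves, so it is the quickest way to confirm the configuration before blaming the application.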
Brian Schau | 11 Jun 2007 15:21

Re: PAM: How to test non-local group membership (LDAP, SQL, ...)?

Hmm - you mention pam module ... I am PAMifying an existing application,
ie. using the PAM Application interface (not a module).

Will this present any problem?

I have the basic PAM authentication up and running.  I can switch
pam config files so that I authenticate using ldap or a sql database ...

... so I "only" need the group part. I have to look into nsswitch later
(hopefully tonight .. :-)

/brian

Jose Plans wrote:
> On Mon, 2007-06-11 at 09:59 +0200, Brian Schau wrote:
>>> You should use the (g)libc functions to determine group membership. You don't 
>>> have to know if the user database is in sql, ldap, db, etc.
>> Ok, so if I understand you correctly I can use PAM to authenticate the
>> user (f.ex. in LDAP) and then use the libc functions to verify the group
>> membership as if that information was present locally on the server?
> 
> That's it, nss is your friend. Check for getgrouplist(3), otherwise do
> some nasty checks on getgrent + strcmp on gr_mem[] (that will just kill
> performance so go for the first one).
> 
>> Now, that is cool!
>>
>> Thanks for your answer - I'll come back if I have further questions :-)
> 
> Basically, get the pam module to authenticate, you could even write one
(Continue reading)

Jose Plans | 11 Jun 2007 15:27

Re: PAM: How to test non-local group membership (LDAP, SQL, ...)?

On Mon, 2007-06-11 at 15:21 +0200, Brian Schau wrote:
> Hmm - you mention pam module ... I am PAMifying an existing application,
> ie. using the PAM Application interface (not a module).
> 
> Will this present any problem?

Not at all, it was just an example, ignore it :) - as I said, better do
pam_start etc. as you are doing to get that application using pam and
since you are doing some sort of ACL.

> I am having the basic PAM authentication up and running.  I can switch
> pam config files so that I authenticate using ldap or a sql database ...
> 
> ... so I "only" needs the group part. I have to look into nsswitch later
> (hopefully tonight .. :-)

heh :-) - that is what you need, once you get nss able to do lookups
against that sql or ldap, you are good to write what you need to write.
Just change /etc/nsswitch.conf to have your dbs in the services you need
and then run getent against them (for example: if you added ldap in
password like password: files ldap, then run : getent password and see
if you are also seeing users from that ldap directory).

     Jose
Benjamin Kießling | 12 Jun 2007 17:45

User auth with given pwd string

Hi,

I'm working on a project which requires that a password and a username are
sent over a network connection (of course encrypted).  Then the user should
be authenticated with his sent password (and username).
The problem is how can I do this with PAM?  Everything I found was about
authentication over a terminal (the example program in the documentation),
and the documentation itself doesn't help me.
Does somebody know a solution for my problem?

Benjamin
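The mechanism Benjamin is asking about, as an added example that is not code from the thread: on the application side PAM never reads the terminal itself. The modules ask for credentials through the conversation callback that the application hands to pam_start(), so a program that already holds the username and password just answers the prompts from memory. The example does this from Python through ctypes (the thread's application is Java via JNI; the C structures are the same ones the JNI side would use). The struct layouts are Linux-PAM's, and the service name "login" is an assumption; a real deployment would ship its own /etc/pam.d/<service> file. Running the account phase after a successful auth is what Andreas meant by "the account section" earlier in the thread.

```python
import ctypes
import ctypes.util

# Message styles and return codes from Linux-PAM's <security/_pam_types.h>.
PAM_SUCCESS = 0
PAM_PROMPT_ECHO_OFF = 1   # "Password: "-style prompt, answer is not echoed
PAM_PROMPT_ECHO_ON = 2    # "login: "-style prompt
PAM_ERROR_MSG = 3
PAM_TEXT_INFO = 4
PAM_CONV_ERR = 19


class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]


class PamResponse(ctypes.Structure):
    # resp is declared void* so a malloc'd address is stored verbatim:
    # PAM free()s it, so it must never point at a Python-owned buffer.
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]


# int conv(int num_msg, const struct pam_message **msg,
#          struct pam_response **resp, void *appdata_ptr)
# Linux-PAM passes msg as an array of pointers; Solaris/OpenPAM differ.
CONV_FUNC = ctypes.CFUNCTYPE(
    ctypes.c_int, ctypes.c_int,
    ctypes.POINTER(ctypes.POINTER(PamMessage)),
    ctypes.POINTER(ctypes.POINTER(PamResponse)),
    ctypes.c_void_p)


class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]


def answer_prompt(style, username, password):
    """Policy for one PAM message: what the application hands back.

    Echo-off prompts get the password, echo-on prompts the username, and
    informational or error messages get no response (None).  Any other
    style is refused, so the whole conversation fails closed.
    """
    if style == PAM_PROMPT_ECHO_OFF:
        return password
    if style == PAM_PROMPT_ECHO_ON:
        return username
    if style in (PAM_ERROR_MSG, PAM_TEXT_INFO):
        return None
    raise ValueError(f"unexpected PAM message style {style}")


def _make_conv(username, password):
    """Build the C callback that feeds stored credentials to the modules."""
    libc = ctypes.CDLL(None)           # symbols of the running process
    libc.calloc.restype = ctypes.c_void_p
    libc.calloc.argtypes = [ctypes.c_size_t, ctypes.c_size_t]
    libc.strdup.restype = ctypes.c_void_p
    libc.strdup.argtypes = [ctypes.c_char_p]
    libc.free.argtypes = [ctypes.c_void_p]

    def conv(num_msg, msgs, resps, _appdata):
        # PAM frees the response array and every resp string with free(),
        # so both must come from the C allocator.
        arr = libc.calloc(num_msg, ctypes.sizeof(PamResponse))
        if not arr:
            return PAM_CONV_ERR
        responses = ctypes.cast(arr, ctypes.POINTER(PamResponse))
        for i in range(num_msg):
            try:
                answer = answer_prompt(msgs[i].contents.msg_style,
                                       username, password)
            except ValueError:
                for j in range(i):
                    libc.free(responses[j].resp)
                libc.free(arr)
                return PAM_CONV_ERR
            if answer is not None:
                responses[i].resp = libc.strdup(answer)
        resps[0] = responses
        return PAM_SUCCESS

    return CONV_FUNC(conv)


def _load_libpam():
    """Return libpam as a ctypes handle, or None if it is not installed."""
    try:
        return ctypes.CDLL(ctypes.util.find_library("pam") or "libpam.so.0")
    except OSError:
        return None


def libpam_available():
    return _load_libpam() is not None


def authenticate(username, password, service="login"):
    """Run the auth and account phases of PAM service `service`.

    Returns PAM_SUCCESS (0) or the failing PAM status code; raises
    RuntimeError if libpam cannot be loaded.  "login" is an assumed
    service name for the example.
    """
    pam = _load_libpam()
    if pam is None:
        raise RuntimeError("libpam could not be loaded")
    pam.pam_start.restype = ctypes.c_int
    pam.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                              ctypes.POINTER(PamConv),
                              ctypes.POINTER(ctypes.c_void_p)]
    for fn in (pam.pam_authenticate, pam.pam_acct_mgmt, pam.pam_end):
        fn.restype = ctypes.c_int
        fn.argtypes = [ctypes.c_void_p, ctypes.c_int]

    callback = _make_conv(username.encode(), password.encode())
    conv = PamConv(callback, None)     # `callback` must outlive pam_end()
    handle = ctypes.c_void_p()
    rc = pam.pam_start(service.encode(), username.encode(),
                       ctypes.byref(conv), ctypes.byref(handle))
    if rc != PAM_SUCCESS:
        return rc
    try:
        rc = pam.pam_authenticate(handle, 0)
        if rc == PAM_SUCCESS:
            # Account phase: expiry, time/host restrictions, pam_group etc.
            rc = pam.pam_acct_mgmt(handle, 0)
    finally:
        pam.pam_end(handle, rc)
    return rc
```

The only part that depends on where the password came from is answer_prompt(); a terminal client would read it with getpass() there, a network service uses the value it already decrypted. Keep the password as bytes and drop it as soon as pam_end() returns; nothing in the exchange requires the application to know which module (pam_unix, pam_ldap, pam_mysql) actually verified it.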
Kenneth Geisshirt | 12 Jun 2007 23:59

Re: User auth with given pwd string

On Tue, 12 Jun 2007 17:45:15 +0200
Benjamin Kießling <benjaminkiessling <at> bttec.org> wrote:

>   The problem is how can I do this with PAM? 

There exist PAM modules for remote services like LDAP, Active Directory,
and MySQL. If none of these does the job, you can write your own
module which authenticate over the network.  

/kneth

--
Kenneth Geisshirt, M.Sc., Ph.D.   --   http://kenneth.geisshirt.dk/
"Piracy is not a technological issue. It's a behavior issue."   
                                                       --Steve Jobs
