On Aug 3, 2015, at 11:45 PM, JCA <1.41421@gmail.com> wrote:
What's with the one letter acronyms? It just makes things harder to understand.
It's for conciseness - it's simpler to write R than "RADIUS server" every time. My apologies if this misled you.
It doesn't mislead. It's confusing and broken. "l33t" speak isn't useful, and is discouraged on this list.
It's not "l33t" speak; it's compact notation in order to keep things short and to the point. My apologies if that confuses you.
What you want is impossible to do. PAM is designed to do authentication. You CANNOT set group membership with PAM.
You can't, or you shouldn't?
I distinctly recall writing CANNOT.
What prevents one from writing a PAM module (or modifying an existing one) so that it will receive group information from the RADIUS server and modify /etc/group accordingly before returning to the caller?
Reality?
Writing to /etc/group is forbidden. For very good reasons.
Alan DeKok.
Well, I have just tried (as root, in CentOS) to edit /etc/group by hand, and I had no problems. Is it not the case that if the RADIUS PAM module runs as root, it will also be able to do so?