Posted on Thursday, October 19, 2017 - 2:24 pm:
Hello, we are installing WebMO on a cluster with thousands of users and have enabled PAM authentication, but want to only allow users from a certain department to access WebMO. Right now it appears to let any user with an account on the system log in. How can we limit this to only certain users (say, ones in a certain system group)?
Post Number: 569
Posted on Thursday, October 19, 2017 - 3:40 pm:
PAM authentication is handled by the "pam_authenticate.pl" script, which uses the Authen::Simple::PAM Perl module. FYI, the documentation is here: http://search.cpan.org/~chansen/Authen-Simple-PAM-0.2/lib/Authen/Simple/PAM.pm
In particular, it looks like one can pass an argument to specify a particular PAM service. One could set up a PAM service just for WebMO, defining any rules you wanted and let PAM take care of it.
Alternatively, one could edit the "pam_authenticate.pl" script to do a GROUP lookup based on the provided username and reject those not in a particular group, etc.
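
The group lookup suggested in the reply above could look like the following. This is an added example, not part of the original post and not WebMO's own code; the group name `webmo`, the PAM service name, the function names and the way it would be called from "pam_authenticate.pl" are all assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumptions: placeholder group and PAM service names, not WebMO settings.
my $ALLOWED_GROUP = 'webmo';
my $PAM_SERVICE   = 'login';   # or a dedicated service defined under /etc/pam.d

# Returns 1 only if $user belongs to $group (primary or supplementary).
sub user_in_group {
    my ($user, $group) = @_;
    return 0 unless defined $user && length $user;

    my @gr = getgrnam($group);
    return 0 unless @gr;                 # unknown group: fail closed
    my ($gid, $members) = @gr[2, 3];

    my @pw = getpwnam($user);
    return 0 unless @pw;                 # unknown user: fail closed
    my ($canonical, $primary_gid) = @pw[0, 3];

    # Primary membership is recorded in passwd, not in the group member list.
    return 1 if $primary_gid == $gid;

    # Supplementary membership: exact string match, never a substring match.
    return (grep { $_ eq $canonical } split ' ', ($members // '')) ? 1 : 0;
}

# Hypothetical wrapper: authorize by group first, then authenticate via PAM.
sub authenticate_restricted {
    my ($user, $password) = @_;
    return 0 unless user_in_group($user, $ALLOWED_GROUP);
    require Authen::Simple::PAM;
    my $pam = Authen::Simple::PAM->new(service => $PAM_SERVICE);
    return $pam->authenticate($user, $password) ? 1 : 0;
}

# Stand-alone check of the group gate: ./check.pl <username>
unless (caller) {
    my $user = shift(@ARGV) // '';
    print user_in_group($user, $ALLOWED_GROUP) ? "allowed\n" : "denied\n";
}
```

If the site's directory service does not return group member lists, the supplementary-group check will deny everyone outside the primary group, so verify it against a known member before relying on it.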