In my aaa xml file i have defined guest, admin and oper user groups. Based on that in the aaa_init.xml i have defined and created rules.
Now i wanted to introduce PAM as one of the authentication methods. But with PAM the user group is not in my control, let suppose PAM defines user group as device-admins, device-opers, etc. Now how shall i let confd map that device-admins should be mapped to the admin user group and apply the configuration rules as admin.
Is there any one to one mapping available for the PAM groups and the aaa user groups ?
To use PAM for authentication, you will want to remove all users and groups information from the aaa initialization XML file. The groups information as defined in the group assignment file (/etc/group) in your Operating System, such as Linux, that corresponds to the user being authenticated will be used for the group assignment upon login. More information on PAM authentication can be found in Chapter 14.4.3, PAM, of the ConfD User Guide.
I would like to have PAM + local authentication so in case if the PAM fails confd should try the local authentication and assign the user and groups. Hence i could not remove all the user groups from the aaa init file.
The requirement would be when the PAM success i get the group and assign the group to one of the groups in the aaa (admin/oper/guest).
You can choose to retain the users information in your aaa initialization file when PAM is also enabled. To use both local authentication and PAM, you can use /confdConfig/aaa/authOrder in confd.conf to specify the order that they should be tried. The group information for the users in the case of PAM will come from PAM. You just need to make sure those same groups are being configured in ConfD for authorization.
Hi waitai,
i think i am not clear with my question.
I have already enabled the order in authentication.
i have pam and local authentication.
In local authentication i have groups like “Admin/Oper/guest”, but in PAM i have Groups like “device-admins/device-opers/device-guest”, I have wrote various rules for admin/guest/oper in the aaa file.
Now when the PAM comes in picture i wanted to get the group from PAM eg device-admins and map it to the admin group which i previously created for local authentication. is that mapping possible in confd.
Thats my question. ?
Is this still the same or do we have now provision to map pam group to nacm groups ?. Btw the reason for the same is we can’t add rules on the fly for new groups am I rt ?. Is there a provision to do so ?.