PAM authentication for groups


I have to enable pam authorization for confd.
I have enabled the authOrder so as to have pam first and then localauthorization.
Thus groups have remained in the aaa_init file.

Now I have one question.
These groups should be present in the operating system under /etc/group.
Is there any alternative path in the operating system from which group data is retrieved? Or is this the only path that is used for authorization?



The group membership (discovery) is described in ConfD User Guide 14.5:

By default, the user is assigned to groups by using any groups
provided by the northbound transport (e.g. via the
confd_cli or netconf-subsys programs), by consulting data under
/nacm/groups, by consulting the /etc/group file, and by using any additional
groups supplied by the authentication method. If /nacm/enable-external-groups is set to "false",
only the data under /nacm/groups is consulted.

The resulting group assignment is the union of these methods, if it is non-empty. Otherwise, the default group is used, if configured (/confdConfig/aaa/defaultGroup in confd.conf).

As it mentions only /etc/group file, I’d assume there is no other path in OS that is used.

Well, to be really precise, it uses the libc getgrent(3) etc. functions, which according to a Linux man page access “the group database (e.g., the local group file /etc/group, NIS, and LDAP)”. I.e. it is typically the /etc/nsswitch.conf file that determines where the info comes from.
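
An added example, not part of the thread and not ConfD code: a Python check of which sources the host's `group:` line in /etc/nsswitch.conf names, and which groups the group database reports for a user. `grp.getgrall()` wraps the libc getgrent(3) enumeration mentioned above; the user name `admin` and the sample nsswitch.conf text are constructed, and primary-group membership from the passwd database is not considered.

```python
import grp
import re

# Constructed sample, used only when /etc/nsswitch.conf cannot be read.
SAMPLE_NSSWITCH = """\
# constructed example
passwd:  files sss
group:   files [SUCCESS=return] ldap   # local file first, then LDAP
shadow:  files
"""

def group_sources(nsswitch_text):
    """Return the NSS services on the 'group:' line, in lookup order."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if line.startswith("group:"):
            # Remove action items such as [NOTFOUND=return]; keep service names.
            spec = re.sub(r"\[[^\]]*\]", " ", line[len("group:"):])
            return spec.split()
    return []  # no 'group:' line present in this text

def supplementary_groups(user, entries=None):
    """Names of groups whose member list contains `user`.

    `entries` defaults to grp.getgrall(), which walks the group database
    through NSS; pass (name, members) pairs to evaluate a fixed data set.
    """
    if entries is None:
        entries = [(g.gr_name, g.gr_mem) for g in grp.getgrall()]
    return sorted({name for name, members in entries if user in members})

if __name__ == "__main__":
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "admin"  # constructed default
    try:
        with open("/etc/nsswitch.conf") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_NSSWITCH
    print("group sources:", group_sources(text))
    print("groups naming %s:" % user, supplementary_groups(user))
```

A remote backend can disable enumeration (SSSD does so by default), so an empty result for a directory user does not by itself show that the user has no groups in that source.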