PAM User Authentication with NACM groups

The Conf-D user guide Section 18.5 indicates that PAM Authentication can be used to authenticate the user and group membership can be determined by /nacm/groups. More specifically, I want to ignore the group/gids provided by PAM/Linux and determine group membership via /nacm/groups only. In this case, there is no relationship between the PAM/Linux groups and /nacm/groups.

Please see below. I’ve added the ‘netconf-admin’ user to the ‘admin’ group in aaa_init.xml. However, Conf-D is still assigning group membership according to PAM.

Is there a way to configure Conf-D to ignore the group information returned from PAM and only use /nacm/groups?

cat /opt/confd/var/confd/cdb/aaa_init.xml
<config xmlns="http://tail-f.com/ns/config/1.0">

    ...
  <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
    <write-default>permit</write-default>
    <groups>
      <group>
        <name>admin</name>
        <user-name>admin</user-name>
        <user-name>private</user-name>
        <user-name>netconf-admin</user-name>
      </group>
      ...
<INFO> 7-Sep-2022::13:24:10.478 hp confd[2385729]: audit user: [withheld]/0 local authentication failed via netconf from 10.2.10.20:49452 with ssh: no such local user
<INFO> 7-Sep-2022::13:24:10.508 hp confd[2385729]: audit user: netconf-admin/0 pam authentication succeeded via netconf from 10.2.10.20:49452 with ssh
<INFO> 7-Sep-2022::13:24:10.510 hp confd[2385729]: audit user: netconf-admin/0 logged in via netconf from 10.2.10.20:49452 with ssh using pam authentication
<INFO> 7-Sep-2022::13:24:10.524 hp confd[2385729]: audit user: netconf-admin/14 assigned to groups: netconf-admin
<INFO> 7-Sep-2022::13:24:10.524 hp confd[2385729]: audit user: netconf-admin/14 created new session via netconf from 10.2.10.20:49452 with ssh

Regards,
Matt

But ConfD does ignore group information from PAM (in particular because PAM does not really provide that). I don’t know where the netconf-admin group appeared from, but a similar configuration worked for me (and user netconf-admin was assigned to the group admin).

OK, netconf-admin was my Linux username as well as the default group for this user. I now see that ConfD does in fact use groups from ietf-netconf-acm.

There was some confusion on my part with the behavior of the ietf-netconf-acm module when accessing data from a remote NETCONF session. When I issue a get from a remote NETCONF session, no data is returned for this module. However, when I issue a get from netconf-console running locally on the server hosting Conf-D, data is returned for the NACM tables.

Is there something blocking NACM data from being retrieved from remote NETCONF sessions?

Also, is there a way to manage NACM configuration outside of NETCONF and the CLI using tool provided with confd?

No, I’m not aware of any blocking like that. You can make ConfD’s NETCONF server listen only on 127.0.0.1 so that any connections from remote hosts are rejected; maybe that is the problem?

Tools like confd_cmd and confd_load use MAAPI (MAnagement API) that can manage any configuration, including NACM. See man confd_cmd and confd_cmd -h, similarly for confd_load.

I’m having some issues retrieving the NETCONF nacm data using confd_cmd. I’m able to get nacm using netconf-console with an xpath filter, but not confd_cmd.

Is there anything special I need to put in the confd_cmd path to retrieve data from NETCONF tables?

$ confd_cmd -c 'get  /nacm'
FAILED: cdb_get(cs, &val, argv[0]), Error: badly formatted or nonexistent path (8): Typeless element, in function do_cdb_get, line 394

$ confd_cmd -c 'get  /nacm:nacm'
FAILED: cdb_get(cs, &val, argv[0]), Error: badly formatted or nonexistent path (8): Typeless element, in function do_cdb_get, line 394
$ netconf-console --host localhost --port 830 --get -x /nacm
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <data>
    <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
      <write-default>permit</write-default>
      <enable-external-groups>false</enable-external-groups>
      <denied-operations>0</denied-operations>
      <denied-data-writes>0</denied-data-writes>
      <denied-notifications>0</denied-notifications>
      <groups>
        <group>
          <name>admin</name>
          <user-name>admin</user-name>
          <user-name>netconf-admin</user-name>
          <user-name>private</user-name>
        </group>
  ...

The “get” command is a cdb_get() command. The path used with cdb_get() must lead to a leaf element. See the confd_lib_cdb(3) man page under cdb_get() for details.

The source code for the confd_cmd tool can be found under $CONFD_DIR/src/confd/tools/confd_cmd.c

I believe you want to use the confd_load tool, which uses maapi_save_config() to get the data. For example, confd_load -Fp -p /nacm. See the confd_load(1) man page and the $CONFD_DIR/src/confd/tools/confd_load.c source code for details.
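As an added example (not code from this thread or from the ConfD tools), here is a Python check that takes the /nacm reply netconf-console returns, computes which groups a user should be assigned per RFC 8341 (the /nacm/groups entries naming the user, with transport-reported groups merged only when enable-external-groups is true), and compares that against the "assigned to groups" audit line ConfD writes, flagging any group in the log that the NACM config does not predict. The XML reply and audit line embedded below are constructed samples modelled on the ones posted above, and the external_groups parameter is an assumed stand-in for whatever groups the transport (e.g. PAM) reports.

```python
import re
import xml.etree.ElementTree as ET

NACM_NS = "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"
NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
N = "{" + NACM_NS + "}"  # ElementTree's Clark-notation prefix for NACM elements

# Constructed sample reply, trimmed to the shape netconf-console returns for --get -x /nacm.
SAMPLE_REPLY = f"""<rpc-reply xmlns="{NC_NS}" message-id="1"><data>
  <nacm xmlns="{NACM_NS}">
    <enable-external-groups>false</enable-external-groups>
    <groups>
      <group><name>admin</name><user-name>admin</user-name><user-name>netconf-admin</user-name></group>
      <group><name>oper</name><user-name>private</user-name></group>
    </groups></nacm>
</data></rpc-reply>"""

# Constructed sample audit line in the format ConfD writes when a session is created.
SAMPLE_AUDIT = ("<INFO> 7-Sep-2022::13:24:10.524 hp confd[2385729]: audit user: "
                "netconf-admin/14 assigned to groups: netconf-admin")

def expected_groups(reply_xml, user, external_groups=()):
    """Groups `user` should get per RFC 8341: the /nacm/groups entries naming the user, plus
    transport-reported (e.g. PAM) groups only when enable-external-groups is true (its default)."""
    nacm = ET.fromstring(reply_xml).find(".//" + N + "nacm")
    if nacm is None:
        raise ValueError("reply carries no /nacm subtree")
    groups = {g.findtext(N + "name")
              for g in nacm.iterfind(N + "groups/" + N + "group")
              if user in [u.text for u in g.iterfind(N + "user-name")]}
    if nacm.findtext(N + "enable-external-groups", default="true").strip() == "true":
        groups |= set(external_groups)
    return groups

AUDIT_RE = re.compile(r"audit user: (?P<user>[^/\s]+)/\d+ assigned to groups: (?P<groups>.*)$")

def audit_groups(line):
    """Parse an 'assigned to groups' audit line into (user, set of group names)."""
    m = AUDIT_RE.search(line)
    if not m:
        raise ValueError("not an 'assigned to groups' audit line")
    return m.group("user"), {g for g in re.split(r"[,\s]+", m.group("groups").strip()) if g}

def check_assignment(reply_xml, audit_line, external_groups=()):
    """Returns (user, expected, actual, groups logged but not predicted by the NACM config)."""
    user, actual = audit_groups(audit_line)
    expected = expected_groups(reply_xml, user, external_groups)
    return user, expected, actual, actual - expected
```

Run against the real reply and audit log, a non-empty fourth element of check_assignment() is the signal that a session received a group the NACM configuration does not grant.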