PAM NIS authorisation module

Synopsis

Module Name:
pam_nis.so
Author:
Peter Benie <pjb1008@cam.ac.uk>
Maintainer:
Author.
Management groups provided:
authentication; account
Cryptographically sensitive:
Security rating:
Clean code base:
Compiles cleanly, but uses some typecasts to cope with NIS library routines with incorrect declarations.
System dependencies:
Network aware:
Uses Network Information Service (also known as Yellow Pages)

Overview of module

The purpose of this module is to provide account management using NIS maps. This module is similar in function to pam_listfile.so.

Authentication component

Recognised arguments:
onerr=succeed|fail; sense=allow|deny; domain=domainname; map=mname; value=name; item=user|tty|rhost|ruser; error=default|userunknown|authfail|permdenied|expired
Description:
This module uses the item as a key in the given NIS map in the specified domain to extract a list of groups that the user is in. If value is specified, the module checks that the groups include that value; otherwise only the existence of the key in the map is tested. If the test is successful, the module returns success or failure depending on the value of sense. On failure, the module returns an error based on error, which defaults to PAM_AUTH_ERR. If item is not specified, user is used. If domain is not specified, the default domainname for the machine is used. For testing purposes only, onerr=succeed will cause the module to succeed if there is a problem parsing the arguments, etc. The default is onerr=fail.
Examples/suggested usage:
  auth       sufficient     /lib/security/pam_nis.so \
             item=user sense=allow map=users.byname value=compsci
  auth       required     /lib/security/pam_deny.so

Account component

Recognised arguments:
onerr=succeed|fail; sense=allow|deny; domain=domainname; map=mname; value=name; item=user|tty|rhost|ruser; error=default|userunknown|authfail|permdenied|expired
Description:
As for the authentication component above, except that the default error return is PAM_PERM_DENIED.
Examples/suggested usage:
  account    required       /lib/security/pam_nis.so \
             item=user sense=deny map=cancelled.byname error=expired
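
The following is an added example, not part of the module or its original documentation: a small Python check that scans PAM configuration text for pam_nis.so entries and reports arguments outside the "Recognised arguments" lists above, as well as any use of onerr=succeed, which the description reserves for testing. The function names and the sample configuration are constructed for illustration.

```python
import re

# Argument names and fixed value sets, copied from "Recognised arguments" above.
# None means free-form (domain, map and value take site-specific names).
RECOGNISED = {
    "onerr": {"succeed", "fail"},
    "sense": {"allow", "deny"},
    "item": {"user", "tty", "rhost", "ruser"},
    "error": {"default", "userunknown", "authfail", "permdenied", "expired"},
    "domain": None, "map": None, "value": None,
}

def logical_lines(text):
    """Join backslash-continued lines and drop comments and blanks."""
    joined = re.sub(r"\\\n", " ", text)
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def lint_pam_nis(text):
    """Return a list of (logical line, finding) for every pam_nis.so entry."""
    findings = []
    for line in logical_lines(text):
        fields = line.split()
        idx = next((i for i, f in enumerate(fields) if f.endswith("pam_nis.so")), None)
        if idx is None:
            continue
        for arg in fields[idx + 1:]:
            name, sep, val = arg.partition("=")
            if name not in RECOGNISED or not sep:
                findings.append((line, f"unrecognised argument: {arg}"))
            elif RECOGNISED[name] is not None and val not in RECOGNISED[name]:
                findings.append((line, f"invalid value: {arg}"))
            elif arg == "onerr=succeed":
                findings.append((line, "onerr=succeed fails open; testing only"))
    return findings

# Constructed sample configuration (not from a real system).
SAMPLE = """\
auth     sufficient  /lib/security/pam_nis.so \\
         item=user sense=allow map=users.byname value=compsci
account  required    /lib/security/pam_nis.so \\
         item=user sense=deny map=cancelled.byname onerr=succeed
account  required    /lib/security/pam_nis.so onerror=fail item=host map=x
"""

if __name__ == "__main__":
    for line, finding in lint_pam_nis(SAMPLE):
        print(f"{finding}\n    in: {line}")
```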