UW Groups Workaround
The Problem
- We want to use UW Groups for access control of NetID users:
  - Login access: who is allowed to log in.
  - Session access (i.e. post-login) to directories, files or services.
- But we cannot directly query a NetID user's group memberships:
  - UWWI policy denies read access to the group-membership attributes of user objects.
  - However, the member attribute of each of our own UWGS groups is readable, so membership can be enumerated group by group (rather than user by user).
The Work-Around
- This work-around assumes we have created two groups in UWGS:
  - A group of the users who are allowed to log in.
  - A group of the users who are granted extra privileges in the post-login session.
- Since the PAM modules we use read local files, we must maintain a local copy of the membership list of each of our UWGS groups:
  - For each UWGS group of interest:
    - Query the UWWI to enumerate the members of the group.
    - Save the enumerated names to a local file, one NetID per line.
  - Update periodically (from cron):
    - Repeat the enumeration query and save the result to a local temporary file.
    - Compare the name list in the temporary file with the current local file to see whether the membership has changed.
    - If the list has changed, replace the local file with the temporary file. Rename the temporary file into place rather than copying over the old file, so PAM never reads a half-written list; and if the query fails or returns nothing, keep the existing file, otherwise a transient directory outage would lock everyone out.
- We configure the pam_listfile module to grant login access to members of the login group (sense=allow against the local list file, with onerr=fail so that a missing or unreadable list denies rather than allows). The list file must be owned by root and not writable by others; pam_listfile treats a world-writable list file as an error.
- We configure the pam_group module to map members of the privilege group to local unix groups. The extra groups exist only in the PAM session that granted them (an interactive login), not in jobs the same user starts another way, such as cron.
Configuration Files and Scripts
For the purpose of this example we have created these UWGS groups:
- A UWGS group whose members are allowed to log in. This group is named 'uw_chem_nmr_users'.
- Another UWGS group whose members are granted extra privileges. This group is named 'uw_chem_nmr_admins'.
The following configuration files and scripts implement our work-around:
- /etc/pam.d/system-auth: the relevant PAM configuration file.
- /etc/netid.allow: the list of NetIDs in our uw_chem_nmr_users UWGS group, i.e. the NetIDs we allow to log on, as checked by the pam_listfile module. This file is generated and updated by the scripts below.
- /etc/security/group.conf: a mapping of our uw_chem_nmr_admins UWGS group members to local unix groups, for group-based access control as implemented by the pam_group module. This file is generated and updated by the scripts below.
- uwgs_sync.sh: a shell script run as a cron job to update the local membership-list files.
- uwgs_sync.pl: a Perl script, called from the shell script above, that queries the UWWI to fetch the UWGS membership lists.
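The following is an added example of the periodic sync step described above. It is not the page's own uwgs_sync.sh; the UWWI query that uwgs_sync.pl performs is not reproduced, and is instead passed in as a command whose standard output is one name per line. The NetID pattern, the sample membership list and the unix group name 'nmradmins' are assumptions for illustration. The example shows the three safety properties the procedure needs: a failed or empty query leaves the existing list alone, the new list is renamed into place atomically, and names that could act as pam_group metacharacters never reach group.conf.

```shell
#!/bin/sh
# Added example of the sync step; this is NOT the page's uwgs_sync.sh.
# The real UWWI query lives in uwgs_sync.pl and is not reproduced here: the
# enumeration is passed in as a command whose stdout is one name per line.

# normalize_netids: stdin -> stdout; lowercase, one NetID per line, sorted,
# deduplicated. Lines not matching the ASSUMED NetID pattern are dropped, so
# pam_group metacharacters (* | & !) can never be written into group.conf.
normalize_netids() {
    tr 'A-Z' 'a-z' | grep -E '^[a-z][a-z0-9_]*$' | sort -u
}

# sync_group_file DEST CMD [ARGS...]
# Run CMD, normalize its output and atomically replace DEST only when the
# membership changed. Exit status: 0 changed, 1 unchanged, 2 query failed.
# On failure (or an empty result) DEST is left untouched, so a broken query
# never empties the allow list and locks everyone out.
sync_group_file() {
    dest=$1; shift
    raw=$(mktemp) || return 2
    if ! "$@" > "$raw" 2>/dev/null; then
        rm -f "$raw"; return 2
    fi
    tmp=$(mktemp "$dest.XXXXXX") || { rm -f "$raw"; return 2; }
    normalize_netids < "$raw" > "$tmp"
    rm -f "$raw"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"; return 2
    fi
    if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
        rm -f "$tmp"; return 1
    fi
    chmod 0644 "$tmp"    # readable by PAM, not writable by others
    mv -f "$tmp" "$dest" # rename() is atomic: old list or new list, never a partial one
    return 0
}

# gen_group_conf NETID_FILE SERVICE GROUPS
# Emit one pam_group rule (services;ttys;users;times;groups) per NetID in
# NETID_FILE, granting GROUPS for SERVICE at any time of day.
gen_group_conf() {
    while IFS= read -r netid; do
        printf '%s;*;%s;Al0000-2400;%s\n' "$2" "$netid" "$3"
    done < "$1"
}

# Demonstration on constructed data (not real UWGS membership). The stray
# "*" and "mallory|root" lines stand in for anything unexpected in the query
# output and are filtered out by normalize_netids.
fake_query() { printf 'Alice\nbob\nalice\n*\nmallory|root\n'; }

workdir=$(mktemp -d)
sync_group_file "$workdir/netid.allow" fake_query; echo "first sync: status $?"   # 0: list written
sync_group_file "$workdir/netid.allow" fake_query; echo "second sync: status $?"  # 1: unchanged
sync_group_file "$workdir/netid.allow" false;      echo "failed query: status $?" # 2: old list kept
cat "$workdir/netid.allow"                            # alice and bob only
gen_group_conf "$workdir/netid.allow" sshd nmradmins  # sshd;*;alice;Al0000-2400;nmradmins, then bob
rm -rf "$workdir"
```

In production the cron job would run this as root, writing /etc/netid.allow from the uw_chem_nmr_users enumeration and regenerating /etc/security/group.conf from the uw_chem_nmr_admins enumeration, with the real query command (uwgs_sync.pl) in place of fake_query. Only the membership-derived rules are generated here; if group.conf carries hand-written rules as well, keep them in a separate fragment that the generator concatenates rather than overwriting the whole file.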