NACM External Groups #654

@v1shnya

Description

RFC 8341 (NACM) states that the user-to-group mapping can be delegated to a central server, such as a RADIUS server. Since authentication is performed by the transport layer, and RADIUS performs authentication and service authorization at the same time, the underlying transport protocol needs to be able to report a set of group names associated with the user to the server.

And when the "enable-external-groups" global switch is set to "true", the group names reported by the transport layer for a session are used together with the locally configured group names to determine the access control rules for the session.

Do you have in mind implementing the following use cases when the "enable-external-groups" switch is set to "true"?

  • CLICON_NACM_CREDENTIALS = 'exact' scenario. UID and GID (primary group) are passed between clients and the backend if they use a UNIX socket for communication. The NACM decision is based on the group name (mapped from the GID) of a user.

  • CLICON_NACM_CREDENTIALS = 'none' scenario. Username and group names are passed either as attributes of the top element in a NETCONF request, or impersonated via the clixon_cli -U and -G options. Here too, the group name determines the NACM rule to be applied, and the username is logged and shown by the backend.
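The following is an added example, not part of this issue and not clixon's own code: a minimal Python model of the RFC 8341 behaviour the issue refers to, where a session's group set is the union of locally configured group membership and the transport-reported group names when enable-external-groups is true, and the first matching rule of the first matching rule-list decides the outcome, falling back to the read/write/exec defaults. It assumes the transport-reported names have already been extracted (from a socket GID, a NETCONF attribute, or -G) into a plain list, and it simplifies rule "path" matching to a string prefix check; the data model and helper names (Nacm, RuleList, Rule, check_access, sample_nacm) are mine, not clixon's.

```python
# Added illustrative code for RFC 8341 (NACM) group resolution and rule
# selection. Not clixon code; names and the sample policy are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                      # "permit" or "deny"
    module_name: str = "*"           # "*" matches every YANG module
    access_operations: set = field(default_factory=lambda: {"*"})
    path: Optional[str] = None       # simplification: prefix match on the data path


@dataclass
class RuleList:
    name: str
    groups: list                     # group names, or "*" for every user
    rules: list = field(default_factory=list)


@dataclass
class Nacm:
    enable_nacm: bool = True
    enable_external_groups: bool = True
    read_default: str = "permit"     # RFC 8341 defaults
    write_default: str = "deny"
    exec_default: str = "permit"
    groups: dict = field(default_factory=dict)   # local group -> set of user names
    rule_lists: list = field(default_factory=list)


def resolve_groups(nacm, user, external_groups):
    """Session group set: local membership, plus the transport-reported
    names (e.g. from RADIUS or a socket GID) when external groups are enabled."""
    groups = {g for g, members in nacm.groups.items() if user in members}
    if nacm.enable_external_groups:
        groups |= set(external_groups)
    return groups


def _rule_matches(rule, operation, module, path):
    if rule.module_name not in ("*", module):
        return False
    if "*" not in rule.access_operations and operation not in rule.access_operations:
        return False
    if rule.path is not None and (path is None or not path.startswith(rule.path)):
        return False
    return True


def default_action(nacm, operation):
    """Per-operation default when no rule matches (RFC 8341 step 10)."""
    if operation == "read":
        return nacm.read_default
    if operation == "exec":
        return nacm.exec_default
    return nacm.write_default        # create / update / delete


def check_access(nacm, user, external_groups, operation, module="*", path=None):
    """Return "permit" or "deny": first matching rule of the first rule-list
    whose group list intersects the session's groups wins; otherwise default."""
    if not nacm.enable_nacm:
        return "permit"
    groups = resolve_groups(nacm, user, external_groups)
    if groups:                       # no groups at all -> straight to defaults
        for rl in nacm.rule_lists:
            if "*" not in rl.groups and not groups.intersection(rl.groups):
                continue
            for rule in rl.rules:
                if _rule_matches(rule, operation, module, path):
                    return rule.action
    return default_action(nacm, operation)


def sample_nacm(enable_external):
    """Constructed sample policy: alice is a local 'operator'; 'auditor' and
    'admin' exist only as names a RADIUS server might report."""
    return Nacm(
        enable_external_groups=enable_external,
        groups={"operator": {"alice"}},
        rule_lists=[
            RuleList("audit-restrictions", ["auditor"],
                     [Rule("no-keystore-read", "deny", module_name="ietf-keystore",
                           access_operations={"read"})]),
            RuleList("operators", ["operator"],
                     [Rule("ops-read-exec", "permit", access_operations={"read", "exec"})]),
            RuleList("admins", ["admin"], [Rule("admin-all", "permit")]),
        ],
    )


if __name__ == "__main__":
    for ext in (True, False):
        n = sample_nacm(ext)
        print("external groups", ext,
              "alice read ietf-keystore:", check_access(n, "alice", ["auditor"], "read", "ietf-keystore"),
              "bob create:", check_access(n, "bob", ["admin"], "create", "ietf-system"))
```

Running it shows the two effects the issue asks about: with external groups enabled, alice's RADIUS-reported "auditor" membership combines with her local "operator" membership, so the earlier, more restrictive rule-list denies the keystore read; with it disabled she is only an operator and the read is permitted. bob, who has no local group at all, gets admin access only through the reported group, and otherwise falls to write-default deny.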
