Interested in taking over this project? Just send me a message

XAD is a Linux-PAM module. If you want to find more about Linux-PAM visit PAM home page. XAD is used for authentication. The great thing about this module is that is very easy to configure.

Author

XAD was made by Adrian Ber. You can visit the author homepage. XAD is under LGPL license. Here you can find an article on XAD.

The configuration file contains only one condition. The condition can be of two types: basic and composed. The composed condition contains one or more conditions separated by logical operators as 'and' and 'or'. The basic condition has the following form:

[!] [allow|deny] <pam-item> <relational-operator> <value>

• ! is the logical operator not that means this condition must be negated;
• allow|deny tells if the module must allow or deny access according to this condition; if not present allow is implied;
• <pam-item> represent the item in the PAM environment that is checked against the given value; can be one of the following:

  username	the user name that requested authentication
  groupname	the group name of the user that requested authentication
  uid	the user id that requested authentication
  gid	the group id of the user that requested authentication
  ruser	the remote user
  rhost	the remote host
  tty	the termminal
  service	the PAM service
  shell	the user shell
  freeram	the percent of free RAM from the total RAM
  freeswap	the percent of free swap memory from the total swap memory
  loadavg1	the system load average for 1 minute
  loadavg5	the system load average for 5 minutes
  loadavg15	the system load average for 15 minutes

• <relational-operator> is the relational operator that the pam item must fulfill for the given condition; can be one of the following: >, <, >=, <=, ==, != with their known means and 'match' for matching regular expressions; for regular expressions == has the same meaning as match;
• <value> the value that must be checked for the pam item; can be one of the following:

  integer	contains only digits
  double	contains two groups of digits separated by '.'
  string	a string enclosed by '"'(quote)
  regexp	a regular expression that has the syntax 'regexp(<POSIX-syntax-regular-expression>)'

Examples:

(alow username match regexp(r.*t)) or (allow uid == 1)

allows user with names that begins with 'r' and ends with 't', such as 'root' or 'robot' or 'rat' and user with uid 1

(alow username == "limited") and (allow freeram >= 50)

allows user with name "limited" when the RAM is free in a percent bigger than 50

( ( (groupname=="shift1" and hour >= 6 and hour < 14) or (groupname=="shift2" and hour >= 14 and hour < 22) or (groupname=="shift2" and hour >= 22 and hour < 6) ) and (weekday != 6) and (weekday != 0) ) or (groupname == "root")

A company that has three shifts and allows employees only on their shift and not in weekends. The administrators are always allowed.

(groupname == "year1" and weekday == 3 and hour >= 16 and hour < 18) or (groupname == "year2" and weekday == 4 and hour >= 12 and hour < 14) or ... or loadavg1 < ? or username == "root"

In a school students are allowed to login if the machine isn't too loaded or if they have classes.

(weekday >= 1 and weekday <= 5 and hour >= 20 and hour < 7) or (weekday == 6) or (weekday == 0) or (month == 12 and day == 25) /* Christmas */ or (month == 12 and day == 13) /* New Year's Eve */ or (month == 5 and day == 1) /* Labor day */

Users can access service just in week 20:00 - 7:00, weekends and hollidays

To speed up things XAD parses the configuration file and save the condition into an auxiliary data file using an internal format. The next time when will be invoked XAD will check if the configuration file has modified since the last "compilation" and if so will parse it again and will save again the condition into the internal format. If not the condition will be loaded from the auxiliary file. If you want to force XAD to reread this configuration file instead of the auxiliary data file you can delete the auxiliary data file or use the touch command on the configuration file (see man page for more details on touch).

The XAD module accepts the following parameters:

conffile=<conffile>	the absolute path to the configuration file, if not specified then will be /etc/xad.conf
datafile=<datafile>	the absolute path to the auxiliary data file, where the "compiled" configuration file is saved; if not specified will be calculated from the configuration file path as it follows: if the configuration file ends with .conf the "conf" particle will be replaced by "dat"; if the configuration file doesn't end with .conf the "dat" particle will be added to the end of the configuration file path;
onerror=allow|deny	the permission for this module if any error occurs (the configuration file isn't found or cannot be readed, the configuration file generates a parse error, the auxiliary data file cannot be written etc.)

To integrate XAD into PAM system you must add to which PAM service you want to use this authentication module a line like this

auth required /lib/security/libxad.so conffile=/etc/xad.conf datafile=/etc/xad.dat onerror=allow

The condition loaded from the configuration file (or auxiliary data file) is checked against the PAM environment and the module returns a value to inform PAM if the module authenticated or not the user.