
#178 External group membership support

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2011-05-04
Created: 2011-05-04
Creator: Anonymous
Private: No

I'd like to have the ability to have group membership based on an external repository. For a use case, I'm running Webmin under Apache and authenticating against an external directory (LDAP or similar). I think the most extensible way to add this functionality to Webmin would be to provide support for a user-defined script which takes a username as input and returns an already defined Webmin group (or, ideally, a list of groups, one per line; does Webmin support users in multiple groups?) that user should be in. The priority (i.e., check local first, then script, or script first, then local) should be configurable.

This could potentially be expanded to a complete external authentication and/or authorization script. A username and password are passed in on STDIN, one per line. Successful authentication could be followed by a group membership on stdout, or a failure returns non-zero and optionally prints a failure message on stdout. The script could be optionally configured as either controlling authentication, authorization, or both.

Rather than making this an external script, it could potentially be implemented through a few standard hooks in other modules, much the way the other modules can subscribe to user updates or optionally provide logging support, but hopefully less complicated than the PAM API. :) Just a few functions in a file with a standard name, along the lines of authenticate_user and fetch_user_groups. Maybe also user management stuff, so delete user, create user, add to group, and the other things that the acl module already does. This modularization may make supporting other databases easier. A third-party module could then, by exposing the right interface, return 0 for denied/no group/whatever, 1 (or a group name, or an arrayref of group names) for success, and -1 for "ignore". The Webmin configuration would then have a PAM stack-like control which allows the admin to control the authentication modules available, and to set their priority, with the first non-ignore response being used. The available auth modules could be selected on a per-user basis the way the drop-down already works.

I think I like the module approach best. That lets a third party bundle a module as normal, and the module would provide an interface to configure how its authentication works. Or perhaps "auth modules" are special, providing just the authentication API, config support, and log parser support without having a required index.cgi or icons.
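An added example, not Webmin code and not from the ticket's author, modelling the proposed scheme in Python: a stack of auth modules tried in the admin-configured order, each answering -1 (ignore), 0 (deny) or a list of group names, with the first non-ignore answer used, wrapped in the username/password-on-stdin, groups-on-stdout protocol described above. The module functions, the -1/0/list return convention and the local and directory user tables are assumptions modelled on the proposal, populated with constructed sample data.

```python
import hashlib
import hmac
import sys

IGNORE, DENY = -1, 0   # verdicts proposed in the ticket; a list of groups means success

def _hash(password, salt="constructed-salt"):
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed sample data: a local Webmin-style user table and an external directory stand-in.
LOCAL_USERS = {"alice": (_hash("alice-pw"), ["admins"]),
               "bob": (_hash("bob-pw"), ["operators"])}
DIRECTORY = {"bob": ("bob-pw", ["directory-users"]),
             "carol": ("carol-pw", ["readonly", "operators"])}

def local_module(user, password):
    entry = LOCAL_USERS.get(user)
    if entry is None:
        return IGNORE                     # not ours; let the next module decide
    digest, groups = entry
    return groups if hmac.compare_digest(digest.encode(), _hash(password).encode()) else DENY

def directory_module(user, password):
    entry = DIRECTORY.get(user)
    if entry is None:
        return IGNORE
    stored, groups = entry
    return groups if hmac.compare_digest(stored.encode(), password.encode()) else DENY

def authenticate(user, password, stack):
    """First non-ignore verdict wins; returns the group list on success, [] otherwise."""
    for module in stack:
        verdict = module(user, password)
        if verdict == DENY:
            return []                     # explicit denial is final: no fall-through to later modules
        if verdict != IGNORE:
            return list(verdict)
    return []                             # fail closed: nobody vouched for this user

def main():
    # The proposed wire protocol: username and password on stdin (one per line),
    # groups on stdout one per line, non-zero exit status on failure.
    user, password = (sys.stdin.readline().rstrip("\n") for _ in range(2))
    groups = authenticate(user, password, [local_module, directory_module])
    if not groups:
        print("authentication failed")
        return 1
    print("\n".join(groups))
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Reordering the stack is the configurable priority the request asks for: with the directory first, "bob" resolves to the directory's groups instead of the local ones. A deny from an earlier module is treated as final, so a disabled local account cannot be revived by a later module in the stack.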

Discussion
