Question: What is the valid syntax for the configuration parameter pam.allow.groups? If an AD group name contains a space, specifying the AD group for pam.allow.groups may not work.
Answer: This configuration parameter specifies the groups allowed to access PAM-enabled applications. When this parameter is defined, only the listed groups are allowed access. All other groups are denied access. For example, if the domain is arcade.com and the group is HelpDesk:
pam.allow.groups: arcade.com/Users/HelpDesk
On the other hand, the group name or OU name may contain spaces. For example, if the domain is arcade.com and the group is 'Help Desk':
Either specifying
pam.allow.groups: "arcade.com/Users/Help Desk"
OR
pam.allow.groups: "arcade.com/Users/Help\ Desk"
Note: This KB also applies to pam.deny.groups.