diff --git a/changelog.html b/changelog.html
index 7be10a197300aee0681581097cc0a317e6eac1b8..206b3656531fde5679f04fa1f4fc69096ed32987 100644
--- a/changelog.html
+++ b/changelog.html
@@ -63,6 +63,9 @@ Upcoming changes
End up more gracefully if there's some problem when searching for user partipication in the build
(issue 13564)
+
+ PAM authentication supports '@group' to force interpretation as a group instead of user.
+ (issue 13526)
Added a DISCOVER permission to allow anonymous users to be presented the login screen
when accessing job URLs.
diff --git a/core/src/main/java/hudson/security/PAMSecurityRealm.java b/core/src/main/java/hudson/security/PAMSecurityRealm.java
index f4b42c58ba226fa464a6b9c54e8153beb94587d8..73b68c53bfd17b3c509657587c38864bce1bc4ea 100644
--- a/core/src/main/java/hudson/security/PAMSecurityRealm.java
+++ b/core/src/main/java/hudson/security/PAMSecurityRealm.java
@@ -104,12 +104,18 @@ public class PAMSecurityRealm extends AbstractPasswordBasedSecurityRealm {
@Override
public GroupDetails loadGroupByGroupname(final String groupname) throws UsernameNotFoundException, DataAccessException {
- if(CLibrary.libc.getgrnam(groupname)==null)
- throw new UsernameNotFoundException(groupname);
+ final String group;
+ if(groupname.startsWith("@")) {
+ group = groupname.substring(1);
+ } else {
+ group = groupname;
+ }
+ if(CLibrary.libc.getgrnam(group)==null)
+ throw new UsernameNotFoundException(group);
return new GroupDetails() {
@Override
public String getName() {
- return groupname;
+ return group;
}
};
}
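Review bot: A bare `@` takes the `startsWith("@")` branch and leaves `group` as an empty string, which is then handed to `getgrnam` unchecked; reject it before the lookup, e.g. `if(group.length()==0 || CLibrary.libc.getgrnam(group)==null)`. The exception now carries the stripped `group` instead of the caller's `groupname`, so a failed `@dev` lookup is reported as `dev`; `throw new UsernameNotFoundException(groupname);` would keep the original input traceable in logs. `getName()` also returns the stripped name, so whether an authorization entry written as `@dev` ends up matching only the group, and never a user called `dev`, depends on code outside this hunk and deserves a test, since that ambiguity is exactly what the prefix is meant to remove. A short comment above the branch, such as `// '@' prefix forces group interpretation when a user and a group share a name`, would document the convention where it is implemented.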
diff --git a/core/src/main/resources/hudson/security/PAMSecurityRealm/help.html b/core/src/main/resources/hudson/security/PAMSecurityRealm/help.html
index 48ee1525163016f45275ab304ca1f3dc4922f1f0..85b8d30e0eddac310a75609d67fa28d0fc51ac61 100644
--- a/core/src/main/resources/hudson/security/PAMSecurityRealm/help.html
+++ b/core/src/main/resources/hudson/security/PAMSecurityRealm/help.html
@@ -5,7 +5,13 @@
This mode will also allow you to use Unix groups for authorization. For example,
- you can say "everyone in the 'developers' group will have the administrator access".
+ you can say "everyone in the 'developers' group will have the administrator access".
+
+
+ Unix allows an user and a group to have the same name. If you need to disambiguate,
+ you can use the '@' prefix to force the name to be interpreted as a group. For example,
+ '@dev' would mean the 'dev' group and not the 'dev' user, while 'dev' would be interpreted
+ as an user if you indeed have the user of that name.
This is done through a library called PAM,