Difference: PluggableAuthenticationModules (1 vs. 4)

Revision 4 - 17 Feb 2004 - TWikiGuest

Line: 1 to 1
Changed:
< META TOPICPARENT name="UnixTips"
> META TOPICPARENT name="UnixNotes"
 Pluggable Authentication Modules (PAM) is the mechanism Linux uses to decide whether you can log in. Here's a crude picture:


Revision 3 - 17 Feb 2004 - TobyCabot

Line: 1 to 1
Added:
> META TOPICPARENT name="UnixTips"
 Pluggable Authentication Modules (PAM) is the mechanism Linux uses to decide whether you can log in. Here's a crude picture:


Line: 46 to 48
  The PAM/LDAP home page appears to be: http://www.padl.com/pam_ldap.html
Changed:
< -- TobyCabot - 22 Jan 2001
> Info for setting up LDAP on Debian: http://people.debian.org/~torsten/ldapnss.html, http://homex.subnet.at/~max/ldap/

Revision 2 - 25 May 2001 - TobyCabot

Line: 12 to 12
  etc... ---------/           |                \---- etc...
                            -----
                            |   |
Changed:
<                           |   | PAM config files (/etc/pam.d/*)
>                           |   | PAM config files (/etc/pam.d/*, /etc/pam_ldap.conf, etc)
                            |- _|
Line: 36 to 36
  I found that most of the PAM modules were pretty half-baked so debugging is hard if you don't have the source. OTOH we're only talking about a few hundred lines of code so it's not too hard to find your way around.
Added:
LDAP

The PAM LDAP module is configured by /etc/pam_ldap.conf. The sequence of events at login is: connect as the manager, search for an entry whose "uid" attribute equals the login name given, then try to bind as that entry using the password given. I didn't find the "uid" attribute in standard schemas, so if you can't log in it's a good idea to check whether the uid attribute is populated correctly.

 references

The PAM home page appears to be: http://www.kernel.org/pub/linux/libs/pam/

Revision 1 - 22 Jan 2001 - TobyCabot

Line: 1 to 1
Added:
Pluggable Authentication Modules (PAM) is the mechanism Linux uses to decide whether you can log in. Here's a crude picture:

  login ---------\                            /---- RDBMS
                  \                          /
 apache ----------\     ===========         /------ LDAP
                   \    =         =        /
    ssh ------------=   PAM   =----------- passwd files
                   /    =         =        \
 passwd ----------/     ===========         \------ RADIUS
                  /          |               \
 etc... ---------/           |                \---- etc...
                           -----
                           |   |
                           |   | PAM config files (/etc/pam.d/*)
                           |- _|

In a nutshell, any program that needs to check whether you can log in calls the PAM library, which reads the config files to see which modules to call to do the processing. You can even "stack" the modules, i.e. require that more than one of them succeed, or accept whichever one of several succeeds.

In one rather extreme case I used the Apache PAM authentication module to call the PAM LDAP module so that Apache could decide whether to allow each person to view a page.

The config file /etc/pam.d/httpd looked like this:

auth	 sufficient		pam_ldap.so
#auth		 required	  pam_unix.so

#account	 required	  pam_unix.so
account	 required	  pam_ldap.so

One mistake I made was having no account directive the first time I tried it. It's important that the auth and account directives use the same module.
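As an added illustration of the stacking rules and of the two failure modes this page mentions (a service file with no account lines, and an LDAP entry with no uid attribute), here is a small Python model of how Linux-PAM walks a stack. It is example code written for this page, not code from Linux-PAM, pam_ldap or libapache-mod-auth-pam. It assumes only the four classic control flags from pam.conf(5) (required, requisite, sufficient, optional; the [value=action] syntax and PAM_NEW_AUTHTOK_REQD are left out), assumes that /etc/pam.d/other denies everything (its real contents vary by distribution), and uses constructed users (alice, bob, root), passwords and directory entries. The pam_ldap stand-in follows the search-then-bind sequence from the LDAP section: search for (uid=<login>) as the manager, then bind as the entry found. Two checks in it are additions of this editor rather than anything the page states: the login name is escaped per RFC 4515 before it goes into the search filter, and an empty password is refused, because a bind with a DN and no password is an unauthenticated bind that the server treats as anonymous.

```python
"""Toy model of Linux-PAM stacking, driven by the /etc/pam.d/httpd file above.
Added example for this page, not Linux-PAM, pam_ldap or mod_auth_pam code;
control flags follow pam.conf(5); users, passwords and files are constructed."""
from typing import Callable, Dict, List, Tuple

PAM_SUCCESS, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"
PAM_USER_UNKNOWN, PAM_PERM_DENIED = "PAM_USER_UNKNOWN", "PAM_PERM_DENIED"
Entry = Tuple[str, str, str]              # (type, control, module); arguments dropped
Module = Callable[[str, str, str], str]   # (type, user, password) -> status code

def parse_pam_config(text: str) -> List[Entry]:
    """Parse /etc/pam.d-style lines; '#' starts a comment, blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 3 or fields[1] not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError(f"unsupported PAM line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2]))
    return entries

def run_stack(conf: List[Entry], other: List[Entry], mtype: str,
              modules: Dict[str, Module], user: str, password: str) -> str:
    """Linux-PAM semantics: the first required/requisite failure is the result,
    'sufficient' ends the stack early only if nothing has failed yet, and a type
    with no lines in the service file is taken from the 'other' file instead."""
    stack = [e for e in conf if e[0] == mtype] or [e for e in other if e[0] == mtype]
    impression, status = None, PAM_PERM_DENIED        # PAM_MUST_FAIL_CODE
    for _, control, module in stack:
        rv = modules[module](mtype, user, password)
        if rv == PAM_SUCCESS:
            if impression is None:                    # 'ok' / 'done' action
                impression, status = True, rv
            if control == "sufficient" and impression:
                break                                 # done: no earlier failure
        elif control in ("required", "requisite"):
            if impression is not False:               # 'bad' / 'die': keep first error
                impression, status = False, rv
            if control == "requisite":
                break
        # a failing sufficient or optional module is an 'ignore' action
    if status == PAM_SUCCESS and impression is not True:
        status = PAM_PERM_DENIED                      # Linux-PAM's sanity check
    return status

# Constructed directory: bob has no uid attribute, so the (uid=bob) search finds nothing.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": {"uid": "alice", "userPassword": "s3cret"},
    "cn=bob,ou=people,dc=example,dc=org": {"cn": "bob", "userPassword": "hunter2"},
}
PASSWD_FILE = {"root": "toor"}                        # constructed /etc/shadow stand-in

def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter (backslash first)."""
    for ch, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        value = value.replace(ch, esc)
    return value

def uid_filter(login: str) -> str:
    """Filter for the search step; the login name is untrusted input, so escape it."""
    return f"(uid={ldap_escape(login)})"

def pam_ldap(mtype: str, user: str, password: str) -> str:
    """Search for (uid=<login>) as the manager, then bind as the entry found."""
    hits = [dn for dn, a in DIRECTORY.items()        # server side of uid_filter(user)
            if "uid" in a and a["uid"].lower() == user.lower()]  # uid: caseIgnoreMatch
    if len(hits) != 1:
        return PAM_USER_UNKNOWN
    if mtype != "auth":
        return PAM_SUCCESS                            # account: nothing expires in this toy
    # An empty password would be an unauthenticated bind (RFC 4513 5.1.2), which the
    # server accepts as anonymous; it must never count as a successful login.
    if password and DIRECTORY[hits[0]]["userPassword"] == password:
        return PAM_SUCCESS
    return PAM_AUTH_ERR

def pam_unix(mtype: str, user: str, password: str) -> str:
    if user not in PASSWD_FILE:
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS if mtype != "auth" or PASSWD_FILE[user] == password else PAM_AUTH_ERR

MODULES = {"pam_ldap.so": pam_ldap, "pam_unix.so": pam_unix,
           "pam_deny.so": lambda *_: PAM_PERM_DENIED}
OTHER_CONF = "auth     required  pam_deny.so\naccount  required  pam_deny.so\n"
HTTPD_CONF = """\
auth     sufficient  pam_ldap.so
#auth    required    pam_unix.so
#account required    pam_unix.so
account  required    pam_ldap.so
"""
HTTPD_CONF_NO_ACCOUNT = "auth sufficient pam_ldap.so\n"   # the page's first attempt
BOTH_CONF = "auth required pam_unix.so\nauth sufficient pam_ldap.so\n"

def http_login(conf_text: str, user: str, password: str) -> str:
    """What mod_auth_pam does per request: pam_authenticate(), then pam_acct_mgmt()."""
    conf, other = parse_pam_config(conf_text), parse_pam_config(OTHER_CONF)
    for mtype in ("auth", "account"):
        rv = run_stack(conf, other, mtype, MODULES, user, password)
        if rv != PAM_SUCCESS:
            return rv
    return PAM_SUCCESS
```

Running http_login over the page's /etc/pam.d/httpd stack admits alice, rejects a wrong or empty password with PAM_PERM_DENIED (a lone sufficient module that fails leaves Linux-PAM's default failure code in place), rejects bob because the (uid=bob) search finds nothing, and, with the account lines removed, rejects even alice once pam_acct_mgmt() falls through to the deny-everything other file. BOTH_CONF shows the other half of stacking: when a required pam_unix fails first, a later sufficient pam_ldap success cannot override it.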

Note that libapache-mod-auth-pam is greedy in that once it's loaded it wants to do all of the authentication. It took me a while to figure this out - if you don't want to use it you need to shut it off explicitly on a per-directory basis.

I found that most of the PAM modules were pretty half-baked so debugging is hard if you don't have the source. OTOH we're only talking about a few hundred lines of code so it's not too hard to find your way around.

references

The PAM home page appears to be: http://www.kernel.org/pub/linux/libs/pam/

The PAM/LDAP home page appears to be: http://www.padl.com/pam_ldap.html

-- TobyCabot - 22 Jan 2001
