PluggableAuthenticationModules (17 Feb 2004, TWikiGuest)
Pluggable Authentication Modules (PAM) is the framework that Linux (and other Unix-like systems) use to decide whether you can log in. Here's a crude picture:

 login -------\                        /---- RDBMS
               \                      /
apache ---------\     ===========    /------ LDAP
                 \    =         =   /
   ssh ---------------=   PAM   =----------- passwd files
                 /    =         =   \ 
passwd ---------/     ===========    \------ RADIUS
               /           |          \ 
etc... -------/            |           \---- etc...
                         -----
                         |   |
                         |   | PAM config files (/etc/pam.d/*, /etc/pam_ldap.conf, etc)
                         |- _|

In a nutshell, any program that wants to see if you can log in calls the PAM library, which reads the config files to find out which modules to run for that service. You can even "stack" the modules: each line carries a control flag (required, requisite, sufficient or optional) saying how that module's result combines with the others, so you can require that more than one of them succeed, or accept the first one that does.

In one rather extreme case I used the Apache PAM authentication module to call the PAM LDAP module so that Apache could decide whether to allow each person to view a page.

The config file /etc/pam.d/httpd looked like this:

# auth: pam_ldap alone decides; if it fails there is no fallback, since pam_unix is commented out
auth    sufficient      pam_ldap.so
#auth       required     pam_unix.so

# account: this is the stack that was missing on the first attempt
#account    required     pam_unix.so
account    required     pam_ldap.so

One mistake I made was having no account directive the first time I tried it. It's important to have the auth and account directives use the same module. The reason the first attempt failed: mod_auth_pam calls pam_acct_mgmt() after pam_authenticate(), and a management group with no lines in the service file falls back to the stack in /etc/pam.d/other, which on any sensibly configured system denies.
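As an added example (not code from this page, nor from Linux-PAM or mod_auth_pam), the following Python walks a pam.d-style stack with the control-flag meanings documented in pam.conf(5), runs the auth and account groups the way mod_auth_pam asks for them (pam_authenticate() then pam_acct_mgmt()), and shows why the first attempt without an account line failed: a group missing from the service file is taken from /etc/pam.d/other. The httpd file is the one above; the stand-in "other" file, the module outcomes and the extra stacks in the test are constructed for the demo, and the evaluator follows the documented semantics rather than Linux-PAM's exact internals.

```python
"""Walk /etc/pam.d-style stacks the way the PAM library does (added example)."""
import collections

Entry = collections.namedtuple("Entry", "group control module")
CONTROLS = ("required", "requisite", "sufficient", "optional")

# The page's /etc/pam.d/httpd.
HTTPD_CONF = """\
auth    sufficient      pam_ldap.so
#auth       required     pam_unix.so

#account    required     pam_unix.so
account    required     pam_ldap.so
"""

# The first attempt described on the page: no account line at all.
FIRST_ATTEMPT_CONF = """\
auth    sufficient      pam_ldap.so
"""

# Constructed stand-in for /etc/pam.d/other: deny everything by default.
OTHER_CONF = """\
auth     required  pam_deny.so
account  required  pam_deny.so
"""


def parse_pam_d(text):
    """Parse 'group control module [args]' lines; '#' comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[1].lower() not in CONTROLS:
            raise ValueError("unsupported pam.d line: %r" % raw)
        entries.append(Entry(fields[0].lower(), fields[1].lower(), fields[2]))
    return entries


def run_stack(entries, group, outcomes):
    """Evaluate one management group. `outcomes` maps module -> True (PAM_SUCCESS)
    or False (any failure); a module not listed fails. Returns (verdict, trace)."""
    impression = None          # None = undecided, True = passing, False = failed
    trace = []
    for e in (x for x in entries if x.group == group):
        ok = outcomes.get(e.module, False)
        trace.append("%s %-10s %-12s -> %s" % (group, e.control, e.module,
                                               "success" if ok else "failure"))
        if e.control == "required":
            if not ok:
                impression = False            # remembered, but the stack keeps running
            elif impression is None:
                impression = True
        elif e.control == "requisite":
            if not ok:
                trace.append("requisite failed: stack aborted")
                return "deny", trace
            if impression is None:
                impression = True
        elif e.control == "sufficient":
            if ok and impression is not False:
                trace.append("sufficient succeeded: stack short-circuits")
                return "allow", trace
            # a failing sufficient module is simply ignored
        elif e.control == "optional":
            if ok and impression is None:     # only counts if nothing else decides
                impression = True
    return ("allow" if impression else "deny"), trace


def login(service_conf, outcomes, other_conf=OTHER_CONF):
    """What mod_auth_pam needs: the auth stack, then the account stack.
    A group with no lines in the service file uses the 'other' stack instead."""
    service, other = parse_pam_d(service_conf), parse_pam_d(other_conf)
    report = {}
    for group in ("auth", "account"):
        if any(e.group == group for e in service):
            verdict, trace = run_stack(service, group, outcomes)
        else:
            verdict, trace = run_stack(other, group, outcomes)
            trace.insert(0, "%s: no lines in service file, falling back to 'other'" % group)
        report[group] = (verdict, trace)
    report["verdict"] = ("allow" if all(report[g][0] == "allow" for g in ("auth", "account"))
                         else "deny")
    return report


if __name__ == "__main__":
    for name, conf in (("httpd", HTTPD_CONF), ("first attempt", FIRST_ATTEMPT_CONF)):
        for ldap_ok in (True, False):
            r = login(conf, {"pam_ldap.so": ldap_ok})
            print("%s, pam_ldap %s: %s" % (name, "ok" if ldap_ok else "fails", r["verdict"]))
            for group in ("auth", "account"):
                for step in r[group][1]:
                    print("   ", step)
```

Running it shows the httpd file allowing only when pam_ldap succeeds (there is no second auth module to fall back to), and the first-attempt file denying even a good LDAP password because its account check lands in "other".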

Note that libapache-mod-auth-pam is greedy in that once it's loaded it wants to do all of the authentication. It took me a while to figure this out - if you don't want to use it you need to shut it off explicitly on a per-directory basis.

I found that most of the PAM modules were pretty half-baked so debugging is hard if you don't have the source. OTOH we're only talking about a few hundred lines of code so it's not too hard to find your way around.

LDAP

The PAM LDAP module is configured by /etc/pam_ldap.conf. The sequence of events at login is: bind to the server (anonymously, unless binddn and bindpw are set in pam_ldap.conf, which is the "connect as manager" case), search under base for an entry whose login attribute (pam_login_attribute, "uid" by default) equals the login name given, then bind as that entry's DN using the password given; that second bind succeeding is what counts as authentication. I didn't find the "uid" element in standard schemas so if you can't log in it's a good idea to check whether the uid element is populated correctly. One caveat when the caller is Apache rather than a root-run daemon: the Apache worker process has to be able to read pam_ldap.conf, so a bindpw stored there is readable by whatever else runs as that user.
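As an added check (example code, not part of this page or of pam_ldap), the following Python reads a pam_ldap.conf, builds the search filter pam_ldap will use for a given login name with RFC 4515 escaping, prints the equivalent ldapsearch(1) command so you can reproduce the "uid" lookup by hand, and flags the configuration problems a practitioner would want to know about. The sample config and login names are constructed; the option names used (host, uri, base, scope, binddn, bindpw, rootbinddn, ssl, pam_filter, pam_login_attribute) are those from the PADL pam_ldap.conf.

```python
"""Reproduce pam_ldap's user lookup from /etc/pam_ldap.conf (added example)."""

# Constructed sample config; not the file from this page.
SAMPLE_PAM_LDAP_CONF = """\
host ldap.example.com
base dc=example,dc=com
ldap_version 3
binddn cn=manager,dc=example,dc=com
bindpw s3cret
scope sub
pam_login_attribute uid
"""


def parse_pam_ldap_conf(text):
    """pam_ldap.conf is one 'keyword value' per line; lines starting with '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def escape_filter_value(value):
    """RFC 4515 escaping: a login name must never be pasted raw into a filter,
    otherwise a user called '*' matches every entry in the base."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def search_plan(conf, login):
    """Describe the search pam_ldap performs before it tries the user's own bind."""
    attr = conf.get("pam_login_attribute", "uid")
    user_part = "(%s=%s)" % (attr, escape_filter_value(login))
    if conf.get("pam_filter"):
        ldap_filter = "(&(%s)%s)" % (conf["pam_filter"], user_part)
    else:
        ldap_filter = user_part
    uri = conf.get("uri") or "ldap://%s" % conf.get("host", "localhost")
    return {
        "uri": uri,
        "base": conf["base"],
        "scope": conf.get("scope", "sub"),
        "filter": ldap_filter,
        "binddn": conf.get("binddn") or conf.get("rootbinddn"),  # None -> anonymous search
    }


def ldapsearch_command(plan, attrs=("uid",)):
    """Equivalent ldapsearch(1) invocation for checking the lookup by hand."""
    cmd = ["ldapsearch", "-x", "-H", plan["uri"], "-b", plan["base"], "-s", plan["scope"]]
    if plan["binddn"]:
        cmd += ["-D", plan["binddn"], "-W"]          # -W prompts for the bind password
    cmd.append("'%s'" % plan["filter"])
    cmd += list(attrs)
    return " ".join(cmd)


def config_warnings(conf):
    """Problems a practitioner would want flagged in this pam_ldap.conf."""
    warnings = []
    if "bindpw" in conf:
        warnings.append("bindpw is stored in pam_ldap.conf: every process that can read the "
                        "file (e.g. the Apache worker under mod_auth_pam) learns it; for "
                        "root-run services rootbinddn keeps it in /etc/pam_ldap.secret instead")
    if not (conf.get("binddn") or conf.get("rootbinddn")):
        warnings.append("no binddn: the login-attribute search is anonymous, so the directory "
                        "must allow anonymous read of that attribute")
    if conf.get("ssl", "off").lower() not in ("on", "start_tls"):
        warnings.append("ssl is off: the user's password crosses the network in clear "
                        "during the second bind")
    return warnings


if __name__ == "__main__":
    conf = parse_pam_ldap_conf(SAMPLE_PAM_LDAP_CONF)
    for name in ("alice", "*"):                      # constructed login names
        plan = search_plan(conf, name)
        print("login %-6r -> filter %s" % (name, plan["filter"]))
        print("   ", ldapsearch_command(plan))
    for w in config_warnings(conf):
        print("WARNING:", w)
```

If the ldapsearch it prints returns no entry for a user who exists, the login attribute is not populated (or the bind DN cannot read it), which is the failure the paragraph above describes; if it returns more than one entry, pam_ldap has an ambiguous match and will not know which DN to bind as.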

References

The PAM home page appears to be: http://www.kernel.org/pub/linux/libs/pam/

The PAM/LDAP home page appears to be: http://www.padl.com/pam_ldap.html

Info for setting up LDAP on Debian: http://people.debian.org/~torsten/ldapnss.html, http://homex.subnet.at/~max/ldap/

Copyright © 2008-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.