PluggableAuthenticationModules (revision 3)
*Pluggable Authentication Modules* (PAM) is the mechanism that Linux uses to decide whether you can log in or not. Here's a crude picture:

<pre>
 login -------\                            /---- RDBMS
               \                          /
 apache ---------\      ===========      /------ LDAP
                  \     =         =     /
 ssh ---------------=      PAM     =----------- passwd files
                  /     =         =     \
 passwd ---------/      ===========      \------ RADIUS
                /            |            \
 etc... -------/             |             \---- etc...
                             |
                  -----------------------
                 |   PAM config files    |
                 |  (/etc/pam.d/*,       |
                 |   /etc/pam_ldap.conf, |
                 |   etc)                |
                  -----------------------
</pre>

In a nutshell, any program that wants to see if you can log in calls the PAM library, which then looks at the config files to see which modules to call to do the processing. The program never talks to the back end itself, so moving from passwd files to LDAP is a configuration change, not a code change. You can even "stack" the modules: the control flag on each line (=required=, =requisite=, =sufficient= or =optional=) says how that module's result combines with the others, so you can require that more than one of them succeed, or accept any one of several.

In one rather extreme case I used the Apache PAM authentication module to call the PAM LDAP module so that Apache could decide whether to allow each person to view a page. The config file =/etc/pam.d/httpd= looked like this:

<pre>
auth     sufficient  pam_ldap.so
#auth    required    pam_unix.so
#account required    pam_unix.so
account  required    pam_ldap.so
</pre>

One mistake I made was having no =account= directive the first time I tried it. The Apache module runs both the =auth= and the =account= phase, and when a service file has no lines for a management group Linux-PAM falls back to the defaults in =/etc/pam.d/other=, which on Debian deny everything, so the login failed even after the password had been accepted. It's important to have the =auth= and =account= directives use the same module: =pam_unix.so= checks the account against the local passwd and shadow files, so it rejects a user who exists only in LDAP even though =pam_ldap.so= has just authenticated them.

Note that libapache-mod-auth-pam is greedy in that once it's loaded it wants to do all of the authentication. It took me a while to figure this out: if you don't want to use it you need to shut it off explicitly on a per-directory basis.

I found that most of the PAM modules were pretty half-baked, so debugging is hard if you don't have the source. OTOH we're only talking about a few hundred lines of code, so it's not too hard to find your way around.

*LDAP*

The PAM LDAP module is configured by =/etc/pam_ldap.conf=. The sequence of events at login is: pam_ldap connects to the server and binds as the manager account named in that file (=binddn= and =bindpw=, or anonymously if none is given), searches under =base= for an entry whose =uid= attribute (the default =pam_login_attribute=) equals the login name given, and then tries to bind as that entry's DN using the password given. Authentication succeeds only if this second bind succeeds, so the password is checked by the directory server, not by the module.

I didn't find the "uid" element in standard schemas, so if you can't log in it's a good idea to check whether the =uid= attribute is populated correctly.

*references*

The PAM home page appears to be: http://www.kernel.org/pub/linux/libs/pam/

The PAM/LDAP home page appears to be: http://www.padl.com/pam_ldap.html

Info for setting up LDAP on Debian: http://people.debian.org/~torsten/ldapnss.html and http://homex.subnet.at/~max/ldap/
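*worked example: how the stack is evaluated*

To make the stacking and missing-=account= points above concrete, here is a small Python simulator of how libpam walks a module stack with the classic control flags. This is an added example, not code from this page, from Linux-PAM or from pam_ldap: the =pam_ldap=, =pam_unix= and =pam_deny= functions are stand-ins for the real modules, the user data is constructed, and the =/etc/pam.d/other= contents assume Debian's default of =pam_deny.so=. It runs the =/etc/pam.d/httpd= file above, the first attempt without an =account= line, and a stack that requires both =pam_unix.so= and =pam_ldap.so= to succeed.

```python
"""Simulator of how Linux-PAM walks a module stack (added example, not libpam's
or the wiki's code; module functions are stand-ins, all user data constructed)."""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

# Constructed sample data: directory users (uid -> userPassword) and local users.
LDAP_USERS = {"alice": "ldap-secret"}
LOCAL_USERS = {"root": "local-secret"}


def pam_ldap(ctx, args):
    """Stand-in for pam_ldap.so: auth = find uid then bind with the password;
    account = the entry must exist."""
    if ctx["user"] not in LDAP_USERS:
        return PAM_USER_UNKNOWN
    if ctx["type"] == "auth" and LDAP_USERS[ctx["user"]] != ctx["password"]:
        return PAM_AUTH_ERR
    return PAM_SUCCESS


def pam_unix(ctx, args):
    """Stand-in for pam_unix.so: only knows users in the local passwd/shadow files."""
    if ctx["user"] not in LOCAL_USERS:
        return PAM_USER_UNKNOWN
    if ctx["type"] == "auth" and LOCAL_USERS[ctx["user"]] != ctx["password"]:
        return PAM_AUTH_ERR
    return PAM_SUCCESS


MODULES = {
    "pam_ldap.so": pam_ldap,
    "pam_unix.so": pam_unix,
    "pam_deny.so": lambda ctx, args: PAM_PERM_DENIED,
}


def parse_pam_d(text):
    """Parse /etc/pam.d/<service> syntax: 'type control module [args]'; '#' comments."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            mtype, control, module, *args = line.split()
            stacks.setdefault(mtype, []).append((control, module, args))
    return stacks


def run_stack(entries, ctx):
    """Walk one management group's stack with the control flags of pam.conf(5)."""
    failure = None      # first failure from a required/requisite module
    positive = False    # at least one module said yes
    for control, module, args in entries:
        if control not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError("unsupported control flag: " + control)
        result = MODULES[module](ctx, args)
        if result == PAM_SUCCESS:
            positive = True
            if control == "sufficient" and failure is None:
                return PAM_SUCCESS      # early exit, unless something already failed
        elif control == "required":
            failure = failure or result  # remembered; the rest of the stack still runs
        elif control == "requisite":
            return failure or result     # stop immediately
        # failures of 'sufficient' and 'optional' modules are ignored
    if failure:
        return failure
    # A stack that never produced a success (empty, or a lone failed
    # 'sufficient') is a failure, not a pass.
    return PAM_SUCCESS if positive else PAM_PERM_DENIED


def pam_dispatch(pam_d, service, mtype, user, password):
    """Pick the stack the way libpam does: the service's own lines for this
    management group, otherwise the 'other' service."""
    entries = parse_pam_d(pam_d[service]).get(mtype)
    if not entries:
        entries = parse_pam_d(pam_d.get("other", "")).get(mtype, [])
    return run_stack(entries, {"type": mtype, "user": user, "password": password})


HTTPD_WORKING = """\
auth     sufficient  pam_ldap.so
#auth    required    pam_unix.so
#account required    pam_unix.so
account  required    pam_ldap.so
"""
HTTPD_NO_ACCOUNT = "auth sufficient pam_ldap.so\n"   # the first attempt
HTTPD_BOTH_REQUIRED = "auth required pam_unix.so\nauth required pam_ldap.so\naccount required pam_ldap.so\n"
OTHER = "auth required pam_deny.so\naccount required pam_deny.so\n"  # assumed Debian default


def check_login(httpd_conf, user, password):
    """What mod_auth_pam does per request: pam_authenticate(), then pam_acct_mgmt()."""
    pam_d = {"httpd": httpd_conf, "other": OTHER}
    status = pam_dispatch(pam_d, "httpd", "auth", user, password)
    if status != PAM_SUCCESS:
        return status
    return pam_dispatch(pam_d, "httpd", "account", user, password)


if __name__ == "__main__":
    for label, conf, pw in [("working, good pw", HTTPD_WORKING, "ldap-secret"),
                            ("working, bad pw", HTTPD_WORKING, "wrong"),
                            ("no account line", HTTPD_NO_ACCOUNT, "ldap-secret"),
                            ("unix AND ldap", HTTPD_BOTH_REQUIRED, "ldap-secret")]:
        print(f"{label:17s} -> {check_login(conf, 'alice', pw)}")
```

The third case reproduces the mistake described above: authentication passes, but with no =account= line the account check falls through to =other= and is denied. The fourth shows what stacking two =required= lines means: the LDAP-only user is rejected because =pam_unix.so= has never heard of her, and the failure is remembered even though =pam_ldap.so= succeeds afterwards.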
Copyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.