[Diagram: an application calls Linux-PAM through the authentication and conversation service; Linux-PAM reads the PAM configuration file and dispatches to the account, authentication, password and session module stacks]
Systems Integration with Free Software - pam + ldap
Xavier Castaño García
This session
We are going to talk about:
Brief introduction to PAM
Integrating PAM + LDAP
Introduction to PAM (I)
Linux-PAM is a free implementation of the DCE-RFC from SunSoft for unifying the login process.
PAM allows programs that rely on authentication to be written independently of the underlying authentication scheme.
References:
http://www.kernel.org/pub/linux/libs/pam/
Introduction to PAM (II)
Linux-PAM works with modules as plugins. Some of them:
Kerberos modules, for example libpam-krb5 in Debian (MIT Kerberos).
pam-ldap
One-time password authentication modules like libpam-opie.
Admin guide:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html
Introduction to PAM (III)
Linux-PAM manages four different types of tasks:
Authentication management.
Account management.
Session management.
Password management.
These tasks are performed by the modules specified in the configuration file.
Introduction to PAM (IV)
Introduction to PAM (V)
PAM library is configured by:
/etc/pam.conf: General configuration for PAM.
/etc/pam.d/: Configuration files per service. For example, one file for imap, and the "other" file for services without a specific configuration.
Each module can have its own configuration file inside /etc, for example, pam_ldap.conf.
Introduction to PAM (VI)
Configuration files:
Each file is made up of a list of rules.
Each rule is typically placed on a single line.
The format is:
service type control module-path module-arguments
If the file is in the /etc/pam.d/ directory the service field is omitted (the filename is the service).
You can stack several rules for the same service to combine modules.
Introduction to PAM (VII)
Configuration files:
type can be:
account: Account management without authentication. It permits or restricts access based on other criteria (available resources, time of day).
auth: Authentication and group membership (or other privileges) module.
password: Used for updating the authentication token associated with the user.
session: For doing things before/after the user gains access (for example, mounting directories).
Introduction to PAM (VIII)
Configuration files:
control: required, requisite, sufficient, optional, include, substack.
See: http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html
module-path: the module's full file name.
module-arguments: options passed to the module, for example:
squid auth required pam_mysql.so user=passwd_query passwd=mada \
db=eminence [query=select user_name from internet_service \
where user_name='%u' and password=PASSWORD('%p') and \
service='web_proxy']
Introduction to PAM (IX)
Configuration files:
Typical modules:
pam_deny: Denies access without logging the action.
pam_warn: Warns the administrator (logs the call).
pam_unix: Traditional password authentication. It takes parameters like:
nullok: the module's default is to not permit the user access to a service if their official password is blank; nullok overrides that default.
use_first_pass: forces the module to use the password obtained by a previously stacked module.
More information about modules and conf.:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-module-reference.html
PAM with LDAP (I)
pam-ldap provides a PAM module for authentication against LDAP directories.
pam-ldap offers:
Transport layer security (SSL or TLS) to encrypt transactions between the workstation and the server.
Support for SASL interactive authentication.
Shares configuration information with nss_ldap.
Supports Netscape and IETF password policies.
PAM with LDAP (II)
Installing and configuring ldap, PAM and NSS:
First, we need a correctly configured LDAP.
Then, we need to install:
apt-get install libpam-ldap
That will also pull in ldap-auth-config.
This package will ask for configuration related to our LDAP: baseDN, user, password.
We should configure /etc/syslog.conf:
local4.* /var/log/slapd.conf
PAM with LDAP (III)
Installing and configuring ldap, PAM and NSS:
We should modify these files, adding these lines before the other configuration lines:
/etc/pam.d/common-auth
auth sufficient pam_ldap.so
/etc/pam.d/common-password
password sufficient pam_ldap.so
/etc/pam.d/common-account
account sufficient pam_ldap.so
Then, we should configure /etc/ldap/ldap.conf:
BASE dc=mswl,dc=com
HOST localhost
PAM with LDAP (IV)
We are going to add to /etc/nsswitch.conf:
passwd: compat ldap
shadow: compat ldap
group: compat ldap
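To tie the rule syntax and control flags from the "Introduction to PAM" slides to the common-auth recipe above, here is an added Python example (not code from this deck or from Linux-PAM) that parses pam.d-style rules and simulates how a stack is walked; module outcomes are a constructed dict standing in for the real module calls.

```python
"""Added example (not Linux-PAM code): parse /etc/pam.d-style rules and simulate
how Linux-PAM walks one module stack. Module outcomes come from a constructed
dict instead of real module calls."""

def tokenize(line):
    """Split a rule into fields; a [...] group (PAM syntax for values with
    spaces) is kept as one field."""
    fields, buf, depth = [], [], 0
    for ch in line:
        depth += (ch == "[") - (ch == "]")
        if ch.isspace() and depth == 0:
            if buf:
                fields.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    return fields + ["".join(buf)] if buf else fields

def parse_rules(text, with_service=False):
    """Parse rules; with_service=True for /etc/pam.conf lines (service first),
    False for /etc/pam.d/<service> files. Handles '#' comments and '\\' continuation."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        f = tokenize(line.split("#", 1)[0])
        if f:
            f = f[1:] if with_service else f
            rules.append({"type": f[0], "control": f[1], "module": f[2], "args": f[3:]})
    return rules

def evaluate(rules, outcomes, task="auth"):
    """Return (final result, modules actually run) for one task's stack, applying
    required / requisite / sufficient / optional as described in the SAG.
    outcomes maps module-path -> 'success' | 'fail' (stands in for the real call)."""
    stack = [r for r in rules if r["type"] == task]
    failed, passed, ran = False, False, []
    for r in stack:
        ran.append(r["module"])
        res, ctl = outcomes.get(r["module"], "fail"), r["control"]
        if ctl == "requisite" and res == "fail":
            return "fail", ran                    # fatal: stop at once
        if ctl == "required" and res == "fail":
            failed = True                         # remember, keep walking the stack
        elif ctl == "sufficient" and res == "success" and not failed:
            return "success", ran                 # an earlier required failure still wins
        elif ctl in ("required", "requisite") and res == "success":
            passed = True
        elif ctl == "optional" and len(stack) == 1:
            passed = res == "success"             # optional only counts when alone
    return ("fail" if failed or not passed else "success"), ran
```

With the deck's common-auth (sufficient pam_ldap.so before required pam_unix.so), an LDAP success ends the stack early, an LDAP failure is ignored and local authentication still runs, and swapping the order makes a later sufficient unable to rescue an earlier required failure.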
Master on Free Software