pamsession


Upload: guest648519

Post on 16-Apr-2017


TRANSCRIPT

[Diagram: Application -> authentication + conversation -> Linux-PAM -> PAM configuration file -> account / authentication / password / session -> modules a, b, c, d, e ...]

Systems Integration with Free Software - pam + ldap -

Xavier Castaño García

This session

We are going to talk about:

Brief introduction to PAM

Integrating PAM + LDAP

Introduction to PAM (I)

Linux-PAM is a free implementation of the DCE-RFC 86.0 proposal from SunSoft for unifying the login process.

PAM allows programs that rely on authentication to be written independently of the underlying authentication scheme.

References:

http://www.kernel.org/pub/linux/libs/pam/

Introduction to PAM (II)

Linux-PAM works with modules as plugins. Some of them:

Kerberos modules, for example libpam-krb5 in Debian (MIT Kerberos).

pam_ldap (the Debian package is libpam-ldap).

One-time password authentication modules like libpam-opie.

Admin guide:

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html

Introduction to PAM (III)

Linux-PAM manages four different types of tasks:

Authentication management.

Account management.

Session management.

Password management.

These tasks are performed by modules specified in the configuration file.

Introduction to PAM (IV)

Introduction to PAM (V)

The PAM library is configured by:

/etc/pam.conf: general configuration for PAM, used only when the /etc/pam.d/ directory does not exist.

/etc/pam.d/: one configuration file per service (for example imap); the file named other applies to any service that has no file of its own.

Each module can have its own configuration file inside /etc, for example /etc/pam_ldap.conf.

Introduction to PAM (VI)

Configuration files:

Each file is made up of a list of rules.

Each rule is typically placed on a single line, but it can be continued onto the next line by ending it with a backslash.

The format is:

service type control module-path module-arguments

For files in the /etc/pam.d/ directory the service field is omitted: the filename is the service.

Several rules of the same type can be stacked for one service; they are run in order, and the control field of each rule decides how its result is combined with the others.

Introduction to PAM (VII)

Configuration files:

type can be:

account: account management, not authentication: permits or restricts access based on other criteria (account expiry, time of day, available resources).

auth: authenticates the user (usually by asking for a password) and can grant group membership or other credentials.

password: used for updating the authentication token associated with the user.

session: things done before the user gains access and after the session ends (mounting directories, logging).

Introduction to PAM (VIII)

Configuration files:

control: required, requisite, sufficient, optional, include, substack.

required: a failure makes the whole stack fail, but the remaining modules still run (so the user cannot tell which module refused).

requisite: a failure makes the stack fail immediately; later modules are not called.

sufficient: a success ends the stack with success, unless an earlier required module has already failed; a failure is ignored.

optional: its result only matters if it is the only module in the stack.

include / substack: pull in the rules of the named file; with substack, a "done" or "die" inside the included file ends only that substack, not the whole stack.

See: http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html

module-path: the module's file name, either a full path or a name relative to the default module directory (for example pam_unix.so).

module-arguments: space-separated and passed to the module. An argument that contains spaces is enclosed in square brackets, and a ']' inside it is written as '\]'. Example in /etc/pam.conf syntax (with the service field):

squid auth required pam_mysql.so user=passwd_query passwd=mada \
db=eminence [query=select user_name from internet_service \
where user_name='%u' and password=PASSWORD('%p') and \
service='web_proxy']

Note that the database password appears in clear text in this file.
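Parsing a few rules is the quickest way to see the syntax exactly. The parser below is an added example written for this page, not code from the talk or from Linux-PAM: it handles the backslash continuation, the [value=action ...] control form and the bracket quoting of arguments with an escaped ']'. The two sample texts are constructed for the demo; the squid rule is the one from the slide, and pam_example.so is a hypothetical module name used only to show the escape.

```python
# Parser for Linux-PAM configuration rules (added example, not Linux-PAM code).
from dataclasses import dataclass, field
from typing import Dict, List, Union

RULE_TYPES = {"auth", "account", "password", "session"}
CONTROL_KEYWORDS = {"required", "requisite", "sufficient", "optional", "include", "substack"}

@dataclass
class Rule:
    service: str                         # "" for /etc/pam.d/ files (the filename is the service)
    type: str                            # auth, account, password or session
    control: Union[str, Dict[str, str]]  # keyword, or {value: action} for the [...] form
    module: str                          # module-path, or a file name for include/substack
    args: List[str] = field(default_factory=list)
    silent_if_missing: bool = False      # type written with a leading '-'

def _logical_lines(text):
    """Join lines ending in a backslash (Linux-PAM line continuation); skip blanks and '#' lines."""
    buf = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        line, buf = (buf + raw).strip(), ""
        if line and not line.startswith("#"):
            yield line
    if buf.strip():
        yield buf.strip()

def _tokenize(line):
    """Split a rule into (text, was_bracketed) pairs. A [...] token may contain spaces
    and literal '[' characters; '\\]' inside it stands for ']'. '#' starts a comment."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        if line[i].isspace():
            i += 1
        elif line[i] == "#":
            break
        elif line[i] == "[":
            i, buf = i + 1, []
            while i < n and line[i] != "]":
                if line[i] == "\\" and i + 1 < n and line[i + 1] == "]":
                    buf.append("]")
                    i += 2
                else:
                    buf.append(line[i])
                    i += 1
            if i >= n:
                raise ValueError("unterminated '[' in rule: " + line)
            tokens.append(("".join(buf), True))
            i += 1
        else:
            j = i
            while j < n and not line[j].isspace():
                j += 1
            tokens.append((line[i:j], False))
            i = j
    return tokens

def parse_rule(line, has_service):
    """Parse one rule; has_service is True for /etc/pam.conf syntax, False for /etc/pam.d/ files."""
    toks = _tokenize(line)
    service = toks.pop(0)[0] if has_service and toks else ""
    if len(toks) < 3:
        raise ValueError("rule needs type, control and module-path: " + line)
    type_tok, (ctrl, bracketed), module = toks[0][0], toks[1], toks[2][0]
    rtype = type_tok.lstrip("-")
    if rtype not in RULE_TYPES:
        raise ValueError("unknown type %r in rule: %s" % (rtype, line))
    if bracketed:                         # [success=done default=bad ...]
        pairs = [kv.split("=", 1) for kv in ctrl.split()]
        if any(len(p) != 2 for p in pairs):
            raise ValueError("bad [value=action] control in rule: " + line)
        control = dict(pairs)
    elif ctrl in CONTROL_KEYWORDS:
        control = ctrl
    else:
        raise ValueError("unknown control %r in rule: %s" % (ctrl, line))
    return Rule(service, rtype, control, module, [t for t, _ in toks[3:]], type_tok.startswith("-"))

def parse_pam_config(text, has_service):
    return [parse_rule(line, has_service) for line in _logical_lines(text)]

# Constructed sample in /etc/pam.conf syntax; the squid rule is the one quoted on the
# slide above, spread over four lines with backslash continuation.
SAMPLE_PAM_CONF = (
    "# service type control module-path module-arguments\n"
    "squid auth required pam_mysql.so user=passwd_query passwd=mada \\\n"
    "db=eminence [query=select user_name from internet_service \\\n"
    "where user_name='%u' and password=PASSWORD('%p') and \\\n"
    "service='web_proxy']\n"
    "other auth required pam_deny.so\n"
)

# Constructed sample in /etc/pam.d/ syntax (no service field) showing the [value=action]
# control form, a trailing comment and an escaped ']'. pam_example.so is a hypothetical name.
SAMPLE_PAMD = (
    "auth [success=1 default=ignore] pam_ldap.so debug\n"
    "auth required pam_unix.so nullok_secure use_first_pass  # local accounts\n"
    "-session optional pam_example.so [msg=see [mswl\\] for help]\n"
)

if __name__ == "__main__":
    for rule in parse_pam_config(SAMPLE_PAM_CONF, True) + parse_pam_config(SAMPLE_PAMD, False):
        print(rule)
```

Running the file prints one Rule per logical line; the four-line squid rule comes back as a single rule whose last argument is the whole query, spaces included, which is exactly what pam_mysql receives.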

Introduction to PAM (IX)

Configuration files:

Typical modules:

pam_deny: always denies; it does not log the action (stack it with pam_warn if a log entry is wanted).

pam_warn: logs the service, terminal, user and remote host to syslog; it never changes the result.

pam_unix: traditional /etc/passwd and /etc/shadow password authentication. It takes parameters like:

nullok: by default pam_unix does not permit access to a service if the user's password is blank; nullok lifts that restriction and allows empty passwords, so leave it out on anything reachable over the network.

use_first_pass: forces the module to use the password obtained by a previously stacked module instead of prompting again; if no password is available, the module fails (try_first_pass prompts as a fallback instead).

More information about modules and conf.:

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-module-reference.html

PAM with LDAP (I)

pam-ldap provides a PAM module for authentication against LDAP directories.

pam-ldap offers:

Transport layer security (SSL or TLS) to encrypt transactions between the workstation and the server.

Support for SASL interactive authentication.

Shares configuration information with nss_ldap.

Supports Netscape and IETF password policies.

PAM with LDAP (II)

Installing and configuring ldap, PAM and NSS:

First, we need a correctly configured LDAP.

Then, we need to install:

apt-get install libpam-ldap

That also installs ldap-auth-config.

This package asks (through debconf) for the settings of our LDAP server: base DN, bind user, password.

To get slapd's messages (it logs to the local4 facility by default) into their own file, add to /etc/syslog.conf:

local4.*    /var/log/slapd.log

PAM with LDAP (III)

Installing and configuring ldap, PAM and NSS:

We should add these lines to the following files, before the existing rules:

/etc/pam.d/common-auth

auth sufficient pam_ldap.so

/etc/pam.d/common-password

password sufficient pam_ldap.so

/etc/pam.d/common-account

account sufficient pam_ldap.so

Because the rules are sufficient, an LDAP success ends the stack and an LDAP failure is simply ignored, falling through to the existing pam_unix rule; give that pam_unix rule the use_first_pass argument so the user is not asked for the password twice. On newer Debian and Ubuntu releases the common-* files are managed by pam-auth-update, so LDAP should be enabled through it rather than by editing the files by hand.

Then configure /etc/ldap/ldap.conf, the defaults for the OpenLDAP client library and tools (newer versions prefer a URI ldap://localhost line over HOST):

BASE dc=mswl,dc=com

HOST localhost
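To see what "sufficient" in front of the existing pam_unix rule actually does, the following simulation is an added example, not code from the talk or from Linux-PAM: it re-implements the control keywords listed in the introduction (required, requisite, sufficient, optional) as the Linux-PAM System Administrators' Guide describes them, and runs the common-auth stack above through a few constructed cases. The module return values are made up for the demo, and the second rule (pam_unix as required) is assumed to be the distribution's existing line.

```python
# Simulation of how Linux-PAM combines a stack of module results (added example).
# Return values use the spelling of the [value=action ...] control syntax.
SUCCESS, IGNORE, PERM_DENIED = "success", "ignore", "perm_denied"

# The four simple keywords as Linux-PAM expands them into [value=action ...].
KEYWORD_ACTIONS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def evaluate_stack(stack, results):
    """Run one type's stack (list of (control, module) pairs, in file order).

    results maps module name -> the value that module would return (constructed here).
    Returns (final status, list of modules actually called), following libpam's
    dispatch loop: ok/done set the status while no failure has been seen, bad/die
    record the first failure, done and die stop the stack.
    """
    impression = None      # None: undecided, True: positive, False: negative
    status = SUCCESS
    called = []
    for control, module in stack:
        actions = KEYWORD_ACTIONS[control] if isinstance(control, str) else control
        retval = results[module]
        called.append(module)
        action = actions.get(retval, actions["default"])
        if action in ("ok", "done"):
            # A success only counts while no earlier module has failed.
            if impression is None or (impression and status == SUCCESS):
                if retval != IGNORE:
                    impression, status = True, retval
            # 'done' (sufficient) ends the stack only while the impression is positive,
            # so it cannot rescue a failure recorded by an earlier required module.
            if impression and action == "done":
                break
        elif action in ("bad", "die"):
            if impression is not False:       # the first failure fixes the status
                impression, status = False, retval
            if action == "die":               # requisite: stop immediately
                break
        # action "ignore": the result plays no part
    if status == SUCCESS and impression is not True:
        status = PERM_DENIED                  # nothing positive happened: refused
    return status, called

# The stack from the talk: pam_ldap added as sufficient in front of the
# distribution's existing pam_unix rule in /etc/pam.d/common-auth.
LDAP_FIRST = [("sufficient", "pam_ldap.so"), ("required", "pam_unix.so")]
# The other order, kept for comparison.
UNIX_FIRST = [("required", "pam_unix.so"), ("sufficient", "pam_ldap.so")]

def scenarios():
    """Constructed cases; each value is (final status, modules called)."""
    return {
        # Directory user, correct password: pam_ldap succeeds and the stack ends there.
        "ldap user, good password":
            evaluate_stack(LDAP_FIRST, {"pam_ldap.so": "success", "pam_unix.so": "user_unknown"}),
        # Directory user, wrong password: the LDAP failure is ignored, pam_unix decides.
        "ldap user, bad password":
            evaluate_stack(LDAP_FIRST, {"pam_ldap.so": "auth_err", "pam_unix.so": "user_unknown"}),
        # Local-only account (root): unknown to LDAP, authenticated by pam_unix.
        "local user, good password":
            evaluate_stack(LDAP_FIRST, {"pam_ldap.so": "user_unknown", "pam_unix.so": "success"}),
        # Same directory user with pam_unix first: its failure is already recorded
        # when pam_ldap succeeds, so the login is refused.
        "ldap user, pam_unix first":
            evaluate_stack(UNIX_FIRST, {"pam_ldap.so": "success", "pam_unix.so": "user_unknown"}),
        # requisite: a failing module stops the stack before pam_ldap runs.
        "requisite failure":
            evaluate_stack([("requisite", "pam_securetty.so"), ("sufficient", "pam_ldap.so")],
                           {"pam_securetty.so": "auth_err", "pam_ldap.so": "success"}),
        # A lone optional module that fails leaves nothing positive: refused.
        "only optional, failing":
            evaluate_stack([("optional", "pam_unix.so")], {"pam_unix.so": "auth_err"}),
    }

if __name__ == "__main__":
    for name, (status, called) in scenarios().items():
        print("%-28s -> %-13s (called: %s)" % (name, status, ", ".join(called)))
```

The fourth case is the reason the talk puts the pam_ldap line before the existing rules: once a required pam_unix has returned user_unknown for a directory-only account, a later sufficient success can neither end the stack nor change the result.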

PAM with LDAP (IV)

We are going to edit /etc/nsswitch.conf, adding ldap after compat on the passwd, shadow and group lines:

passwd: compat ldap

shadow: compat ldap

group: compat ldap

After that, getent passwd <user> for a directory user should return the entry from LDAP; if it does not, fix NSS before testing logins, since login cannot create a session for a user it cannot look up.


Master on Free Software