PAM Configuration
PAM (Pluggable Authentication Modules) is a very flexible authentication system. As the name implies, it allows modules to be plugged in to provide specific functionality. Each module looks after some part of the authentication process with the combination of the results of each module determining whether access is granted.
For example, there is a module that provides LDAP functionality and another that provides Unix / Shadow functionality, and so on. In order to provide the password checks and updates required by a given institution it is necessary to adjust the PAM configuration to match the institution's policy. If an institution uses Active Directory to manage users, then the PAM LDAP module must be enabled; if an institution uses dongles, then the required PAM module (e.g. pam_usbng) needs to be enabled.
It is beyond the scope of this document to explain how to configure PAM (there are plenty of good sources available on the internet). Rather, we will look at the configurations required to support password management on:
- Solaris 10
- Linux
- FreeBSD
In order to provide general support for the password database used by your institution (LDAP, AD, Shadow, etc.) within EMu you need to configure not only PAM but also NSS (Name Service Switch). The combination of PAM and NSS on Unix systems provides the integration required to communicate with the various user / password databases. An explanation of NSS is beyond the scope of this document; however, sample NSS configurations are provided below. The NSS configuration file is located at /etc/nsswitch.conf.
The PAM configurations outlined in this section apply to the setup required by EMu only. The configurations do not provide general purpose account access to the server via PAM, rather they allow EMu to be configured to use the required user / password database. The configurations show the settings required within the listed file, not the complete contents of the file. Thus if you are configuring the PAM and NSS settings you will need to amend the contents of the existing file, rather than replace them.

The PAM configuration file used by Solaris 10 is located at /etc/pam.conf. The file contains the configuration for all PAM services, rather than one service per file (as is used by Linux and FreeBSD).

The PAM and NSS configuration file segments required to provide Shadow database support are:
/etc/pam.conf
#
# EMu Texpress service
#
texpress auth sufficient pam_rhosts_auth.so.1
texpress auth requisite pam_authtok_get.so.1
texpress auth required pam_dhkeys.so.1
texpress auth required pam_unix_cred.so.1
texpress auth required pam_unix_auth.so.1
/etc/nsswitch.conf
passwd: files

The PAM and NSS configuration file segments required to provide NIS and Shadow database support are:
/etc/pam.conf
#
# EMu Texpress service
#
texpress auth sufficient pam_rhosts_auth.so.1
texpress auth requisite pam_authtok_get.so.1
texpress auth required pam_dhkeys.so.1
texpress auth required pam_unix_cred.so.1
texpress auth required pam_unix_auth.so.1
/etc/nsswitch.conf
passwd: files nis

The PAM and NSS configuration file segments required to provide LDAP or AD and Shadow database support are:
/etc/pam.conf
#
# EMu Texpress service
#
texpress auth sufficient pam_rhosts_auth.so.1
texpress auth requisite pam_authtok_get.so.1
texpress auth required pam_dhkeys.so.1
texpress auth required pam_unix_cred.so.1
texpress auth binding pam_unix_auth.so.1 server_policy
texpress auth required pam_ldap.so.1
#
# Default Account service
#
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
#
# Password checking (used by Admin Task only)
#
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
#
# Default Password service
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
/etc/nsswitch.conf
passwd: files ldap
If you select LDAP support, you will need to configure how to bind to the LDAP server. Use the ldapclient command to specify these settings.

The PAM configuration file used by Linux is located at /etc/pam.d/texpress. The file contains the configuration for EMu services only.

The PAM file and NSS file segments required to provide Shadow database support are:
/etc/pam.d/texpress
#
# EMu Texpress service
#
auth required pam_env.so
auth required pam_unix.so nullok try_first_pass
account required pam_unix.so
password requisite pam_cracklib.so try_first_pass
password required pam_unix.so md5 shadow nullok try_first_pass use_authtok
/etc/nsswitch.conf
passwd: files
shadow: files

The PAM file and NSS file segments required to provide NIS and Shadow database support are:
/etc/pam.d/texpress
#
# EMu Texpress service
#
auth required pam_env.so
auth required pam_unix.so nullok try_first_pass
account required pam_unix.so
password requisite pam_cracklib.so try_first_pass
password required pam_unix.so md5 shadow nullok try_first_pass use_authtok
/etc/nsswitch.conf
passwd: files nis
shadow: files nis

The PAM file and NSS file segments required to provide LDAP or AD and Shadow database support are:
/etc/pam.d/texpress
#
# EMu Texpress service
#
auth required pam_env.so
auth sufficient pam_ldap.so
auth required pam_unix.so nullok try_first_pass
account sufficient pam_ldap.so
account required pam_unix.so
password requisite pam_cracklib.so try_first_pass
password sufficient pam_ldap.so
password required pam_unix.so md5 shadow nullok try_first_pass use_authtok
/etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
If you select LDAP support, you will need to configure how to bind to the LDAP server. The LDAP configuration file is located at /etc/ldap.conf. See the manual entry for ldap.conf for details on how to bind to an LDAP/AD server.
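The way PAM combines the per-module results through the control flags (required, requisite, sufficient and, on Solaris, binding) determines whether a texpress login is granted, and the order of the LDAP and Unix lines above matters. The following is an added example, not part of this documentation or of EMu: it simulates that evaluation for the Linux and Solaris LDAP 'auth' stacks shown above. It assumes the control-flag semantics as documented for Linux-PAM and Solaris, that pam_unix_auth with server_policy returns PAM_IGNORE for directory-managed users, and that the per-module results are constructed inputs rather than real authentication.

```python
"""Simulate how PAM combines per-module results for the texpress 'auth'
stacks on this page (added example; control-flag semantics as documented
for Linux-PAM and Solaris, module results are constructed inputs)."""

IGNORE, OK, FAIL = "ignore", "success", "failure"

# Stacks transcribed from the page as (control flag, module).
LINUX_LDAP_AUTH = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_unix.so"),
]
SOLARIS_LDAP_AUTH = [
    ("sufficient", "pam_rhosts_auth.so.1"),
    ("requisite", "pam_authtok_get.so.1"),
    ("required", "pam_dhkeys.so.1"),
    ("required", "pam_unix_cred.so.1"),
    ("binding", "pam_unix_auth.so.1"),  # server_policy: IGNORE for LDAP users
    ("required", "pam_ldap.so.1"),
]

def evaluate(stack, results):
    """Return (granted, trace). results maps module -> OK/FAIL/IGNORE;
    a module not listed is treated as returning PAM_IGNORE."""
    trace, required_failure = [], False
    for control, module in stack:
        r = results.get(module, IGNORE)
        trace.append(f"{control:10} {module:22} {r}")
        if r == IGNORE:
            continue  # PAM_IGNORE never influences the outcome
        if r == FAIL:
            if control == "requisite":  # abort the stack at once
                trace.append("requisite failed: stack aborted")
                return False, trace
            if control in ("required", "binding"):
                required_failure = True  # remembered; later modules still run
            continue  # a failing 'sufficient' module is simply ignored
        if control in ("sufficient", "binding") and not required_failure:
            trace.append(f"{control} succeeded: remaining modules skipped")
            return True, trace
    return not required_failure, trace

if __name__ == "__main__":
    # Constructed case: directory user with no local shadow entry on Linux.
    granted, trace = evaluate(LINUX_LDAP_AUTH, {"pam_env.so": OK,
                              "pam_ldap.so": OK, "pam_unix.so": FAIL})
    print("\n".join(trace))
    print("=> granted" if granted else "=> denied")
```

Note that on the Solaris stack a failing pam_unix_auth.so.1 (binding) is remembered as a required failure, so a subsequent pam_ldap.so.1 success cannot rescue the login; the server_policy option avoids that for directory users by returning PAM_IGNORE.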

The PAM configuration file used by FreeBSD is located at /etc/pam.d/texpress. The file contains the configuration for EMu services only.

The PAM file and NSS file segments required to provide Unix database support are:
/etc/pam.d/texpress
#
# EMu Texpress service
#
auth required pam_unix.so try_first_pass
account required pam_login_access.so
account required pam_unix.so
password requisite pam_passwdqc.so enforce=users
password required pam_unix.so try_first_pass
/etc/nsswitch.conf
passwd: files
passwd_compat: nis

The PAM file and NSS file segments required to provide NIS and Unix database support are:
/etc/pam.d/texpress
#
# EMu Texpress service
#
auth required pam_unix.so try_first_pass
account required pam_login_access.so
account required pam_unix.so
password requisite pam_passwdqc.so enforce=users
password required pam_unix.so try_first_pass
/etc/nsswitch.conf
passwd: files nis
passwd_compat: nis

The PAM file and NSS file segments required to provide LDAP or AD and Unix database support are:
/etc/pam.d/texpress
#
# EMu Texpress service
#
auth sufficient /usr/local/lib/pam_ldap.so try_first_pass
auth required pam_unix.so try_first_pass
account required pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so
account required pam_unix.so
password requisite pam_passwdqc.so enforce=users
password sufficient /usr/local/lib/pam_ldap.so use_authtok
password required pam_unix.so try_first_pass
/etc/nsswitch.conf
passwd: files ldap
If you select LDAP support, you will need to configure how to bind to the LDAP server. The PAM LDAP configuration file is located at /usr/local/etc/ldap.conf. A copy of the configuration file should be linked to /usr/local/etc/nss_ldap.conf to provide the required NSS LDAP configuration.