OpenACS supports PAM authentication via the ns_pam module in AOLserver.
Add PAM support to AOLserver. OpenACS supports PAM support via the PAM AOLserver module. PAM is system of modular support, and can provide local (unix password), RADIUS, LDAP (more information), and other forms of authentication. Note that due to security issues, the AOLserver PAM module cannot be used for local password authentication.
Compile
and install ns_pam. Download the tarball to /tmp.
Debian users: first do apt-get
install libpam-dev
[root\@yourserver root]#cd /usr/local/src/aolserver[root\@yourserver aolserver]#tar xzf /tmp/ns_pam-0.1.tar.gz[root\@yourserver aolserver]#cd nspam[root\@yourserver nspam]#makegcc -I/usr/include/pam -I/usr/local/aolserver/include -D_REENTRANT=1 -DNDEBUG=1 -g -fPIC -Wall -Wno-unused -mcpu=i686 -DHAVE_CMMSG=1 -DUSE_FIONREAD=1 -DHAVE_COND_EINTR=1 -c -o nspam.o nspam.c nspam.c: In function `PamCmd': nspam.c:107: warning: implicit declaration of function `Tcl_SetObjResult' nspam.c:107: warning: implicit declaration of function `Tcl_NewIntObj' gcc -I/usr/include/pam -I/usr/local/aolserver/include -D_REENTRANT=1 -DNDEBUG=1 -g -fPIC -Wall -Wno-unused -mcpu=i686 -DHAVE_CMMSG=1 -DUSE_FIONREAD=1 -DHAVE_COND_EINTR=1 -c -o pam_support.o pam_support.c /bin/rm -f nspam.so gcc -shared -nostartfiles -o nspam.so nspam.o pam_support.o -lpam [root\@yourserver nspam]#make install[root\@yourserver nspam]# cd /usr/local/src/aolserver tar xzf /tmp/ns_pam-0.1.tar.gz cd nspam make make install
Set up a PAM domain. A PAM domain is a set of rules for granting privileges based on other programs. Each instance of AOLserver uses a domain; different aolserver instances can use the same domain but one AOLserver instance cannot use two domains. The domain describes which intermediate programs will be used to check permissions. You may need to install software to perform new types of authentication.
RADIUS in PAM.
Untar the pam_radius tarball and compile and install. (more information)
[root\@yourserver root]#cd /usr/local/src/[root\@yourserver src]#tar xf /tmp/pam_radius-1.3.16.tar[root\@yourserver src]#cd pam_radius-1.3.16[root\@yourserver pam_radius-1.3.16]#makecc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o cc -Wall -fPIC -c -o md5.o md5.c ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so [root\@yourserver pam_radius-1.3.16]#cp pam_radius_auth.so /lib/security/pam_radius_auth.so[root\@yourserver pam_radius-1.3.16]# cd /usr/local/src/ tar xf /tmp/pam_radius-1.3.16.tar cd pam_radius-1.3.16 make cp pam_radius_auth.so /lib/security/pam_radius_auth.so
Debian users: apt-get install
libpam-radius-auth
Set up the PAM domain. Recent PAM distributions have a different
file for each domain, all in /etc/pam.d. Previous PAM setups put all
domain configuration lines into a single file, /etc/pam.conf. On Red Hat, create the file
/etc/pam.d/service0
with these
contents:
auth sufficient /lib/security/pam_radius_auth.so
Modify the AOLserver configuration file to use this PAM domain. Edit the line
ns_param PamDomain "service0"
So that the value of the parameter matches the name (just the filename, not the fully pathed name) of the domain file in
/etc/pam.d/
LDAP in PAM. more information
Modify the AOLserver configuration file to support ns_pam.
In /var/lib/aolserver/service0/etc/config.tcl, enable
the nspam module by uncommenting this line:
ns_param nspam ${bindir}/nspam.so
Install auth-pam OpenACS service
package. Installauth-pam and
restart the server.
Create an OpenACS authority. OpenACS supports multiple authentication authorities. The OpenACS server itself is the "Local Authority," used by default.
Browse to the authentication administration page, http://yourserver/acs-admin/auth/
. Create and name an
authority (in the sitewide admin UI)
Set Authentication to PAM.
If the PAM domain defines a password command, you can set Password
Management to PAM. If not, the PAM module cannot change the
user's password and you should leave this option Disabled.
Leave Account Registration disabed.