Installation
by Joel Aufrecht

Installing PAM support

OpenACS supports PAM authentication via the ns_pam module for AOLserver.

Add PAM support to AOLserver

PAM is a modular authentication framework that can provide local (Unix password), RADIUS, LDAP (more information), and other forms of authentication. Note that due to security issues, the AOLserver PAM module cannot be used for local password authentication.

Compile and install ns_pam

Download the tarball to /tmp. Debian users: first do apt-get install libpam-dev
[root@yourserver root]# cd /usr/local/src/aolserver
[root@yourserver aolserver]# tar xzf /tmp/ns_pam-0.1.tar.gz
[root@yourserver aolserver]# cd nspam
[root@yourserver nspam]# make
gcc -I/usr/include/pam -I/usr/local/aolserver/include -D_REENTRANT=1
-DNDEBUG=1 -g -fPIC -Wall -Wno-unused -mcpu=i686 -DHAVE_CMMSG=1
-DUSE_FIONREAD=1 -DHAVE_COND_EINTR=1 -c -o nspam.o nspam.c
nspam.c: In function `PamCmd':
nspam.c:107: warning: implicit declaration of function `Tcl_SetObjResult'
nspam.c:107: warning: implicit declaration of function `Tcl_NewIntObj'
gcc -I/usr/include/pam -I/usr/local/aolserver/include -D_REENTRANT=1
-DNDEBUG=1 -g -fPIC -Wall -Wno-unused -mcpu=i686 -DHAVE_CMMSG=1
-DUSE_FIONREAD=1 -DHAVE_COND_EINTR=1 -c -o pam_support.o pam_support.c
/bin/rm -f nspam.so
gcc -shared -nostartfiles -o nspam.so nspam.o pam_support.o -lpam
[root@yourserver nspam]# make install
[root@yourserver nspam]#
Or, without the prompts and output:
cd /usr/local/src/aolserver
tar xzf /tmp/ns_pam-0.1.tar.gz
cd nspam
make
make install

Set up a PAM domain

A PAM domain is a set of rules that grant access by delegating the credential check to other programs (PAM modules). Each AOLserver instance uses one domain; different AOLserver instances can share a domain, but one AOLserver instance cannot use two domains. The domain describes which intermediate programs will be used to check credentials. You may need to install additional software to perform new types of authentication.
RADIUS in PAM

Untar the pam_radius tarball, then compile and install it. (more information)
[root@yourserver root]# cd /usr/local/src/
[root@yourserver src]# tar xf /tmp/pam_radius-1.3.16.tar
[root@yourserver src]# cd pam_radius-1.3.16
[root@yourserver pam_radius-1.3.16]# make
cc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o
cc -Wall -fPIC -c -o md5.o md5.c
ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so
[root@yourserver pam_radius-1.3.16]# cp pam_radius_auth.so /lib/security/pam_radius_auth.so
[root@yourserver pam_radius-1.3.16]#
Or, without the prompts and output:
cd /usr/local/src/
tar xf /tmp/pam_radius-1.3.16.tar
cd pam_radius-1.3.16
make
cp pam_radius_auth.so /lib/security/pam_radius_auth.so

Debian users: apt-get install libpam-radius-auth

Set up the PAM domain. Recent PAM distributions use a separate file for each domain, all in /etc/pam.d; older PAM setups put all domain configuration lines into a single file, /etc/pam.conf. On Red Hat, create the file /etc/pam.d/service0 with these contents:
auth sufficient /lib/security/pam_radius_auth.so
Modify the AOLserver configuration file to use this PAM domain. Edit the line
ns_param PamDomain "service0"
so that the value of the parameter matches the name of the domain file in /etc/pam.d/ (just the file name, not the full path).

LDAP in PAM

(more information)

Modify the AOLserver configuration file to support ns_pam. In /var/lib/aolserver/service0/etc/config.tcl, enable the nspam module by uncommenting this line:
ns_param nspam ${bindir}/nspam.so

Install the auth-pam OpenACS service package

Install auth-pam and restart the server.

Create an OpenACS authority

OpenACS supports multiple authentication authorities.
The OpenACS server itself is the "Local Authority", used by default.

Browse to the authentication administration page, http://yourserver/acs-admin/auth/.
Create and name an authority (in the sitewide admin UI).
Set Authentication to PAM.
If the PAM domain defines a password command, you can set Password Management to PAM. If not, the PAM module cannot change the user's password and you should leave this option Disabled.
Leave Account Registration disabled.
Configure Batch Synchronization (see the section below).
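As an added post-install check (not part of the OpenACS docs), the script below ties the PAM steps above together: it reads the PamDomain value and the nspam module line from an AOLserver config.tcl, confirms that the named domain file exists in a pam.d directory with an auth line, and flags a domain that delegates to pam_unix.so, which is assumed here to be the local-password module the page says the AOLserver PAM module cannot use. The pam.d directory, config.tcl and their contents are constructed in a temporary directory for the demonstration.

```sh
#!/bin/sh
# Added consistency check for the PAM setup (not from the OpenACS docs).
# Assumes the Red Hat layout used on this page: one file per domain in a
# pam.d directory, and a config.tcl carrying 'ns_param nspam ${bindir}/nspam.so'
# and 'ns_param PamDomain "service0"'. pam_unix.so is assumed to be the
# local-password module, which ns_pam cannot use.

# Print the PamDomain value from a config.tcl (quotes stripped), if present.
pam_domain_from_config() {
  awk '$1 == "ns_param" && $2 == "PamDomain" { gsub(/"/, "", $3); print $3; exit }' "$1"
}

# Succeed only if the nspam module line is present and not commented out.
nspam_enabled() {
  grep -q '^[[:space:]]*ns_param[[:space:]][[:space:]]*nspam[[:space:]]' "$1"
}

# Check one domain file in pam.d: it must exist, carry an auth line, and must
# not delegate to pam_unix (local passwords). Prints a reason; 0 means ok.
check_pam_domain() {
  f="$1/$2"
  [ -f "$f" ] || { echo "missing: $f"; return 1; }
  grep -q '^auth[[:space:]]' "$f" || { echo "no auth line: $f"; return 2; }
  if grep -q 'pam_unix' "$f"; then
    echo "local password auth via pam_unix in $f: unsupported by ns_pam"
    return 3
  fi
  echo "ok: $f"
}

# The PamDomain named in config.tcl must be a valid domain file in pam.d,
# and the nspam module itself must be enabled.
check_config() {
  nspam_enabled "$1" || { echo "nspam module not enabled in $1"; return 1; }
  domain=$(pam_domain_from_config "$1")
  [ -n "$domain" ] || { echo "no PamDomain in $1"; return 1; }
  check_pam_domain "$2" "$domain"
}

# Constructed sample files mirroring the page's example (removed on exit).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/pam.d"
printf 'auth sufficient /lib/security/pam_radius_auth.so\n' > "$demo_dir/pam.d/service0"
printf 'auth required pam_unix.so\n' > "$demo_dir/pam.d/localonly"
printf 'ns_param nspam ${bindir}/nspam.so\nns_param PamDomain "service0"\n' > "$demo_dir/config.tcl"

check_config "$demo_dir/config.tcl" "$demo_dir/pam.d"    # prints "ok: .../pam.d/service0"
check_pam_domain "$demo_dir/pam.d" localonly || true       # flags pam_unix
```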
Installing LDAP support

Installing AOLserver LDAP support

Forthcoming. (more information)

Install the auth-ldap OpenACS service package

Install auth-ldap and restart the server.

Configure Batch Synchronization

Browse to the authentication administration page, http://yourserver/acs-admin/auth/, and choose an authority for batch sync.
Set Batch sync enabled to Yes. Set GetDocument Implementation to HTTP GET. Set ProcessDocument Implementation to IMS Enterprise 1.1. These settings cause OpenACS to retrieve, via HTTP, a list of users in XML format from a location specified in a later step. Click OK.
On the next page, click Configure on the GetDocument Implementation line.
Enter either or both of IncrementalURL and SnapshotURL. These are the URLs at which the external authority will supply XML files in IMS Enterprise 1.1 format.
Configure your authority (RADIUS server, etc.) to supply XML files at the IncrementalURL and SnapshotURL. A typical incremental file record looks like:
example missing
A snapshot file is similar but has no recstatus, since it is not a delta but a list of valid records. See the larger example in the design document for more details. (More information: the IMS 1.1 spec)

($Id: install.xml,v 1.4 2004/02/09 15:50:11 joela Exp $)