Index: openacs-4/packages/acs-authentication/www/doc/ext-auth-pam-install.adp =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/www/doc/ext-auth-pam-install.adp,v diff -u -N --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ openacs-4/packages/acs-authentication/www/doc/ext-auth-pam-install.adp 29 Oct 2017 11:33:10 -0000 1.2 @@ -0,0 +1,140 @@ + +{/doc/acs-authentication {Authentication}} {Using Pluggable Authentication Modules (PAM) with +OpenACS} +Using Pluggable Authentication Modules (PAM) with +OpenACS + + +
+

+Using +Pluggable Authentication Modules (PAM) with OpenACS

OpenACS supports PAM authetication via the ns_pam module in +AOLserver.

    +
  1. +

    +Add PAM support to AOLserver. OpenACS +supports PAM support via the PAM AOLserver module. PAM is system of +modular support, and can provide local (unix password), RADIUS, +LDAP (more information), and other forms of +authentication. Note that due to security issues, the AOLserver PAM +module cannot be used for local password authentication.

      +
    1. +

      +Compile +and install ns_pam. Download the tarball to /tmp.

      Debian users: first do apt-get +install libpam-dev +

      +[root\@yourserver root]# cd /usr/local/src/aolserver
      +[root\@yourserver aolserver]# tar xzf /tmp/ns_pam-0.1.tar.gz
      +[root\@yourserver aolserver]# cd nspam
      +[root\@yourserver nspam]# make
      +gcc -I/usr/include/pam -I/usr/local/aolserver/include -D_REENTRANT=1 
      +  -DNDEBUG=1 -g -fPIC -Wall -Wno-unused -mcpu=i686 -DHAVE_CMMSG=1 
      +  -DUSE_FIONREAD=1 -DHAVE_COND_EINTR=1   -c -o nspam.o nspam.c
      +nspam.c: In function `PamCmd':
      +nspam.c:107: warning: implicit declaration of function `Tcl_SetObjResult'
      +nspam.c:107: warning: implicit declaration of function `Tcl_NewIntObj'
      +gcc -I/usr/include/pam -I/usr/local/aolserver/include -D_REENTRANT=1 
      +  -DNDEBUG=1 -g -fPIC -Wall -Wno-unused -mcpu=i686 -DHAVE_CMMSG=1 
      +  -DUSE_FIONREAD=1 -DHAVE_COND_EINTR=1   -c -o pam_support.o pam_support.c
      +/bin/rm -f nspam.so
      +gcc -shared -nostartfiles -o nspam.so nspam.o pam_support.o -lpam
      +[root\@yourserver nspam]# make install
      +[root\@yourserver nspam]#
      +cd /usr/local/src/aolserver
      +tar xzf /tmp/ns_pam-0.1.tar.gz
      +cd nspam
      +make
      +make install
      +
      +
    2. +

      +Set up a PAM domain. A PAM domain is a set +of rules for granting privileges based on other programs. Each +instance of AOLserver uses a domain; different aolserver instances +can use the same domain but one AOLserver instance cannot use two +domains. The domain describes which intermediate programs will be +used to check permissions. You may need to install software to +perform new types of authentication.

        +
      • +

        RADIUS in PAM. 

          +
        1. +

          Untar the pam_radius tarball and compile and install. (more +information)

          +[root\@yourserver root]# cd /usr/local/src/
          +[root\@yourserver src]# tar xf /tmp/pam_radius-1.3.16.tar
          +[root\@yourserver src]# cd pam_radius-1.3.16
          +[root\@yourserver pam_radius-1.3.16]# make
          +cc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o
          +cc -Wall -fPIC   -c -o md5.o md5.c
          +ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so
          +[root\@yourserver pam_radius-1.3.16]# cp pam_radius_auth.so /lib/security/pam_radius_auth.so
          +[root\@yourserver pam_radius-1.3.16]#
          +cd /usr/local/src/
          +tar xf /tmp/pam_radius-1.3.16.tar
          +cd pam_radius-1.3.16
          +make
          +cp pam_radius_auth.so /lib/security/pam_radius_auth.so
          +

          Debian users: apt-get install +libpam-radius-auth +

          +
        2. +

          Set up the PAM domain. Recent PAM distributions have a different +file for each domain, all in /etc/pam.d. Previous PAM setups put all +domain configuration lines into a single file, /etc/pam.conf. On Red Hat, create the file +/etc/pam.d/service0 + with these +contents:

          +auth       sufficient   /lib/security/pam_radius_auth.so
          +
          +
        3. +

          Modify the AOLserver configuration file to use this PAM domain. +Edit the line

          +ns_param   PamDomain             "service0"
          +

          So that the value of the parameter matches the name (just the +file name, not the fully pathed name) of the domain file in

          +/etc/pam.d/
          +
          +
        4. +
        +
      • +LDAP in PAM. more information +

      • +
      +
    3. +

      Modify the AOLserver configuration file to support +ns_pam. 

      In /var/lib/aolserver/service0/etc/config.tcl, enable +the nspam module by uncommenting this line:

      +ns_param   nspam           ${bindir}/nspam.so
      +
      +
    4. +
    +
  2. +Install auth-pam OpenACS service +package. Installauth-pam and +restart the server.

  3. +

    +Create an OpenACS +authority. OpenACS supports multiple authentication +authorities. The OpenACS server itself is the "Local +Authority," used by default.

      +
    1. Browse to the authentication administration page, http://yourserver/acs-admin/auth/ +. Create and name an +authority (in the sitewide admin UI)

    2. Set Authentication to PAM.

    3. If the PAM domain defines a password command, you can set Password +Management to PAM. If not, the PAM module cannot change the +user's password and you should leave this option Disabled.

    4. Leave Account Registration disabed.

    5. Configure Batch +Synchronization

    6. +
    +
  4. +
+
+ + \ No newline at end of file
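Review bot: the PAM domain file in the RADIUS step, `/etc/pam.d/service0` with the single line `auth       sufficient   /lib/security/pam_radius_auth.so`, is the one security-relevant configuration in this page and it is under-specified: nothing after the `sufficient` entry terminates the stack (add a closing `auth required pam_deny.so` so the domain fails closed if the file is later edited), and the section never tells the reader to configure the RADIUS server address and shared secret that pam_radius_auth needs, nor to keep the file holding that secret readable by root only; add that as a step before "Modify the AOLserver configuration file to use this PAM domain". The sentence "due to security issues, the AOLserver PAM module cannot be used for local password authentication" states a restriction without its reason; say what the issue is so administrators do not try to work around it. The two build transcripts (`make` / `make install` for nspam, and `make` / `cp pam_radius_auth.so ...` for pam_radius) are each followed by a second copy of the same commands without prompts; keep one form. Typos: "authetication", "PAM is system of modular support", "Installauth-pam", "disabed".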