OpenACS supports PAM authentication via the ns_pam module in AOLserver.

Add PAM support to AOLserver. OpenACS supports PAM via the AOLserver PAM module. PAM is a modular authentication system and can provide local (unix password), RADIUS, LDAP, and other forms of authentication. Note that due to security issues, the AOLserver PAM module cannot be used for local password authentication.
Compile and install ns_pam. Download the tarball to /tmp. Debian users: first do apt-get install libpam-dev
    [root@yourserver root]# cd /usr/local/src/aolserver
    [root@yourserver aolserver]# tar xzf /tmp/ns_pam-0.1.tar.gz
    [root@yourserver aolserver]# cd nspam
    [root@yourserver nspam]# make
    gcc -I/usr/include/pam -I/usr/local/aolserver/include -D_REENTRANT=1 -DNDEBUG=1 -g -fPIC -Wall -Wno-unused -mcpu=i686 -DHAVE_CMMSG=1 -DUSE_FIONREAD=1 -DHAVE_COND_EINTR=1 -c -o nspam.o nspam.c
    nspam.c: In function `PamCmd':
    nspam.c:107: warning: implicit declaration of function `Tcl_SetObjResult'
    nspam.c:107: warning: implicit declaration of function `Tcl_NewIntObj'
    gcc -I/usr/include/pam -I/usr/local/aolserver/include -D_REENTRANT=1 -DNDEBUG=1 -g -fPIC -Wall -Wno-unused -mcpu=i686 -DHAVE_CMMSG=1 -DUSE_FIONREAD=1 -DHAVE_COND_EINTR=1 -c -o pam_support.o pam_support.c
    /bin/rm -f nspam.so
    gcc -shared -nostartfiles -o nspam.so nspam.o pam_support.o -lpam
    [root@yourserver nspam]# make install
    [root@yourserver nspam]#

The same steps, without the output, for copy and paste:

    cd /usr/local/src/aolserver
    tar xzf /tmp/ns_pam-0.1.tar.gz
    cd nspam
    make
    make install
Set up a PAM domain. A PAM domain is a set of rules for granting privileges based on other programs. Each instance of AOLserver uses one domain; different AOLserver instances can share the same domain, but one AOLserver instance cannot use two domains. The domain describes which intermediate programs (PAM modules) will be used to check credentials. You may need to install additional software to perform new types of authentication.
RADIUS in PAM. Untar the pam_radius tarball, then compile and install it.
    [root@yourserver root]# cd /usr/local/src/
    [root@yourserver src]# tar xf /tmp/pam_radius-1.3.16.tar
    [root@yourserver src]# cd pam_radius-1.3.16
    [root@yourserver pam_radius-1.3.16]# make
    cc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o
    cc -Wall -fPIC -c -o md5.o md5.c
    ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so
    [root@yourserver pam_radius-1.3.16]# cp pam_radius_auth.so /lib/security/pam_radius_auth.so
    [root@yourserver pam_radius-1.3.16]#

The same steps, without the output, for copy and paste:

    cd /usr/local/src/
    tar xf /tmp/pam_radius-1.3.16.tar
    cd pam_radius-1.3.16
    make
    cp pam_radius_auth.so /lib/security/pam_radius_auth.so
Debian users: apt-get install libpam-radius-auth
Set up the PAM domain. Recent PAM distributions have a separate file for each domain, all in /etc/pam.d. Older PAM setups put all domain configuration lines into a single file, /etc/pam.conf. On Red Hat, create the file /etc/pam.d/service0 with these contents:

    auth sufficient /lib/security/pam_radius_auth.so
Modify the AOLserver configuration file to use this PAM domain. Edit the line

    ns_param PamDomain "service0"

so that the value of the parameter matches the name (just the file name, not the full path) of the domain file in /etc/pam.d/.
LDAP in PAM.
Modify the AOLserver configuration file to support ns_pam. In /var/lib/aolserver/service0/etc/config.tcl, enable the nspam module by uncommenting this line:

    ns_param nspam ${bindir}/nspam.so
Install the auth-pam OpenACS service package. Install auth-pam and restart the server.
Create an OpenACS authority. OpenACS supports multiple authentication authorities. The OpenACS server itself is the "Local Authority," used by default.
Browse to the authentication administration page, http://yourserver/acs-admin/auth/. Create and name an authority (in the sitewide admin UI).

Set Authentication to PAM.
If the PAM domain defines a password command, you can set Password Management to PAM. If not, the PAM module cannot change the user's password and you should leave this option Disabled.

Leave Account Registration disabled.
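A configuration check for the steps above, added here as an example and not part of the OpenACS documentation or the ns_pam module: it reads a config.tcl fragment and the /etc/pam.d domain files (both constructed inline, as a real check would read them from disk) and reports whether PamDomain is a bare file name that exists, whether the nspam module line is uncommented, whether the domain relies on local unix passwords (which the text says the AOLserver PAM module cannot be used for), and whether the domain defines a password line, which decides the Password Management setting. The function names and the second domain, service1, are this example's own.

```python
import re

# Constructed sample inputs (not copied from any real host): an AOLserver
# config.tcl fragment and the contents of two /etc/pam.d domain files.
CONFIG_TCL = """
ns_section ns/server/${server}/modules
ns_param nspam ${bindir}/nspam.so
ns_section ns/server/${server}/module/nspam
ns_param PamDomain "service0"
"""
PAM_DOMAINS = {
    "service0": "auth sufficient /lib/security/pam_radius_auth.so\n",
    "service1": "auth required pam_unix.so\npassword required pam_unix.so\n",
}

def pam_domain_name(config_tcl):
    """Return the PamDomain value set in config.tcl, or None if absent."""
    m = re.search(r'^\s*ns_param\s+PamDomain\s+"?([^"\s]+)"?', config_tcl, re.M)
    return m.group(1) if m else None

def nspam_module_enabled(config_tcl):
    """True if the nspam module line is present and not commented out."""
    return re.search(r"^\s*ns_param\s+nspam\s+\S*nspam\.so", config_tcl, re.M) is not None

def pam_lines(domain_text, kind):
    """Return the lines of one PAM type (auth, password, ...) from a domain file."""
    return [l for l in domain_text.splitlines() if l.split() and l.split()[0] == kind]

def check_domain(domain, domains):
    """Findings for the domain AOLserver will use; an empty list means it looks sound."""
    findings = []
    if domain is None:
        return ["PamDomain is not set in config.tcl"]
    if "/" in domain:
        findings.append("PamDomain must be a bare file name in /etc/pam.d, not a path")
        domain = domain.rsplit("/", 1)[-1]
    if domain not in domains:
        return findings + [f"/etc/pam.d/{domain} does not exist"]
    auth = pam_lines(domains[domain], "auth")
    if not auth:
        findings.append(f"/etc/pam.d/{domain} has no auth line")
    if any("pam_unix" in l for l in auth):
        findings.append(f"/etc/pam.d/{domain} uses local unix passwords, which ns_pam cannot be used for")
    return findings

def password_management_possible(domain, domains):
    """True only if the domain defines a password line, so Password Management may be set to PAM."""
    return bool(pam_lines(domains.get(domain, ""), "password"))
```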