-Add PAM support to -AOLserver. OpenACS supports PAM support via -the PAM AOLserver module. PAM is system of modular support, and can -provide local (unix password), RADIUS, LDAP (more information), and other forms of +Add PAM support to AOLserver. OpenACS +supports PAM support via the PAM AOLserver module. PAM is system of +modular support, and can provide local (unix password), RADIUS, +LDAP (more information), and other forms of authentication. Note that due to security issues, the AOLserver PAM module cannot be used for local password authentication.
Compile
and install ns_pam. Download the tarball to /tmp
.
Debian users: first do apt-get
install libpam-dev
-
-[root\@yourserver root]#cd /usr/local/src/aolserver
+[root\@yourserver root]#cd /usr/local/src/aolserver
[root\@yourserver aolserver]#tar xzf /tmp/ns_pam-0.1.tar.gz
[root\@yourserver aolserver]#cd nspam
[root\@yourserver nspam]#make
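Review bot: the install steps in this hunk have root unpack /tmp/ns_pam-0.1.tar.gz and run make on it, with the tarball downloaded into world-writable /tmp and no integrity check in between. Add a step that verifies the download against a checksum or signature from its source, and do the unpack and build as an unprivileged user, keeping root for the install only. The re-wrapped lines also carry over "supports PAM support via" and "PAM is system of", which could be fixed while the paragraph is being touched.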
@@ -52,19 +55,18 @@
-Set up a PAM domain. A PAM domain -is a set of rules for granting privileges based on other programs. -Each instance of AOLserver uses a domain; different aolserver -instances can use the same domain but one AOLserver instance cannot -use two domains. The domain describes which intermediate programs -will be used to check permissions. You may need to install software -to perform new types of authentication.
RADIUS in PAM.
Untar the pam_radius tarball and compile and install. (more -information)
-[root\@yourserver root]#cd /usr/local/src/
+information)[root\@yourserver root]#cd /usr/local/src/
[root\@yourserver src]#tar xf /tmp/pam_radius-1.3.16.tar
[root\@yourserver src]#cd pam_radius-1.3.16
[root\@yourserver pam_radius-1.3.16]#make
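Review bot: the added line starting "+information)" joins the end of the sentence "(more information)" directly to the shell prompt and the cd /usr/local/src/ command, where the removed lines kept them apart. Keep the command session on its own line so that the prose does not run into the text readers copy.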
@@ -87,17 +89,12 @@ domain configuration lines into a single file,/etc/pam.conf
. On Red Hat, create the file/etc/pam.d/service0
with these -contents:-auth sufficient /lib/security/pam_radius_auth.so +contents:auth sufficient /lib/security/pam_radius_auth.so
Modify the AOLserver configuration file to use this PAM domain. -Edit the line
-ns_param PamDomain "service0"
-
So that the value of the parameter matches the name (just the -filename, not the fully pathed name) of the domain file in
-/etc/pam.d/ -+Edit the line
ns_param PamDomain "service0"
So that the value of the parameter matches the name (just the +filename, not the fully pathed name) of the domain file in
/etc/pam.d/
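Review bot: the /etc/pam.d/service0 contents given here are a single "auth sufficient" entry, so a rejected RADIUS login is denied only through PAM's handling of a stack that has no required module. Make the outcome explicit by marking pam_radius_auth.so as required, or by following it with "auth required pam_deny.so". The module path /lib/security/ is also hard-coded; a bare module name would let PAM resolve it from its default module directory.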
@@ -107,9 +104,7 @@
Modify the AOLserver configuration file to support ns_pam.
In /var/lib/aolserver/service0/etc/config.tcl
, enable
-the nspam module by uncommenting this line:
-ns_param nspam ${bindir}/nspam.so -+the nspam module by uncommenting this line:
ns_param nspam ${bindir}/nspam.so
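Review bot: the prose in this hunk calls the module ns_pam while the line to uncomment loads nspam from ${bindir}/nspam.so, and the text does not connect the two names. State once that ns_pam is the package and nspam.so is the module it builds, or use one name throughout, so a reader searching config.tcl knows which string to look for.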
@@ -118,9 +113,9 @@ restart the server.
Create an OpenACS -authority. OpenACS supports multiple -authentication authorities. The OpenACS server itself is the -"Local Authority," used by default.
Browse to the authentication administration page, http://yourserver/acs-admin/auth/
. Create and name an
authority (in the sitewide admin UI)
Set Authentication to PAM.
If the PAM domain defines a password
command, you can set Password
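Review bot: the administration URL in this hunk is written as http://yourserver/acs-admin/auth/, a plain-HTTP address for the page where authentication authorities are configured. Give it as https:// or add a sentence telling the reader to reach the admin pages over TLS.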