Index: openacs-4/packages/acs-core-docs/www/install-pam-radius.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/install-pam-radius.html,v diff -u -r1.1.2.2 -r1.1.2.3 --- openacs-4/packages/acs-core-docs/www/install-pam-radius.html 22 Oct 2004 02:38:14 -0000 1.1.2.2 +++ openacs-4/packages/acs-core-docs/www/install-pam-radius.html 1 Nov 2004 23:39:49 -0000 1.1.2.3 @@ -1,30 +1,35 @@ -Install LDAP for use as external authentication

Install LDAP for use as external authentication

By Malte Sussdorff

+Install PAM Radius for use as external authentication

Install PAM Radius for use as external authentication

By Malte Sussdorff

OpenACS docs are written by the named authors, and may be edited by OpenACS documentation staff. -

This step by step guide on how to use LDAP for external authentication using the LDAP bind command, which differs from the approach usually taken by auth-ldap. Both will be dealt with in these section

  1. Install openldap.�Download and install ns_ldap

    [root aolserver]# cd /usr/local/src/
    -          [root src]# wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.2.17.tgz
    -          [root src]# tar xvfz openldap-2.2.17.tgz
    -          [root src]# cd openldap-2.2.17
    -          [root src]# ./configure --prefix=/usr/local/openldap
    -          [root openldap]# make install
    -          [root openldap]#
    -cd /usr/local/src/
    -wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.2.17.tgz
    -tar xvfz openldap-2.2.17.tgz
    -cd openldap-2.2.17
    -./configure --prefix=/usr/local/openldap --disable-slapd
    -make install
    -
    -          
  2. Install ns_ldap.�Download and install ns_ldap

    [root aolserver]# cd /usr/local/src/aolserver/
    -          [root aolserver]# wget http://www.sussdorff.de/ressources/nsldap.tgz
    -          [root aolserver]# tar xfz nsldap.tgz
    -          [root aolserver]# cd nsldap
    -          [root ns_pam-0.1]# make install LDAP=/usr/local/openldap INST=/usr/local/aolserver
    +        

This step by step guide is derived from the installation instructions which you can find at yourdomain.com/doc/acs-authentication/ext-auth-pam-install.html. It is build upon PAM 0.77 (tested) and does not work on RedHat Linux Enterprise 3 (using PAM 0.75). It makes use of the ns_pam module written by Mat Kovach. The instructions given in here do work with PAM LDAP accordingly and differences will be shown at the end of the file.

  1. Install ns_pam.�Download and install ns_pam

    [root aolserver]# cd /usr/local/src/aolserver/
    +          [root aolserver]# wget http://braindamage.alal.com/software/ns_pam-0.1.tar.gz
    +          [root aolserver]# tar xvfz ns_pam-0.1.tar.gz
    +          [root aolserver]# cd ns_pam-0.1
    +          [root ns_pam-0.1]# make install INST=/usr/local/aolserver
               [root ns_pam-0.1]#
     cd /usr/local/src/aolserver/
    -wget http://www.sussdorff.de/resources/nsldap.tgz
    -tar xfz nsldap.tgz
    -cd nsldap
    -make install LDAP=/usr/local/openldap INST=/usr/local/aolserver
    +wget http://braindamage.alal.com/software/ns_pam-0.1.tar.gz
    +tar xvfz ns_pam-0.1.tar.gz
    +cd ns_pam-0.1
    +make install INST=/usr/local/aolserver
     
    -          
  2. Configure ns_ldap for traditional use.�

    Traditionally OpenACS has supported ns_ldap for authentification by storing the OpenACS password in an encrypted field within the LDAP server called "userPassword". Furthermore a CN field was used for searching for the username, usually userID or something similar. This field is identical to the usernamestored in OpenACS. Therefore the login will only work if you change login method to make use of the username instead.

    • Change config.tcl. Remove the # in front of ns_param nsldap ${bindir}/nsldap.so to enable the loading of the ns_ldap module.
  3. Configure ns_ldap for use with LDAP bind.�

    LDAP authentication usually is done by trying to bind (aka. login) a user with the LDAP server. The password of the user is not stored in any field of the LDAP server, but kept internally. The latest version of ns_ldap supports this method with the <emphasize>ns_ldap bind</emphasize> command. All you have to do to enable this is to configure auth_ldap to make use of the BIND authentification instead. Alternatively you can write a small script on how to calculate the username out of the given input (e.g. if the OpenACS username is malte.fb03.tu, the LDAP request can be translated into "ou=malte,ou=fb03,o=tu" (this example is encoded in auth_ldap and you just have to comment it out to make use of it).

View comments on this page at openacs.org
+
  • Configure ns_pam.�Configure AOLserver for ns_pam

    To enable ns_pam in AOLServer you will first have to edit your config.tcl file and enable the loading of the ns_pam module and configure the aolservers pam configuration file.

    • Change config.tcl. Remove the # in front of ns_param nspam ${bindir}/nspam.so to enable the loading of the ns_pam module.
    • Change config.tcl. Replace pam_domain in the section ns/server/${server}/module/nspam with aolserver
    • Create /etc/pam.d/aolserver. +
      +              [root ns_pam]#cp /var/lib/aolserver/service0/packages/acs-core-docs/www/files/pam-aolserver.txt /etc/pam.d/aolserver
      +            
  • Configure PAM Radius.�Configure and install PAM Radius

    You have to make sure that pam_radius v.1.3.16 or higher is installed, otherwise you will have to install it.

    [root ns_pam]# cd /usr/local/src/
    +          [root src]# wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.16.tar
    +          [root src]# tar xvf pam_radius-1.3.16
    +          [root src]# cd pam_radius
    +          [root pam_radius]# make
    +          [root pam_radius]# cp pam_radius_auth.so /lib/security/
    +          [root pam_radius]#
    +cd /usr/local/src
    +wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.16.tar
    +tar xvf pam_radius-1.3.16
    +cd pam_radius
    +make
    +cp pam_radius_auth.so /lib/security/
    +
    +          

    Next you have to add the configuration lines to your Radius configuration file (/etc/rddb/server). For AOLserver to be able to access this information you have to change the access rights to this file as well.

    [root pam_radius]# echo "radius.yourdomain.com:1645 your_radius_password >>/etc/rddb/server
    +          [root src]# chown service0:web /etc/rddb/server
    +          
  • View comments on this page at openacs.org
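Review bot: the command `[root pam_radius]# echo "radius.yourdomain.com:1645 your_radius_password >>/etc/rddb/server` is missing its closing double quote, so as typed the shell never terminates the string and the `>>` redirection is swallowed into the quoted text instead of appending to the file; it should read `echo "radius.yourdomain.com:1645 your_radius_password" >> /etc/rddb/server`. The following `chown service0:web /etc/rddb/server` hands the RADIUS shared secret to the web service account but sets no file mode, so depending on the umask in effect the file can remain world-readable; a `chmod 640 /etc/rddb/server` (or stricter) after the chown would keep the secret limited to that user and group. Two smaller consistency points in the same hunk: the `tar xvf pam_radius-1.3.16` lines omit the `.tar` suffix of the file fetched by the preceding `wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.16.tar`, and the prompt on the chown line reverts to `[root src]#` although the preceding commands run from the pam_radius directory.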