User:Sfiggins/RH-DS-PAM-PTA
From Labrats.us
PAM Pass-through
Set up initial control files

Two LDIF files drive the plugin: one switches PAM Pass Through Auth on and sets its two behaviour flags, the other switches it off again. Write both first, then take a baseline dump of the plugin configuration so that later changes can be diffed against it.

 # cat > /tmp/ldap-pam-on.ldif << 'EOF'
 dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
 changetype: modify
 replace: nsslapd-pluginEnabled
 nsslapd-pluginEnabled: on
 -
 replace: pamSecure
 pamSecure: FALSE
 -
 replace: pamFallback
 pamFallback: TRUE
 EOF

 # cat > /tmp/ldap-pam-off.ldif << 'EOF'
 dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
 changetype: modify
 replace: nsslapd-pluginEnabled
 nsslapd-pluginEnabled: off
 EOF

 # ldapsearch -cx -D "cn=Directory Manager" -W -b "cn=plugins,cn=config" -h localhost > /tmp/config.ldif.orig
 # ldapsearch -cx -D "cn=Directory Manager" -W -b "cn=PAM Pass Through Auth,cn=plugins,cn=config" -h localhost > /tmp/ldap-pam.ldif.orig

Know what the two flags mean before copying them. pamSecure: FALSE lets the plugin perform PAM authentication for binds that arrive over cleartext LDAP, so the user's password crosses the wire unencrypted unless the client uses LDAPS or STARTTLS. pamFallback: TRUE tells the server to fall back to an ordinary LDAP bind against the entry's userPassword when PAM rejects the credentials, which means a user with a directory password set can still bind without ever passing the PAM (later RADIUS) check. Both are convenient while testing; for production set pamSecure to TRUE and pamFallback to FALSE once the pass-through path is known to work.
/etc/pam.d/ldapserver Configuration for PAM-PTA
The /etc/pam.d/ldapserver file needs to look like this (ldapserver is the plugin's default pamService name, so the Directory Server runs this PAM stack for every pass-through bind):

 auth     include  password-auth
 account  required pam_access.so accessfile=/etc/security/access.cron.conf
 password include  system-auth
 session  include  system-auth

Only the auth and account phases matter for an LDAP bind. The auth phase here simply delegates to the system password-auth stack, so whatever modules that stack pulls in must be usable from the unprivileged ns-slapd process. The account phase consults pam_access with its own access file, so a user who authenticates but is not permitted by /etc/security/access.cron.conf is still refused the bind.
Activate PAM-PTA
Apply the configuration with the following commands:
 # ldapsearch -cx -D "cn=Directory Manager" -W -b "cn=plugins,cn=config" -h localhost > /tmp/config.ldif
 # ldapmodify -cx -D "cn=directory manager" -W -h localhost -f /tmp/ldap-pam-on.ldif
The Directory Server must be restarted for the plugin change to take effect:
# /etc/init.d/dirsrv restart
After the restart, dump the current configuration again and diff it against the .orig copies taken earlier; nsslapd-pluginEnabled, pamSecure and pamFallback should be the only attributes that changed:

 # ldapsearch -cx -D "cn=Directory Manager" -W -b "cn=plugins,cn=config" -h localhost > /tmp/config.ldif
 # ldapsearch -cx -D "cn=Directory Manager" -W -b "cn=PAM Pass Through Auth,cn=plugins,cn=config" -h localhost > /tmp/ldap-pam.ldif
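The dump above is only useful if someone reads it. The script below is an added example (not part of the original page) that parses the LDIF written to /tmp/ldap-pam.ldif, unfolding continuation lines and decoding base64 values, and reports whether the plugin is enabled and whether it still carries the permissive pamSecure: FALSE / pamFallback: TRUE combination. The file name and the exit-status convention are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original page: inspect the LDIF dump that the
# ldapsearch against "cn=PAM Pass Through Auth,cn=plugins,cn=config" writes to
# /tmp/ldap-pam.ldif and report whether the plugin is enabled and whether the
# pamSecure/pamFallback combination is the permissive one used during testing.
# Exit status of check_pta_config: 0 = enabled and hardened, 1 = disabled,
# 2 = enabled but with pamSecure FALSE and/or pamFallback TRUE.

# ldif_unfold FILE: join LDIF continuation lines (a line starting with one
# space continues the previous line) so every attribute sits on one line.
ldif_unfold() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' "$1"
}

# ldif_attr FILE ATTR: print the first value of ATTR (attribute names are
# case-insensitive), decoding a base64 value written as "attr:: ...".
ldif_attr() {
    local val
    val=$(ldif_unfold "$1" | awk -v want="$2" '
        BEGIN { want = tolower(want) }
        {
            n = index($0, ":")
            if (n == 0) next
            name = tolower(substr($0, 1, n - 1))
            v = substr($0, n + 1)
            sub(/^ +/, "", v)
            if (name == want) { print v; exit }
        }
    ')
    case "$val" in
        :*) printf '%s' "${val#:}" | tr -d ' ' | base64 -d ;;
        *)  printf '%s\n' "$val" ;;
    esac
}

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# check_pta_config FILE: see the exit-status contract above.
check_pta_config() {
    local file enabled secure fallback rc
    file=$1
    rc=0
    enabled=$(lc "$(ldif_attr "$file" nsslapd-pluginEnabled)")
    secure=$(lc "$(ldif_attr "$file" pamSecure)")
    fallback=$(lc "$(ldif_attr "$file" pamFallback)")

    if [ "$enabled" != "on" ]; then
        echo "PAM PTA plugin is disabled (nsslapd-pluginEnabled=${enabled:-unset})"
        return 1
    fi
    echo "PAM PTA plugin is enabled"
    if [ "$secure" != "true" ]; then
        echo "WARNING: pamSecure=${secure:-unset}: PAM binds are accepted over cleartext LDAP"
        rc=2
    fi
    if [ "$fallback" = "true" ]; then
        echo "WARNING: pamFallback=TRUE: a PAM failure falls back to the entry's userPassword"
        rc=2
    fi
    return $rc
}

# Usage: check_pta_config /tmp/ldap-pam.ldif
# Run with no argument, the script checks a constructed sample that mirrors
# the ldap-pam-on.ldif settings from this page (expected result: exit 2).
if [ -n "${1:-}" ]; then
    check_pta_config "$1"
else
    sample=$(mktemp)
    printf '%s\n' 'dn: cn=PAM Pass Through Auth,cn=plugins,cn=config' \
        'nsslapd-pluginEnabled: on' 'pamSecure: FALSE' 'pamFallback: TRUE' > "$sample"
    check_pta_config "$sample"
    rm -f "$sample"
fi
```

Run it as `sh check-pta.sh /tmp/ldap-pam.ldif` after the restart; a non-zero exit from a cron job or a deploy script is the cheapest way to notice that the test-time flags were never tightened.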
Testing
Test binding with a simple LDAP search as the user. -W prompts for the user's password, and because -x is a simple bind over plain LDAP on port 389 the password travels in the clear, which the pamSecure: FALSE setting above permits. The plugin hands the RDN value of the bind DN (tuser2) to PAM as the user name (the default pamIDMapMethod of RDN). A successful bind returns the entry; a rejected one prints ldap_bind: Invalid credentials (49).

 ldapsearch -cx -D "uid=tuser2,ou=user,dc=twtelecom,dc=net" -W -b "uid=tuser2,ou=user,dc=twtelecom,dc=net" -h localhost
Or using this script:
 #!/usr/bin/perl
 use strict;
 use warnings;
 use Net::LDAPS;

 my $ldap_server = "localhost";
 my $user        = "tuser2";
 my $password    = "JbUWP3TbwdHwNou";
 my $ldap_user   = "uid=$user,ou=user,dc=twtelecom,dc=net";

 # Net::LDAPS connects over TLS to port 636, so this exercises the encrypted
 # path. On failure new() returns undef and leaves the reason in $@, not $!.
 my $ldap = Net::LDAPS->new($ldap_server)
     || die "Unable to connect to $ldap_server: $@\n";

 # A simple bind as the user; the server routes it through PAM Pass Through Auth.
 my $mesg = $ldap->bind($ldap_user, password => $password);
 if ($mesg->code) {
     print "Denied: ", $mesg->error, "\n";
 } else {
     print "Granted\n";
 }
 $ldap->unbind;
This script needs the perl-IO-Socket-SSL package (from yum) and Net::LDAPS, which is part of the perl-ldap distribution on CPAN (packaged as perl-LDAP).
 # ./ldap-test.pl
 Granted

Note that while pamFallback is TRUE, "Granted" does not say which path accepted the password: if PAM refused it, the server quietly retried against the entry's userPassword. To test the PAM path specifically, use a test account that has no userPassword attribute, or set pamFallback to FALSE for the duration of the test.
PAM_RADIUS Module
ftp://ftp.is.co.za/mirror/fedora.redhat.com/epel/6/x86_64/pam_radius-1.3.17-2.el6.x86_64.rpm
Install PAM_RADIUS (via yum)
The package is in the EPEL channel (it shows up below from the local twtc_epel_rhel6_x86_64 mirror; the FTP URL above is the same RPM on a public mirror).
 # yum install pam_radius
 Loaded plugins: product-id, rhnplugin, security, subscription-manager
 This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
 Setting up Install Process
 Resolving Dependencies
 --> Running transaction check
 ---> Package pam_radius.x86_64 0:1.3.17-2.el6 will be installed
 --> Finished Dependency Resolution

 Dependencies Resolved

 ================================================================================
  Package         Arch        Version            Repository                Size
 ================================================================================
 Installing:
  pam_radius      x86_64      1.3.17-2.el6       twtc_epel_rhel6_x86_64    26 k

 Transaction Summary
 ================================================================================
 Install       1 Package(s)

 Total download size: 26 k
 Installed size: 0
 Is this ok [y/N]: y
 Downloading Packages:
 pam_radius-1.3.17-2.el6.x86_64.rpm                        |  26 kB     00:00
 Running rpm_check_debug
 Running Transaction Test
 Transaction Test Succeeded
 Running Transaction
   Installing : pam_radius-1.3.17-2.el6.x86_64                              1/1

 Installed:
   pam_radius.x86_64 0:1.3.17-2.el6

 Complete!
/etc/pam_radius.conf
The /etc/pam_radius.conf file needs to look like this. Replace each <secret_key> with the shared secret configured for this host on that RADIUS server, and keep the file at mode 0600, owned by root, for the reason the header comment gives: the shared secret is all an attacker needs to forge an Access-Accept.

 # pam_radius_auth configuration file.  Copy to: /etc/pam_radius.conf
 #
 # For proper security, this file SHOULD have permissions 0600,
 # that is readable by root, and NO ONE else.  If anyone other than
 # root can read this file, then they can spoof responses from the server!
 #
 # There are 3 fields per line in this file.  There may be multiple
 # lines.  Blank lines or lines beginning with '#' are treated as
 # comments, and are ignored.  The fields are:
 #
 #   server[:port] secret [timeout]
 #
 # the port name or number is optional.  The default port name is
 # "radius", and is looked up from /etc/services.  The timeout field is
 # optional.  The default timeout is 3 seconds.
 #
 # If multiple RADIUS server lines exist, they are tried in order.  The
 # first server to return success or failure causes the module to return
 # success or failure.  Only if a server fails to respond is it skipped,
 # and the next server in turn is used.
 #
 # The timeout field controls how many seconds the module waits before
 # deciding that the server has failed to respond.
 #
 # server[:port]        shared_secret    timeout (s)
 66.162.108.21:1812     <secret_key>     3
 50.58.29.21:1812       <secret_key>     3
 #
 # having localhost in your radius configuration is a Good Thing.
 #
 # See the INSTALL file for pam.conf hints.
/etc/pam.d/ldapserver Configuration for PAM_RADIUS
The /etc/pam.d/ldapserver configuration needs to look like this:

 auth     required   pam_env.so
 auth     sufficient pam_radius_auth.so conf=/etc/pam_radius_auth.conf debug
 auth     required   pam_deny.so
 account  required   pam_access.so accessfile=/etc/security/access.cron.conf
 password include    system-auth
 session  include    system-auth

Three things to check before relying on this stack. First, the conf= argument must name the file you actually populated: the section above puts the servers in /etc/pam_radius.conf, and the module only reads the path it is given, so either point conf= at /etc/pam_radius.conf or keep the two paths in step. Second, the auth phase is now "RADIUS or nothing": pam_radius_auth.so is sufficient, so an Access-Accept ends the phase successfully, and the trailing pam_deny.so rejects everything else; the local password-auth stack from the earlier configuration is no longer consulted. Third, debug makes the module log each request and reply to syslog; remove it once the exchange works.
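The path mismatch and the file-permission rule are the two mistakes that silently turn this stack into "deny everyone" or "trust anyone with read access". The script below is an added example, not from the original page, that checks the pam_radius configuration file against the PAM service file that loads it: the conf= path must match, the file must be mode 0600 and owned by the expected user, and every server line must have a real secret (not the <secret_key> placeholder) and an integer timeout. The function names and the optional owner argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page. Cross-checks the pam_radius
# configuration file against the PAM service file that loads it:
#   1. the conf= argument on the pam_radius_auth.so auth line must name the
#      file that was actually edited (this page edits /etc/pam_radius.conf);
#   2. that file must be mode 0600 and owned by the expected user, because
#      anyone who can read the shared secret can forge RADIUS replies;
#   3. every server line must be "server[:port] secret [timeout]" with a real
#      secret (not the <secret_key> placeholder) and an integer timeout.
# check_radius_conf returns the number of problems found (0 = clean).

# conf_path_from_pam PAMFILE: print the conf= argument of the pam_radius_auth.so
# auth line, or nothing if there is no such line or no such argument.
conf_path_from_pam() {
    awk '
        $1 == "auth" && $3 ~ /pam_radius_auth\.so$/ {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^conf=/) { print substr($i, 6); exit }
        }
    ' "$1"
}

# check_radius_conf CONF PAMFILE [OWNER]   (OWNER defaults to root)
check_radius_conf() {
    local conf pamfile owner problems referenced mode fowner servers line n
    conf=$1; pamfile=$2; owner=${3:-root}
    problems=0

    referenced=$(conf_path_from_pam "$pamfile")
    if [ -z "$referenced" ]; then
        echo "PROBLEM: no 'auth ... pam_radius_auth.so conf=...' line in $pamfile"
        problems=$((problems + 1))
    elif [ "$referenced" != "$conf" ]; then
        echo "PROBLEM: $pamfile loads conf=$referenced, but the file edited is $conf"
        problems=$((problems + 1))
    fi

    if [ ! -f "$conf" ]; then
        echo "PROBLEM: $conf does not exist"
        return $((problems + 1))
    fi
    mode=$(stat -c '%a' "$conf")
    fowner=$(stat -c '%U' "$conf")
    if [ "$mode" != "600" ]; then
        echo "PROBLEM: $conf is mode $mode; it holds shared secrets and must be 0600"
        problems=$((problems + 1))
    fi
    if [ "$fowner" != "$owner" ]; then
        echo "PROBLEM: $conf is owned by $fowner, expected $owner"
        problems=$((problems + 1))
    fi

    servers=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line%%#*}               # drop comments
        set -f; set -- $line; set +f   # split into fields without globbing
        if [ $# -eq 0 ]; then continue; fi
        if [ $# -lt 2 ] || [ $# -gt 3 ]; then
            echo "PROBLEM: $conf line $n: expected 'server[:port] secret [timeout]'"
            problems=$((problems + 1))
            continue
        fi
        if [ "$2" = "<secret_key>" ]; then
            echo "PROBLEM: $conf line $n: placeholder secret for $1 was never replaced"
            problems=$((problems + 1))
        fi
        if [ $# -eq 3 ]; then
            case $3 in
                *[!0-9]*|"") echo "PROBLEM: $conf line $n: timeout '$3' is not an integer"
                             problems=$((problems + 1)) ;;
            esac
        fi
        servers=$((servers + 1))
    done < "$conf"
    if [ "$servers" -eq 0 ]; then
        echo "PROBLEM: $conf lists no RADIUS servers"
        problems=$((problems + 1))
    fi
    return $problems
}

# Usage: sh check-radius.sh /etc/pam_radius.conf /etc/pam.d/ldapserver
if [ $# -ge 2 ]; then
    check_radius_conf "$1" "$2" && echo "OK"
fi
```

Run it as root against the two real files; the first argument is the file you edited, and the check fails if the PAM line points anywhere else, which is exactly the disagreement between /etc/pam_radius.conf and conf=/etc/pam_radius_auth.conf on this page.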
Testing
Testing is the same as above. A bind now succeeds only when a RADIUS server returns Access-Accept for the user's credentials, with one exception: while pamFallback is still TRUE on the plugin, a RADIUS rejection falls back to the entry's userPassword. Verify the RADIUS path with an account that has no userPassword, or set pamFallback to FALSE before calling the setup done.