https://www.labrats.us//wiki/index.php?action=history&feed=atom&title=User%3ASfiggins%2FRH-DS-PAM-PTA
User:Sfiggins/RH-DS-PAM-PTA - Revision history
2026-04-04T14:19:18Z
Revision history for this page on the wiki
MediaWiki 1.35.14
https://www.labrats.us//wiki/index.php?title=User:Sfiggins/RH-DS-PAM-PTA&diff=54&oldid=prev
Sfiggins: Created page with "=PAM Pass-through= ==Setup initial control files== <pre> # cat > /tmp/ldap-pam-on.ldif << 'EOF' dn: cn=PAM Pass Through Auth,cn=plugins,cn=config changetype: modify replace:..."
2018-12-13T15:28:06Z
<p>Created page with "=PAM Pass-through= ==Setup initial control files== <pre> # cat > /tmp/ldap-pam-on.ldif << 'EOF' dn: cn=PAM Pass Through Auth,cn=plugins,cn=config changetype: modify replace:..."</p>
<p><b>New page</b></p><div>=PAM Pass-through=<br />
<br />
==Setup initial control files==<br />
<br />
<pre><br />
# cat > /tmp/ldap-pam-on.ldif << 'EOF'<br />
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config<br />
changetype: modify<br />
replace: nsslapd-pluginEnabled<br />
nsslapd-pluginEnabled: on<br />
-<br />
replace: pamSecure<br />
pamSecure: FALSE<br />
-<br />
replace: pamFallback<br />
pamFallback: TRUE<br />
EOF<br />
<br />
# cat > /tmp/ldap-pam-off.ldif << 'EOF'<br />
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config<br />
changetype: modify<br />
replace: nsslapd-pluginEnabled<br />
nsslapd-pluginEnabled: off<br />
EOF<br />
<br />
# ldapsearch -cx -D "cn=Directory Manager" -W -b "cn=plugins,cn=config" -h localhost > /tmp/config.ldif.orig<br />
<br />
# ldapsearch -cx -D "cn=Directory Manager" -W -b "cn=PAM Pass Through Auth,cn=plugins,cn=config" -h localhost > /tmp/ldap-pam.ldif.orig<br />
</pre><br />
<br />
==/etc/pam.d/ldapserver Configuration for PAM-PTA==<br />
<br />
The '''/etc/pam.d/ldapserver''' file needs to look like this:<br />
<br />
<pre><br />
auth include password-auth<br />
<br />
account required pam_access.so accessfile=/etc/security/access.cron.conf<br />
<br />
password include system-auth<br />
<br />
session include system-auth<br />
</pre><br />
<br />
==Activate PAM-PTA==<br />
<br />
Apply the configuration with the following commands:<br />
<br />
<pre><br />
# ldapsearch -cx -D "cn=Directory Manager" -W -b "cn=plugins,cn=config" -h localhost > /tmp/config.ldif<br />
# ldapmodify -cx -D "cn=directory manager" -W -h localhost -f /tmp/ldap-pam-on.ldif<br />
</pre><br />
<br />
It is required to restart the Directory Server to apply the configuration.<br />
<br />
<pre><br />
# /etc/init.d/dirsrv restart<br />
</pre><br />
<br />
Get a dump of the current configuration settings:<br />
<br />
<pre><br />
# ldapsearch -cx -D "cn=Directory Manager" -W -b "cn=plugins,cn=config" -h localhost > /tmp/config.ldif<br />
<br />
# ldapsearch -cx -D "cn=Directory Manager" -W -b "cn=PAM Pass Through Auth,cn=plugins,cn=config" -h localhost > /tmp/ldap-pam.ldif<br />
</pre><br />
<br />
==Testing==<br />
<br />
Test binding with a simple LDAP search.<br />
<br />
<pre><br />
ldapsearch -cx -D "uid=tuser2,ou=user,dc=twtelecom,dc=net" -W -b "uid=tuser2,ou=user,dc=twtelecom,dc=net" -h localhost<br />
</pre><br />
<br />
Or using this script:<br />
<br />
<pre><br />
#!/usr/bin/perl<br />
<br />
use Net::LDAPS;<br />
<br />
$ldap_server="localhost";<br />
$user = "tuser2";<br />
$password = "JbUWP3TbwdHwNou";<br />
<br />
$ldap_user = "uid=$user,ou=user,dc=twtelecom,dc=net";<br />
$ldap = Net::LDAPS->new($ldap_server) || die "Unable to connect to $ldap_server: $!\n";<br />
$mesg = $ldap->bind($ldap_user, password => $password);<br />
if ($mesg->code) {<br />
print "Denied: ",$mesg->error,"\n";<br />
} else {<br />
print "Granted\n";<br />
}<br />
$mesg = $ldap->unbind;<br />
</pre><br />
<br />
This script needs to have '''perl-IO-Socket-SSL''' from yum and '''Net::LDAPS''' from CPAN.<br />
<br />
<pre><br />
# ./ldap-test.pl <br />
Granted<br />
</pre><br />
<br />
=PAM_RADIUS Module=<br />
<br />
ftp://ftp.is.co.za/mirror/fedora.redhat.com/epel/6/x86_64/pam_radius-1.3.17-2.el6.x86_64.rpm<br />
<br />
==Install PAM_RADIUS (via yum)==<br />
<br />
This is in the EPEL channel.<br />
<br />
<pre><br />
# yum install pam_radius<br />
Loaded plugins: product-id, rhnplugin, security, subscription-manager<br />
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.<br />
Setting up Install Process<br />
Resolving Dependencies<br />
--> Running transaction check<br />
---> Package pam_radius.x86_64 0:1.3.17-2.el6 will be installed<br />
--> Finished Dependency Resolution<br />
<br />
Dependencies Resolved<br />
<br />
==============================================================================================================================================<br />
Package Arch Version Repository Size<br />
==============================================================================================================================================<br />
Installing:<br />
pam_radius x86_64 1.3.17-2.el6 twtc_epel_rhel6_x86_64 26 k<br />
<br />
Transaction Summary<br />
==============================================================================================================================================<br />
Install 1 Package(s)<br />
<br />
Total download size: 26 k<br />
Installed size: 0 <br />
Is this ok [y/N]: y<br />
Downloading Packages:<br />
pam_radius-1.3.17-2.el6.x86_64.rpm | 26 kB 00:00 <br />
Running rpm_check_debug<br />
Running Transaction Test<br />
Transaction Test Succeeded<br />
Running Transaction<br />
Installing : pam_radius-1.3.17-2.el6.x86_64 1/1 <br />
<br />
Installed:<br />
pam_radius.x86_64 0:1.3.17-2.el6 <br />
<br />
Complete!<br />
</pre><br />
<br />
==/etc/pam_radius.conf==<br />
<br />
The '''/etc/pam_radius.conf''' file needs to look like this:<br />
<br />
<pre><br />
# pam_radius_auth configuration file. Copy to: /etc/pam_radius.conf<br />
#<br />
# For proper security, this file SHOULD have permissions 0600,<br />
# that is readable by root, and NO ONE else. If anyone other than<br />
# root can read this file, then they can spoof responses from the server!<br />
#<br />
# There are 3 fields per line in this file. There may be multiple<br />
# lines. Blank lines or lines beginning with '#' are treated as<br />
# comments, and are ignored. The fields are:<br />
#<br />
# server[:port] secret [timeout]<br />
#<br />
# the port name or number is optional. The default port name is<br />
# "radius", and is looked up from /etc/services The timeout field is<br />
# optional. The default timeout is 3 seconds.<br />
#<br />
# If multiple RADIUS server lines exist, they are tried in order. The<br />
# first server to return success or failure causes the module to return<br />
# success or failure. Only if a server fails to response is it skipped,<br />
# and the next server in turn is used.<br />
#<br />
# The timeout field controls how many seconds the module waits before<br />
# deciding that the server has failed to respond.<br />
#<br />
# server[:port] shared_secret timeout (s)<br />
<br />
66.162.108.21:1812 <secret_key> 3<br />
50.58.29.21:1812 <secret_key> 3<br />
<br />
<br />
#<br />
# having localhost in your radius configuration is a Good Thing.<br />
#<br />
# See the INSTALL file for pam.conf hints.<br />
</pre><br />
<br />
==/etc/pam.d/ldapserver Configuration for PAM_RADIUS==<br />
<br />
The '''/etc/pam.d/ldapserver''' configuration needs to look like this:<br />
<br />
<pre><br />
auth required pam_env.so<br />
auth sufficient pam_radius_auth.so conf=/etc/pam_radius_auth.conf debug<br />
auth required pam_deny.so<br />
<br />
account required pam_access.so accessfile=/etc/security/access.cron.conf<br />
<br />
password include system-auth<br />
<br />
session include system-auth<br />
</pre><br />
<br />
==Testing==<br />
<br />
Testing is the same as above.</div>
Sfiggins