Pass-through authentication forwards an authentication request from one server to another service.
Many systems already have authentication mechanisms in place for Unix and Linux users. One of the most common authentication frameworks is Pluggable Authentication Modules (PAM). Since many networks already have existing authentication services available, administrators may want to continue using those services. A PAM module can be configured to tell Directory Server to use an existing authentication store for LDAP clients.
PAM pass-through authentication in Red Hat Directory Server uses the PAM Pass-through Authentication Plug-in, which enables the Directory Server to talk to the PAM service to authenticate LDAP clients.
PAM pass-through authentication works together with account inactivation when authenticating users, assuming that the appropriate mapping method (ENTRY) is used. However, PAM pass-through authentication does not validate passwords against password policies set either globally or locally, because the passwords are set and stored in the PAM module, not in the Directory Server.
There are three different areas that can be configured for PAM pass-through:
- The suffixes that are controlled by the PAM pass-through authentication plug-in. This covers suffixes to exclude, suffixes to include, and how to handle a missing suffix.
- The PAM attribute mapping. The credentials that are offered to the Directory Server have to be mapped in some way to an LDAP entry and then, back to the credentials in the PAM service. This is done by defining a mapping method and then, optionally, which LDAP attribute to use to match the credentials.
- General configuration such as using SSL connections, the PAM service to use, and whether to fall back to LDAP authentication if PAM authentication fails.
Table 13.5. PAM Pass-through Auth Plug-in Attributes
| Attribute | Definition |
|---|---|
| pamExcludeSuffix | Identifies suffixes to exclude from PAM authentication. |
| pamIncludeSuffix | Identifies suffixes to include for PAM authentication. |
| pamMissingSuffix | Identifies how to handle missing include or exclude suffixes. The options are ERROR, which causes the bind operation to fail; ALLOW, which logs an error but allows the operation to proceed; and IGNORE, which allows the operation and does not log any errors. |
| pamIDAttr | Sets the name of the attribute holding the PAM ID. |
| pamIDMapMethod | Gives the method to use to map the LDAP bind DN to a PAM identity. NOTE: Directory Server user account inactivation is only validated using the ENTRY mapping method. With RDN or DN, a Directory Server user whose account is inactivated can still bind to the server successfully. |
| pamFallback | Sets whether to fall back to regular LDAP authentication if PAM authentication fails. |
| pamSecure | Requires a secure (TLS/SSL) connection for PAM authentication. |
| pamService | Contains the service name to pass to PAM. This assumes that the service specified has a configuration file in /etc/pam.d. |
The PAM PTA plug-in is applied globally, to all subtrees, by default unless they are explicitly excluded. Excluding and including subtrees can help target what areas in the directory use PAM authentication instead of LDAP authentication.
The pamExcludeSuffix attribute excludes a suffix. By default, only the configuration subtree (cn=config) is excluded. Alternatively, the PAM PTA plug-in can be applied to a subtree with the pamIncludeSuffix attribute. Both of these attributes are multi-valued.
If the include attribute is set, for example, all other subtrees are automatically excluded. Likewise, if an exclude attribute is set, all other suffixes are automatically included.
```ldif
pamExcludeSuffix: cn=config
pamExcludeSuffix: o=NetscapeRoot
```
With pamIncludeSuffix, only the given subtree is included and all others are automatically excluded. Since this attribute is multi-valued, more than one suffix can be included in the PAM evaluation by explicitly listing the suffixes.
```ldif
pamIncludeSuffix: ou=Engineering,dc=example,dc=com
pamIncludeSuffix: ou=QE,dc=example,dc=com
```
The pamMissingSuffix attribute tells the server how to handle a failure if the specified suffix (include or exclude) does not exist. If it is set to IGNORE, then if the suffix does not exist, the plug-in simply skips that suffix and tries the next.
```ldif
pamMissingSuffix: IGNORE
pamIncludeSuffix: ou=Engineering,dc=example,dc=com
pamIncludeSuffix: ou=Not Real,dc=example,dc=com
```
There has to be a way to connect the LDAP identity to the PAM identity. The first thing to define is the method to use to map the entries. There are three options: DN, RDN, and ENTRY. ENTRY uses a user-defined attribute in the entry.
Multiple mapping methods can be supplied in an ordered, space-separated list. The plug-in attempts to use each mapping method in the order listed until authentication succeeds or until it reaches the end of the list.
For example, this mapping method first tries the RDN method, then ENTRY, then DN, in the order the methods are listed:
```ldif
pamIDMapMethod: RDN ENTRY DN
```
The different mapping methods are listed in Table 13.6, “Mapping Methods for PAM Authentication”.
NOTE: Directory Server user account inactivation is only validated using the ENTRY mapping method. With RDN or DN, a Directory Server user whose account is inactivated can still bind to the server successfully.
Table 13.6. Mapping Methods for PAM Authentication
| Mapping | Description |
|---|---|
| RDN | This method uses the value from the leftmost RDN in the bind DN. The mapping for this method is defined by Directory Server. This is the default mapping method, if none is given. |
| ENTRY | This method pulls the value of the PAM identity from a user-defined attribute in the bind DN entry. The identity attribute is defined in the pamIDAttr attribute, for example: pamIDAttr: customPamUid |
| DN | This method uses the full distinguished name from the bind DN. The mapping for this method is defined by Directory Server. |
Three general configuration settings can be set for PAM authentication:
- The service name to send to PAM (pamService); this is the name of the configuration file to use in /etc/pam.d
- Whether to require a secure connection (pamSecure)
- Whether to fall back to LDAP authentication if PAM authentication fails (pamFallback)
```ldif
pamFallback: false
pamSecure: false
pamService: ldapserver
```
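As an added example that is not Directory Server code and not part of this document, the following Python model reproduces the bind decision described in the suffix, mapping-method and general-settings sections above: which binds PAM handles, how each pamIDMapMethod value derives a PAM login name, and when pamFallback lets the LDAP password count. The PAM user store, the directory entries and the list of existing subtrees are constructed stand-ins, and giving an exclude precedence over an include when both match is an assumption.

```python
# Added model (not Directory Server code) of the bind decision the PAM PTA plug-in makes, as described above.
PAM_USERS = {"jsmith": "pam-secret"}  # constructed stand-in for the "ldapserver" PAM service
ENTRIES = {  # constructed directory entries, keyed by normalized DN
    "uid=jsmith,ou=engineering,dc=example,dc=com": {"userPassword": "ldap-secret", "customPamUid": "jsmith"},
    "uid=bob,ou=people,dc=example,dc=com": {"userPassword": "bob-secret"},
}
SUBTREES = ["cn=config", "ou=People,dc=example,dc=com", "ou=Engineering,dc=example,dc=com"]  # constructed

def _norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))
def _under(dn, suffix):
    return _norm(dn) == _norm(suffix) or _norm(dn).endswith("," + _norm(suffix))

def pam_applies(bind_dn, cfg):
    """Apply pamIncludeSuffix/pamExcludeSuffix; a configured suffix the server does not
    hold is handled per pamMissingSuffix (ERROR fails the bind, ALLOW/IGNORE skip it)."""
    present = {"pamIncludeSuffix": [], "pamExcludeSuffix": []}
    for attr in present:
        for sfx in cfg.get(attr, []):
            if any(_norm(sfx) == _norm(s) for s in SUBTREES):
                present[attr].append(sfx)
            elif cfg.get("pamMissingSuffix", "ERROR") == "ERROR":
                raise ValueError(f"bind fails: suffix {sfx} does not exist")
    if any(_under(bind_dn, s) for s in present["pamExcludeSuffix"]):
        return False
    if present["pamIncludeSuffix"]:  # an include list excludes everything else
        return any(_under(bind_dn, s) for s in present["pamIncludeSuffix"])
    return True  # the plug-in is global unless a suffix is excluded

def pam_identity(bind_dn, method, cfg):
    """Map the bind DN to a PAM login name with one pamIDMapMethod value."""
    if method == "RDN":  # value of the leftmost RDN
        return bind_dn.split(",", 1)[0].split("=", 1)[1]
    if method == "DN":  # the full bind DN
        return bind_dn
    if method == "ENTRY":  # the attribute named by pamIDAttr in the bind entry
        return ENTRIES.get(_norm(bind_dn), {}).get(cfg.get("pamIDAttr", ""))
    raise ValueError(f"unknown mapping method {method}")

def bind(bind_dn, password, cfg):
    """Return 'pam', 'ldap' or None according to which store accepted the credentials."""
    ldap_ok = ENTRIES.get(_norm(bind_dn), {}).get("userPassword") == password
    if not pam_applies(bind_dn, cfg):
        return "ldap" if ldap_ok else None
    for method in cfg.get("pamIDMapMethod", "RDN").split():  # try each method in order
        ident = pam_identity(bind_dn, method, cfg)
        if ident is not None and PAM_USERS.get(ident) == password:
            return "pam"
    return "ldap" if cfg.get("pamFallback") and ldap_ok else None  # only with pamFallback
```

Note that the model checks only passwords; as the text states, the LDAP password policy is never consulted for a PAM-authenticated bind, and account inactivation would be checked only on the ENTRY path.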
PAM pass-through authentication is configured through the command line.
- Make sure the PAM service is fully configured.
- Enable the plug-in; this is disabled by default.
```shell
/usr/lib64/mozldap/ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com
dn: cn=PAM Pass-through Auth Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
```
- Add or edit the attributes available for the PAM plug-in. The available attributes are listed in Table 13.5, “PAM Pass-through Auth Plug-in Attributes”, and Example 13.1, “Example PAM Pass-through Authentication Configuration”, shows an example entry.
- Restart the server to load the plug-in.
```shell
service dirsrv restart
```
Example 13.1. Example PAM Pass-through Authentication Configuration
```ldif
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginPath: libpam-passthru-plugin
nsslapd-pluginInitfunc: pam_passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginloadglobal: true
nsslapd-plugin-depends-on-type: database
pamMissingSuffix: ALLOW
pamExcludeSuffix: cn=config
pamExcludeSuffix: o=NetscapeRoot
pamIDMapMethod: RDN ou=people,dc=example,dc=com
pamIDMapMethod: ENTRY ou=engineering,dc=example,dc=com
pamIDAttr: customPamUid
pamFallback: FALSE
pamSecure: TRUE
pamService: ldapserver
```
