8.6. Implementing PAM Authentication

Red Hat Satellite supports network-based authentication systems such as LDAP and Kerberos, using Pluggable Authentication Modules (PAM). PAM is a suite of libraries that helps system administrators integrate the Satellite with a centralized authentication mechanism, thus eliminating the need for remembering multiple passwords.

Note

To ensure that PAM authentication functions properly, install the pam-devel package.
# yum install pam-devel
Also make sure to update to the latest selinux-policy-targeted package.
# yum update selinux-policy-targeted

Procedure 8.1. Configuring Red Hat Satellite to use PAM

  1. Set the allow_httpd_mod_auth_pam SELinux boolean to on:
    # setsebool -P allow_httpd_mod_auth_pam 1
  2. Open the /etc/rhn/rhn.conf file in your preferred text editor, and add the following line:
    pam_auth_service = rhn-satellite
    Create a PAM service file in the /etc/pam.d/ directory:
    # touch /etc/pam.d/rhn-satellite
  3. Edit the file and add one of the following, depending on your authentication method:

    Example 8.1. SSSD Authentication

    #%PAM-1.0
    auth        required      pam_env.so
    auth        sufficient    pam_sss.so
    auth        required      pam_deny.so
    account     sufficient    pam_sss.so
    account     required      pam_deny.so
    

    Example 8.2. Kerberos Authentication

    #%PAM-1.0
    auth        required      pam_env.so
    auth        sufficient    pam_krb5.so no_user_check
    auth        required      pam_deny.so
    account     required      pam_krb5.so no_user_check
    

    Example 8.3. LDAP Authentication

    #%PAM-1.0
    auth          required      pam_env.so
    auth          sufficient    pam_ldap.so no_user_check
    auth          required      pam_deny.so
    account       required      pam_ldap.so no_user_check
    
    For more detail about configuring PAM, see the Pluggable Authentication Modules (PAM) in the Red Hat Enterprise Linux Deployment Guide.

    Note

    For Kerberos-authenticating users, change the password by using kpasswd. Do not change the password on Red Hat Satellite web application as this method only changes the local password on the Satellite server. Local passwords are not in use if PAM is enabled for that user.
  4. Restart the service to pick up the changes:
    # rhn-satellite restart
    
  5. To enable a user to authenticate against PAM, select the checkbox labeled Pluggable Authentication Modules (PAM). It is positioned below the password and password confirmation fields on the Create User page.