SUSE Manager/Authentication

From CoolSolutionsWiki

SUSE Manager Main Page

SUSE Manager - Authentication

PAM setup

As security measures become increasingly complex, SUSE Manager supports network-based authentication systems via Pluggable Authentication Modules (PAM). PAM is a suite of libraries that allows to integrate SUSE Manager with a centralized authentication mechanism, thus eliminating the need to remember multiple passwords.

SUSE Manager supports LDAP, Kerberos, and other network-based authentication systems via PAM. To enable SUSE Manager to use PAM in your organization's authentication infrastructure, follow the steps below.

Set up a PAM service file (usually /etc/pam.d/susemanager) and make SUSE Manager use it by adding the following line to /etc/rhn/rhn.conf:

 pam_auth_service = susemanager

This assumes the PAM service file is named susemanager.

To enable a user to authenticate against PAM, go to the Create User page and select the checkbox labeled Pluggable Authentication Modules (PAM) positioned below the password and password confirmation fields.

For a SUSE Linux Enterprise Server 11 SP1 system, to authenticate against Kerberos add the following lines to /etc/pam.d/susemanager:

 #%PAM-1.0
 auth     include        common-auth
 account  include        common-account
 password include        common-password
 session  include        common-session

Then YaST can be used to configure PAM, when packages such as yast2-ldap-client and yast2-kerberos-client are installed; for detailed information on configuring PAM, see the SUSE Linux Enterprise Server Security Guide. This example is not limited to Kerberos; it is generic and uses the current server configuration. Note that only network based authentication services are supported.

As an example for a Red Hat Enterprise Linux 5 i386 system, to authenticate against Kerberos add the following lines to /etc/pam.d/susemanager:

 #%PAM-1.0
 auth        required      pam_env.so
 auth        sufficient    pam_krb5.so no_user_check
 auth        required      pam_deny.so
 account     required      pam_krb5.so no_user_check


[Note] Changing Passwords

Changing the password on the SUSE Manager Web interface changes only the local password on the SUSE Manager server. But this password may not be used at all if PAM is enabled for that user. In the above example, for instance, the Kerberos password will not be changed.

AD - Active Directory

The (http://www.suse.de/~kkaempf/SUSE_Manager/SM_ADS_Integration_wiki.pdf SUSE Manager ADS Authentication) whitepaper explains the basic steps on how to delegate user authentication in SUSE Manager to a Microsoft Windows ADS domain.


A scenario to use pam_winbind for AD connection is available in the upstream project wiki: integrating-active-directory-authentication-with-spacewalk