Deployment and configuration
We can install the PAM Password Synchronizer using the Security Directory Integrator installer wizard. After the installation is complete, use the instructions in the following sections for the deployment steps that are required for the PAM Password Synchronizer.
Password Synchronizer registration for UNIX and Linux plug-in within PAM
Configure the PAM Password Synchronizer using the template configuration file TDI_install_dir/pwd_plugins/pam/pwsync.props.
To register the plug-in, edit the PAM configuration file. The following table shows the standard location of PAM configuration files on various platforms. Depending on your individual PAM configuration, the PAM password module configuration can be in a different file. Check with your system administrator if these files do not exist, or if the added Password Synchronization module is not started.
Note: The /etc/pam.conf configuration file is used in the older versions of PAM on UNIX. This file is now deprecated and all PAM configuration files are now in /etc/pam.d for the modules that rely on PAM. You must store the PAM configuration file for the password change module in this directory.
The primary component of external system configuration is the PAM configuration file. Since the purpose of the plug-in is to intercept password events, add a registration line as shown in the following table to the PAM configuration file. If the PAM module is being stacked with other PAM modules, the Security module must be the last module in the stack. This way, the module can be sure that all previous required modules returned a success status before PAM calls the Security module.
OS: AIX 6.1 or greater
PAM configuration file: /etc/pam.conf
PAM plug-in registration line:
passwd password required TDI_Plugin_Root/pwd_plugins/pam/libpamtivoli.so use_first_pass TDI_Plugin_Root/pwd_plugins/pam/pwsync.props

OS: Solaris 10
PAM configuration file: /etc/pam.conf or /etc/pam.d/system-auth
PAM plug-in registration line:
other password required TDI_Plugin_Root/pwd_plugins/pam/libpamtivoli.so use_first_pass TDI_Plugin_Root/pwd_plugins/pam/pwsync.props

OS: Linux
PAM configuration file: /etc/pam.conf or /etc/pam.d/system-auth (RHEL 5); /etc/pam.conf or /etc/pam.d/password (SLES 9); /etc/pam.conf or /etc/pam.d/common-password (SLES 10)
PAM plug-in registration line:
password required TDI_Plugin_Root/pwd_plugins/pam/libpamtivoli.so use_first_pass TDI_Plugin_Root/pwd_plugins/pam/pwsync.props

Note: If the system is 64 bit and the applications that rely on PAM, such as passwd, are also 64 bit, use libpamtivoli_64 instead of libpamtivoli.
Note: The preceding table lists system-auth as the PAM configuration file in the /etc/pam.d directory. The /etc/pam.d/passwd file is the main configuration file for setting and changing passwords. On most operating systems, the standard PAM installation sets up the /etc/pam.d/passwd file to use the /etc/pam.d/system-auth file, which defines the actual PAM modules that set and change the password. On RHEL 4, the delegation in the /etc/pam.d/passwd file can be as shown in the following example:
password required pam_stack.so service=system-auth
If your PAM /etc/pam.d/passwd configuration file is delegated to system-auth, you must add the configuration entry into the /etc/pam.d/system-auth file.
The exceptions to the placement of the Security module last in the stack are:
- If there are modules above the Security module that are marked as sufficient, you must change those modules to required. This change ensures that the Security module is called. For example, on RHEL 4 Linux, the pam_unix module is marked as sufficient in the standard installation. If the result of the pam_unix module is successful, no subsequent password modules are started. To ensure that the Security module is called, you must change pam_unix to required, and it must come before the Security module in the stack.
- If you have modules only for error processing, such as pam_deny, those modules must follow the Security module, and the Security module must be marked as sufficient.
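The two placement rules above (no sufficient module before the synchronizer; the synchronizer itself sufficient when error-processing modules follow it) are easy to get wrong by hand, and a misplaced line fails silently: the password change succeeds locally and is simply never forwarded. The following POSIX shell script is an added example, not part of the IBM documentation or the product, that audits the password stack of a PAM configuration file against those rules. It assumes the synchronizer module name contains libpamtivoli, understands both the /etc/pam.d layout (type control module args) and the /etc/pam.conf layout (service type control module args), and runs against constructed sample stacks that are written to a temporary directory.

```shell
#!/bin/sh
# Added example: check a PAM "password" stack for the synchronizer placement rules.
# Assumptions: the synchronizer module path contains "libpamtivoli"; the file is in
# /etc/pam.d layout (type control module ...) or /etc/pam.conf layout
# (service type control module ...). In the latter case pass the service name as $2.

# check_pam_stack FILE [SERVICE]
# Prints one "FAIL: ..." line per finding; exit status 0 when the stack is correct.
check_pam_stack() {
    awk -v svc="${2:-}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # skip comments and blank lines
        {
            if ($1 == "password") { c = $2; m = $3 }   # /etc/pam.d layout
            else if ($2 == "password" && (svc == "" || $1 == svc)) { c = $3; m = $4 }  # /etc/pam.conf layout
            else next
            n++; ctrl[n] = c; mod[n] = m
            if (m ~ /libpamtivoli/) sync = n           # remember where the synchronizer sits
        }
        END {
            rc = 0
            if (!sync) { print "FAIL: no libpamtivoli registration line in the password stack"; exit 1 }
            # Rule 1: a "sufficient" module above the synchronizer ends the stack on success,
            # so the synchronizer never sees the new password.
            for (i = 1; i < sync; i++)
                if (ctrl[i] == "sufficient") {
                    print "FAIL: " mod[i] " is sufficient before the synchronizer; change it to required"
                    rc = 1
                }
            # Rule 2: if error-processing modules (e.g. pam_deny) follow, the synchronizer
            # must be sufficient, otherwise every password change falls through to the deny.
            if (sync < n && ctrl[sync] != "sufficient") {
                print "FAIL: modules follow the synchronizer but it is not marked sufficient"
                rc = 1
            }
            exit rc
        }
    ' "$1"
}

# Constructed sample stacks (not real system files) used to exercise the checks.
tmp=${TMPDIR:-/tmp}/pam-check.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT

# 1) RHEL-style default: pam_unix is sufficient, so the synchronizer is never reached,
#    and pam_deny follows a synchronizer that is only "required".
cat > "$tmp/bad-sufficient" <<'EOF'
password    requisite     pam_cracklib.so retry=3
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    required      TDI_Plugin_Root/pwd_plugins/pam/libpamtivoli.so use_first_pass TDI_Plugin_Root/pwd_plugins/pam/pwsync.props
password    required      pam_deny.so
EOF

# 2) Corrected stack: pam_unix changed to required; synchronizer marked sufficient
#    because pam_deny follows it.
cat > "$tmp/good" <<'EOF'
password    requisite     pam_cracklib.so retry=3
password    required      pam_unix.so nullok use_authtok md5 shadow
password    sufficient    TDI_Plugin_Root/pwd_plugins/pam/libpamtivoli.so use_first_pass TDI_Plugin_Root/pwd_plugins/pam/pwsync.props
password    required      pam_deny.so
EOF

# 3) /etc/pam.conf layout (AIX-style "passwd" service) with no registration line at all.
cat > "$tmp/missing" <<'EOF'
passwd  password  required  pam_unix.so
EOF

for f in bad-sufficient good; do
    if check_pam_stack "$tmp/$f"; then echo "$f: stack OK"; else echo "$f: needs attention"; fi
done
if check_pam_stack "$tmp/missing" passwd; then echo "missing: stack OK"; else echo "missing: needs attention"; fi
```

Run it as-is to see the three verdicts, or call check_pam_stack on a copy of your own /etc/pam.d/system-auth (or /etc/pam.conf with the service name) after editing it and before the next password change is attempted.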
The PAM pluggable architecture allows the modules to be stacked. We can create a custom solution that allows several PAM Password Synchronizers to be installed on the same system. Each PAM plug-in requires a separate Java Proxy process, and each Java Proxy must listen on a separate port. Use a different pwsync.props configuration file for each plug-in. The files must be in different folders, because authentication takes place in the folder of the configuration file.
Configuration of PAM Password Synchronizer
The PAM plug-in has a template configuration file that is installed at TDI_install_dir/pwd_plugins/pam/pwsync.props. The configuration file is passed as the last parameter of the registration line of the plug-in and is read when the PAM plug-in is initialized. Some parameters of the configuration file are shared between the plug-in and the Java Proxy. The plug-in recognizes some of the properties that are described in the Common configuration and utilities of password synchronization plug-ins topic.
The syncBase and logFile properties are irrelevant to the plug-in and are ignored. The syncBase property is ignored because PAM cannot always provide a DN-like name for the users whose password changes arrive. The logFile property is ignored because the PAM plug-in logs by using the native UNIX syslog daemon.
Select the Password Store of your choice by setting the correct class name in the syncClass parameter.