Best Practices
- 1 Introduction
- 2 Managing Your Subscriptions
- 3 Expanded Support
- 4 Salt Formulas and SUSE Manager
- 5 Configuration Management with Salt
- 6 Salt Minion Scalability
- 7 Activation Key Management
- 8 Contact Methods
- 9 Advanced Patch Lifecycle Management
- 10 Live Patching with SUSE Manager
- 11 SUSE Manager Server Migration
- 12 Client Migration
- 13 PostgreSQL Database Migration
- 14 Backup and Restore
- 15 Authentication Methods
- 16 Using a Custom SSL Certificate
- 17 Troubleshooting
- 18 Additional Resources
- 19 A SUSE Manager 2.1 and 3.2 Product Comparison
- A GNU Licenses
- 20 GNU Free Documentation License
15 Authentication Methods
15.1 Authentication Via PAM #
As security measures become increasingly complex, SUSE Manager supports network-based authentication systems via Pluggable Authentication Modules (PAM). PAM is a suite of libraries that allows to integrate SUSE Manager with a centralized authentication mechanism, thus eliminating the need to remember multiple passwords. SUSE Manager supports LDAP, Kerberos, and other network-based authentication systems via PAM. To enable SUSE Manager to use PAM in your organization’s authentication infrastructure, follow the steps below.
Set up a PAM service file (default location:
/etc/pam.d/susemanager) then enforce its use by adding the following line to/etc/rhn/rhn.conf:pam_auth_service = susemanager
Note
This assumes the PAM service file is named susemanager.
To enable a new or existing user to authenticate with PAM, proceed to the page and select the checkbox labeled Pluggable Authentication Modules (PAM) positioned below the password and password confirmation fields.
To authenticate a SLES system against Kerberos add the following lines to
/etc/pam.d/susemanager:#%PAM-1.0 auth include common-auth account include common-account password include common-password session include common-session
Note
To register a Red Hat Enterprise Linux System against Kerberos add the following lines to
/etc/pam.d/susemanager
#%PAM-1.0 auth required pam_env.so auth sufficient pam_krb5.so no_user_check auth required pam_deny.so account required pam_krb5.so no_user_check
+
YaST can now be used to configure PAM, when packages such as yast2-ldap-client and yast2-kerberos-client are installed; for detailed information on configuring PAM, see the SUSE Linux Enterprise Server Security Guide https://www.suse.com/documentation/sles-12/book_security/data/part_auth.html. This example is not limited to Kerberos; it is generic and uses the current server configuration. Note that only network based authentication services are supported.
Important: Changing Passwords
Changing the password on the SUSE Manager Web interface changes only the local password on the SUSE Manager server. But this password may not be used at all if PAM is enabled for that user. In the above example, for instance, the Kerberos password will not be changed.
15.2 Authentication Via eDirectory and PAM #
First check to ensure eDirectory authentication is working with your current OS for example:
#getent passwd
If users are returned from eDirectory then create the following file:
# cat /etc/pam.d/susemanager
And add the following content:
#%PAM-1.0 auth include common-auth account include common-account password include common-password session include common-session #
Finally add the following lines to the SUSE Manager conf file:
# grep -i pam /etc/rhn/rhn.conf pam_auth_service = susemanager
You may now create users with the same id that appears on eDirectory and mark the Use PAM check-box from the SUSE Manager WebUI.
15.3 Example Quest VAS Active Directory Authentication Template #
If you are using Quest VAS for active directory authentication, you can use the following /etc/pam.d/susemanager
file.
#%PAM-1.0 auth required pam_env.so auth sufficient pam_vas3.so no_user_check auth requisite pam_vas3.so echo_return auth required pam_deny.so account required pam_vas3.so no_user_check