Authentication With PAM
SUSE Manager supports network-based authentication systems using pluggable authentication modules (PAM). PAM is a suite of libraries that allows you to integrate SUSE Manager with a centralized authentication mechanism, eliminating the need to remember multiple passwords. SUSE Manager supports LDAP, Kerberos, and other network-based authentication systems using PAM.
In usernames, additionally to alphanumeric characters, |
-
Create a PAM service file at
/etc/pam.d/susemanager
. Filename must be in lower case and readable bytomcat
user. This file is used by SUSE Manager to load the correct PAM configuration files:#%PAM-1.0 auth include common-auth account include common-account password include common-password session include common-session
Listing 1. On the SUSE Manager Server, at the command prompt, as root, add thesss
PAM module:pam-config -a --sss
This command adds the module to the
/etc/pam.d/common-auth
configuration file. We do not recommend editing this file directly. -
Enforce the use of the service file by adding this line to
/etc/rhn/rhn.conf
:pam_auth_service = susemanager
In this example, the PAM service file is called
susemanager
. -
Restart the SUSE Manager services after a configuration change.
-
In the SUSE Manager Web UI, navigate to
and enable a new or existing user to authenticate with PAM. -
Check the
Pluggable Authentication Modules (PAM)
checkbox. It is below the password and password confirmation fields.
Changing the password in the SUSE Manager Web UI changes only the local password on the SUSE Manager Server. If PAM is enabled for that user, the local password might not be used at all. In the above example, for instance, the Kerberos password is not changed. Use the password change mechanism of your network service to change the password for these users. |
To configure system-wide authentication you can use YaST.
You need to install the yast2-auth-client
package.
For more information about configuring PAM, the SUSE Linux Enterprise Server Security Guide contains a generic example that also works for other network-based authentication methods. It also describes how to configure an active directory service. For more information, see https://documentation.suse.com/sles/15-SP4/html/SLES-all/part-auth.html.