Documentation survey

Authentication With PAM

SUSE Manager supports network-based authentication systems using pluggable authentication modules (PAM) using SSSD. PAM is a suite of libraries that allows you to integrate SUSE Manager with a centralized authentication mechanism, eliminating the need to remember multiple passwords. SUSE Manager supports LDAP, Kerberos, and other network-based authentication protocols.

1. SSSD Configuration

Procedure: Configuring SSSD

  1. In the SUSE Manager Web UI, navigate to Users  Create User and enable a new or existing user to authenticate with PAM.

    In usernames, additionally to alphanumeric characters, -, _, ., and @ are allowed.

  2. Check the Pluggable Authentication Modules (PAM) checkbox.

  3. Configure SSSD in the server container. At the command prompt of the SUSE Manager container host, as root, enter the server container:

    mgrctl term

  4. Inside the container, execute the following steps:

    1. Edit /etc/sssd/sssd.conf according to your configuration. For an example, see LDAP Integration with Active Directory Example.

    2. When done, exit the container:

      exit

  5. Restart SUSE Manager using:

    mgradm restart

Changing the password in the SUSE Manager Web UI changes only the local password on the SUSE Manager Server. If PAM is enabled for that user, the local password might not be used at all. In the above example, for instance, the Kerberos password is not changed. Use the password change mechanism of your network service to change the password for these users.

For more information about PAM configuration, see the SUSE Linux Enterprise Server Security Guide. The Security Guide contains a generic example that also works for other network-based authentication methods. It also describes how to configure an Active Directory (AD) service. For more information, see https://documentation.suse.com/sles/15-SP4/html/SLES-all/part-auth.html.

1.1. LDAP Integration with Active Directory Example

For LDAP integration with Active Directory, you can use the following example.

In the code snippet, change the following placeholders according to your environment:

$domain

Your domain name

$ad_server

FQDN of the AD server if it is not auto-detected from the $domain $uyuni-hostname: The name of the machine this AD client is supposed to be known. If not set, it will be uyuni-server.mgr.internal.

Example snippet for /etc/sssd/sssd.conf:

[sssd]
config_file_version = 2
services = nss, pam
domains = $domain

[nss]

[pam]

[domain/$domain]
id_provider = ad
chpass_provider = ad
access_provider = ad
auth_provider = ad

ad_domain = $domain
ad_server = $ad_server
ad_hostname = $uyuni-hostname

ad_gpo_map_network = +susemanager

krb5_keytab = FILE:/etc/rhn/krb5.conf.d/krb5.keytab
krb5_ccname_template = FILE:/tmp/krb5cc_%{uid}