External Authentication with PAM

For an overview of External Authentication, see the Knowledge Base article External Authentication Basics.

This article demonstrates how to configure ConsoleWorks to authenticate against the user names and passwords of the Linux system where ConsoleWorks is running. See the article External Authentication with PAM and Active Directory to use AD users and passwords for authentication.

Note that setting up PAM on Red Hat Enterprise 7 and above is different than on Solaris.
Instead of /etc/pam.conf, RHEL uses multiple configuration files located in "/etc/pam.d/".

Step 1

As a privileged user, create a file called "conwrks" in /etc/pam.d/. Within this file, add the following entries and save the file:
#PAM1.0
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
This allows ConsoleWorks to communicate with the installed PAM module to authenticate user names and passwords for ConsoleWorks users against system user accounts.

Step 2

Create a template user for PAM External Authentication, for example, PAM_TEMPLATE. Make sure the option for Use External Authentication is checked on the Template User account.

Note: All PAM authenticated users with access to ConsoleWorks will start with the selected template usage rights. The CONSOLE_MANAGER account does not use External Authentication.

Step 3

click here for larger image

Navigate to SECURITY > External Authentication to add External Authentication service pointed at the target PAM server.

Note: External Authentication, assumed for pre-existing user accounts, requires all ConsoleWorks user accounts to be authenticated via ConsoleWorks External Authentication (even if not selected in the specific user page).

Step 4

click here for larger image

On the External Authentication Record page, enter in data using the following parameters:
Record Name: PAM [example]
Enabled: [X]
Library: PAM
Parameter 1: conwrks
Parameter 6: (optional) Log level
(*NOTE*) 15 is full verbose, written to the .out file
Select template user

Note:

Click Next

Step 5

click here for larger image

ConsoleWorks will test connectivity and credentials to the PAM server. Enter a valid PAM user id and password. Click Next.

Step 6

click here for larger image

The verification passed screen displays if the parameters are accepted. If not, check for typos and the .out file logging information. For information concerning using the .out file, see the Knowledge Base article ConsoleWorks Standard Output files for errors.
Click Next.

Step 7

click here for larger image

The last screen is an overview of the settings. Click Save to save the new external authentication record.

Note:
    To save any changes made to the External Authentication record requires going through all the pages of the record including the verification screen. The Save button is on the last page.

Step 8

click here for larger image

Click Save to display the External Authentication window. Ensure Enable External Authentication is checked. Click Save.

Step 12

Log out.

Step 13

Log in to ConsoleWorks using a PAM user id and password.

Note:
  • When attempting to log in with an existing ConsoleWorks user id, that user id must have Use External Authentication selected on the User page or the External Authentication assumed setting must be selected on the SECURITY: External Authentication page.
  • When attempting to log in with a Radius use id and password that does not have a corresponding ConsoleWorks user account, an account will be created based on the specified ConsoleWorks template User in the External Authentication record.

To Learn MoreRed Hat Link: Configuring SSSD and LDAP Page is subject to change by Red Hat at any time
Tags: 
External Authentication
External Auth
PAM
RHEL PAM