| Prev | Next |
Table of Contents
...
Installing AOLserver LDAP support.�Forthcoming. (more information)
Install auth-ldap OpenACS service package.�Install auth-ldap and restart the server.
OpenACS supports PAM authetication via the ns_pam module in AOLserver.
Add PAM support to AOLserver.�OpenACS supports PAM support via the PAM AOLserver + module. PAM is system of modular support, and can provide + local (unix password), RADIUS, LDAP (more + information), and other forms of + authentication. Note that due to security issues, the + AOLserver PAM module cannot be used for local password + authentication.
Compile and install ns_pam.�Download the tarball to + /tmp.
Debian users: first do apt-get install libpam-dev
[root@yourserver root]# cd /usr/local/src/aolserver
+[root@yourserver aolserver]# tar xzf /tmp/ns_pam-0.1.tar.gz
+[root@yourserver aolserver]# cd nspam
+[root@yourserver nspam]# make
+gcc -I/usr/include/pam -I/usr/local/aolserver/include -D_REENTRANT=1
+ -DNDEBUG=1 -g -fPIC -Wall -Wno-unused -mcpu=i686 -DHAVE_CMMSG=1
+ -DUSE_FIONREAD=1 -DHAVE_COND_EINTR=1 -c -o nspam.o nspam.c
+nspam.c: In function `PamCmd':
+nspam.c:107: warning: implicit declaration of function `Tcl_SetObjResult'
+nspam.c:107: warning: implicit declaration of function `Tcl_NewIntObj'
+gcc -I/usr/include/pam -I/usr/local/aolserver/include -D_REENTRANT=1
+ -DNDEBUG=1 -g -fPIC -Wall -Wno-unused -mcpu=i686 -DHAVE_CMMSG=1
+ -DUSE_FIONREAD=1 -DHAVE_COND_EINTR=1 -c -o pam_support.o pam_support.c
+/bin/rm -f nspam.so
+gcc -shared -nostartfiles -o nspam.so nspam.o pam_support.o -lpam
+[root@yourserver nspam]# cp nspam.o /usr/local/aolserver/bin
+[root@yourserver nspam]#
+cd /usr/local/src/aolserver
+tar xzf /tmp/ns_pam-0.1.tar.gz
+cd nspam
+make
+cp nspam.so /usr/local/aolserver/binSet up a PAM domain.�A PAM domain is a set of rules for granting + privileges based on other programs. Each instance of + AOLserver uses a domain; different aolserver instances + can use the same domain but one AOLserver instance + cannot use two domains. The domain describes + which intermediate programs will be used to check + permissions. You may need to install software to + perform new types of authentication. +
RADIUS in PAM.�
Untar the pam_radius + tarball and compile and install. (more + information)
[root@yourserver root]# cd /usr/local/src/
+[root@yourserver src]# tar xf /tmp/pam_radius-1.3.16.tar
+[root@yourserver src]# cd pam_radius-1.3.16
+[root@yourserver pam_radius-1.3.16]# make
+cc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o
+cc -Wall -fPIC -c -o md5.o md5.c
+ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so
+[root@yourserver pam_radius-1.3.16]# cp pam_radius_auth.so /lib/security/pam_radius_auth.so
+[root@yourserver pam_radius-1.3.16]#
+cd /usr/local/src/
+tar xf /tmp/pam_radius-1.3.16.tar
+cd pam_radius-1.3.16
+make
+cp pam_radius_auth.so /lib/security/pam_radius_auth.soDebian users: apt-get install libpam-radius-auth
Set up the PAM domain by creating the file + /etc/pam.d/service0 + with these contents:
auth sufficient /lib/security/pam_radius_auth.so +
Modify the AOLserver configuration file to use + this PAM domain. Edit the line
ns_param PamDomain "service0"So that the value of the parameter matches the name (just the file name, not the fully pathed name) of the domain file in
/etc/pam.d/
LDAP in PAM.�more information
Modify the AOLserver configuration file to support ns_pam.�
In + /var/lib/aolserver/service0/etc/config.tcl, enable the nspam module by uncommenting this line:
ns_param nspam ${bindir}/nspam.soInstall auth-pam OpenACS service package.�Install auth-pam and restart the server.
Create an OpenACS authority.�OpenACS supports multiple authentication authorities. + The OpenACS server itself is the "Local Authority," used by + default.
Browse to the authentication administration page, + http://yourserver/acs-admin/auth/. + Create and name an authority (in the sitewide admin UI)
Set Authentication to PAM.
If the PAM module contains a password command, you can set Password Management to PAM. If not, the PAM module cannot change the user's password and you should leave this option Disabled.
Leave Account Registration disabed.
Set Batch sync enabled to Yes. Set GetDocumentImplementation to HTTP GET. Set ProcessDocumentImplementation to IMS Enterprise 1.1. These settings will cause OpenACS to attempt to retrieve via HTTP a list of users in XML format from a location we will specify in a few steps.
Click OK.
On the next page, click Configure on the GetDocument Implementation line.
Enter the IncrementalURL and SnapshotURL. These are the URLs which the external Authority will supply with XML files in IMS Enterprise 1.1 format.
Configure your Authority (RADIUS server, etc) to supply XML files to the URLs IncrementalURL and SnapshotURL
Table of Contents