PAM Services
PAM stands for Pluggable Authentication Modules.
It allows you to "plug in" new authentication technologies without changing system entry services, such as login, ftp, telnet, etc.
PAM has a pluggable, modular architecture, which grants the system administrator a great deal of flexibility in setting authentication policies for the system.
The CP+ admin panel allows you to create PAM services and PAM modules.
Creating a PAM service
To add a PAM service:
- Select the System Administration CP+ mode and, in the Server Management section, click the PAM Authentication icon.
The following page will show:

- Click the Add a new PAM service link on the PAM Authentication page.
- Fill in the form that shows:

- Enter your PAM Service name;
- Add Description if necessary. It will show in the list of existing PAM services;
- Initial PAM Modules: you can choose None, Unix authentication modules or set Deny all access.
- Click the Create button to save settings.
You can remove a PAM service by clicking the Delete PAM Service button on the service details page.
Adding PAM modules
To add modules to an existing PAM service:
- Choose the necessary PAM service listed on the PAM Authentication page. You will see the PAM Service details page:

- You can create modules in the following four module types:
- Authentication module type covers two aspects of authenticating the user: it identifies and authenticates the user, and it grants group membership.
- Account module verifies that access is allowed. For example, it can check if a user account is expired or is allowed to log in at a particular time of day.
- Session module configures and manages user sessions and performs additional tasks like mounting the user's home directory and making the user's mailbox available.
- Password module sets and verifies passwords.
- Choose a module from the drop-down box for the necessary module type and click the Add step for button. You will see the following page.

Service name: shows the name of the chosen service;
Use in service: indicates the module type;
PAM module: shows the module you have chosen to add;
Failure level: every PAM module generates a success or failure result when called. The failure level is determined by the following control flags:
- Required: the module result must be successful for authentication to continue. If the result fails, the user is not notified until the results of all modules are complete.
- Requisite: the module result must be successful for authentication to continue. If the result fails, the user is notified with a message about the first failed required or requisite module.
- Sufficient: the module result is ignored if it fails. If the result is successful and no required flagged modules above it have failed, then the user is authenticated to the service.
- Optional: the module result is ignored if it fails. If the module result is successful, it does affect the overall success or failure for the module interface.
Module arguments are usually optional. Other fields depend on the module you are creating.
- Click Save to create the PAM module.
If there are more than 2 modules for one module type, you can move them up and down according to their importance.
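Because a Sufficient success depends on what is above it and a Requisite failure stops everything below it, the order of modules changes the outcome. The following is an added example, not CP+ or PAM code: a simplified model of the four failure levels, where the function name, module labels and module results are all constructed for illustration.

```python
# Simplified model of the four failure levels (control flags) described above.
# Each step is (flag, module_label, module_succeeded); labels and results are
# constructed sample input, not output from real PAM modules.

def evaluate_stack(steps):
    """Return (granted, modules_run) for the ordered stack of one module type."""
    state = None   # None = undecided, True = success so far, False = failed
    ran = []
    for flag, label, ok in steps:
        ran.append(label)
        if flag in ("required", "requisite"):
            if not ok:
                state = False
                if flag == "requisite":
                    break          # requisite failure ends the stack at once
            elif state is None:
                state = True
        elif flag == "sufficient":
            if ok and state is not False:
                state = True
                break              # success with no earlier failure: done
            # a failed sufficient module is ignored
        elif flag == "optional":
            if ok and state is None:
                state = True       # an optional failure is ignored
        else:
            raise ValueError(f"unknown failure level: {flag}")
    # Assumption of this model: a stack in which nothing succeeded is denied.
    return state is True, ran

# Constructed scenario: the password is correct but the host check fails.
HOST_FIRST = [("required", "host_check", False),
              ("sufficient", "password_check", True)]
PASSWORD_FIRST = [("sufficient", "password_check", True),
                  ("required", "host_check", False)]
REQUISITE_FIRST = [("requisite", "host_check", False),
                   ("required", "password_check", True)]

if __name__ == "__main__":
    for name, stack in (("host first", HOST_FIRST),
                        ("password first", PASSWORD_FIRST),
                        ("requisite first", REQUISITE_FIRST)):
        granted, ran = evaluate_stack(stack)
        print(f"{name}: granted={granted}, modules run={ran}")
```

With the Sufficient module moved above the Required one, access is granted and the Required check is never run, so review the order whenever a Sufficient module is added.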