Can OOD auth be handled by PAM?

@arashnh11 I think this topic may be the only documentation on it. Feel free to open another topic and post logs (you can obfuscate the users/hostnames). I’m unfamiliar with winbind, but logs & configs may help us pin down the problem.

Hi,
I’m RC from the Stanford Research Computing Center.

I used mod_authnz_pam instead of mod_authnz_external and pwauth. In our earth science configuration, we use authentication through the campus Kerberos, and a local LDAP server with our user accounts available.

This is how I got it to work for the earth sciences cluster, mazama, which uses CentOS 7.8:

I first installed all the PAM module packages I could. You could use the pwauth PAM module, but I have found it to be slow compared to other modules on the system.
yum -y install mod_authnz_pam mod_authnz_external pwauth

Next, copy the files over to the chroot directory where httpd24, for OOD, lives:
cp /etc/httpd/conf.modules.d/55-authnz_pam.conf /opt/rh/httpd24/root/etc/httpd/conf.modules.d/
cp /etc/httpd/conf.d/authnz_pam.conf /opt/rh/httpd24/root/etc/httpd/conf.d/
cp /usr/lib64/httpd/modules/mod_authnz_pam.so /opt/rh/httpd24/root/usr/lib64/httpd/modules/

Now we need to edit the copied module config files, and uncomment one line:
nano /opt/rh/httpd24/root/etc/httpd/conf.modules.d/55-authnz_pam.conf #edit the one line here

change:
#LoadModule authnz_pam_module modules/mod_authnz_pam.so
to this:
LoadModule authnz_pam_module modules/mod_authnz_pam.so

Next we edit the ood_portal yaml file:
nano /etc/ood/config/ood_portal.yml

This is it for the auth section:

auth:
- 'AuthType Basic'
- 'AuthName "ood-webapp-priv"'
- 'AuthBasicProvider PAM'
- 'AuthPAMService ood-webapp'
- 'Require valid-user'

Now for the name of what we declared as the PAM module in “AuthPAMService”, we copy the sshd pam module as the name declared in the /etc/pam.d folder.
cp /etc/pam.d/sshd /etc/pam.d/ood-webapp #copy an already great functioning pam module

I have found the sshd PAM module to be much faster than doing something similar to pwauth, which just uses the password-auth PAM modules.

Next restart the services:

/opt/ood/ood-portal-generator/sbin/update_ood_portal
systemctl try-restart httpd24-httpd.service httpd24-htcacheclean.service

And test!

I hope this helps!

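The steps in the post above can be checked before restarting httpd; the script below is an added example, not part of the original post or of Open OnDemand. It confirms that the LoadModule line is active, that the module file is in the httpd24 tree, and that the `AuthPAMService` name in `ood_portal.yml` has a matching file in `/etc/pam.d` with `auth` and `account` lines. Assumptions: the function names and the root-prefix argument are hypothetical, the sample tree is constructed, and the check for an `ssl:` section is an extra added here because Basic auth sends the PAM password with every request.

```shell
#!/bin/sh
# Added example. Paths come from the post; the root prefix and function names are hypothetical.
SCL=/opt/rh/httpd24/root

check_ood_pam() {    # $1 = optional root prefix ("" checks the live host)
    root=${1:-}; rc=0
    conf="$root$SCL/etc/httpd/conf.modules.d/55-authnz_pam.conf"
    so="$root$SCL/usr/lib64/httpd/modules/mod_authnz_pam.so"
    yml="$root/etc/ood/config/ood_portal.yml"
    # The LoadModule line must be uncommented in the copied config.
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+authnz_pam_module' "$conf" 2>/dev/null ||
        { echo "FAIL: LoadModule authnz_pam_module not active in $conf"; rc=1; }
    # The module binary must exist inside the httpd24 tree.
    [ -f "$so" ] || { echo "FAIL: missing $so"; rc=1; }
    # The AuthPAMService name must match a file in /etc/pam.d.
    svc=$(sed -n "s/^[[:space:]]*-[[:space:]]*'AuthPAMService[[:space:]]\{1,\}\([^']*\)'.*/\1/p" "$yml" 2>/dev/null | head -n 1)
    if [ -z "$svc" ]; then
        echo "FAIL: no AuthPAMService entry in $yml"; rc=1
    elif [ ! -f "$root/etc/pam.d/$svc" ]; then
        echo "FAIL: PAM service file $root/etc/pam.d/$svc not found"; rc=1
    else
        # mod_authnz_pam runs PAM authentication and account management, so both types are needed.
        for t in auth account; do
            grep -Eq "^-?$t[[:space:]]" "$root/etc/pam.d/$svc" ||
                { echo "FAIL: no '$t' lines in $root/etc/pam.d/$svc"; rc=1; }
        done
    fi
    # Added check (assumption): Basic auth should only be served with an active ssl: section.
    grep -Eq '^ssl:' "$yml" 2>/dev/null ||
        { echo "FAIL: no active ssl: section in $yml"; rc=1; }
    return $rc
}

make_sample() {      # builds a constructed sample tree under directory $1
    d=$1
    mkdir -p "$d$SCL/etc/httpd/conf.modules.d" "$d$SCL/usr/lib64/httpd/modules" \
             "$d/etc/ood/config" "$d/etc/pam.d"
    echo 'LoadModule authnz_pam_module modules/mod_authnz_pam.so' \
        > "$d$SCL/etc/httpd/conf.modules.d/55-authnz_pam.conf"
    : > "$d$SCL/usr/lib64/httpd/modules/mod_authnz_pam.so"
    printf '%s\n' "ssl:" "- 'SSLCertificateFile /placeholder/cert.pem'" "auth:" \
        "- 'AuthBasicProvider PAM'" "- 'AuthPAMService ood-webapp'" > "$d/etc/ood/config/ood_portal.yml"
    printf '%s\n' 'auth substack password-auth' 'account include password-auth' \
        > "$d/etc/pam.d/ood-webapp"
}

# Demo on the constructed tree; on a real host call check_ood_pam with no argument.
tmp=$(mktemp -d) && make_sample "$tmp" && check_ood_pam "$tmp" && echo "sample tree: OK"
rm -rf "$tmp"
```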