
AuthPAMAdmin

Admin Documentation

AuthPAMOld configuration is very simple once you've met the requirements (there are only a few). Once they are met, go to the Login section of TikiAdmin.
Under 'Method' there is an option called 'Tiki and PAM'; select it if you plan to use PAM. At the bottom of the screen there are a
few options for AuthPAM:

  • Create user if not in Tiki?: Check this if you want Tiki to add users who authenticate through PAM but are not in its internal database.
  • Use tiki for admin only?: This makes Tiki authenticate the 'admin' user with its internal system rather than PAM. If you don't select it, you'll have to add a system user called 'admin'.
  • PAM Service (currently unused): Here you would specify which PAM service Tiki should authenticate against, but this is now disabled due to a lack of the auth_pam php module.


Notes

Requirements for AuthPAM

AuthPAMOld has one small requirement that must be met in order to work: you need the pam_auth php module. I've seen it in some Linux distributions but not in all.
The links section of the main AuthPAM page has a link to the author's home page, where you can get the module and compile it if your distribution doesn't include a binary package.

After compiling and installing the module as stated in its documentation, you have to create a PAM service for Tiki (normally in /etc/pam.d).

Then just go to Tikiwiki and set up PAM there.

Permissions!

Take care with file permissions. Remember that php runs with Apache's privileges, normally a normal user account such as www-data. If you plan to use PAM
against your system's users and your system uses shadowed passwords, remember that /etc/shadow is only readable by root, so php won't be able to read it
(the PAM library runs with the calling user's privileges). You'll have to work around it, maybe by letting your web server's user read the shadow file; note that doing so exposes every password hash to any code running as the web server user.

I'd be glad of any suggestions on that point

Security Issues

With a default PAM service any account will be granted access (try user: nobody), so here are a few things to take care of:

I recommend using the pam_require module to require that the user be in a specific group. You can also take a look at PAM Modules at kernel.org to refine your PAM service for Tiki a bit more.
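
A way to check a PAM service file for the problem described above, as an added example that is not part of the original page or of Tiki: it parses a service file and reports when nothing restricts which accounts are accepted. The service name `tiki`, the group `tikiusers`, the `@group` argument form for pam_require and the list of restricting modules are assumptions; both sample files are constructed.

```python
import re

# Modules able to limit which accounts pass (assumed list; extend as needed).
RESTRICTING = {"pam_require.so", "pam_succeed_if.so", "pam_listfile.so", "pam_access.so"}

# Constructed sample: default-style service, accepts any valid system account.
WEAK = """\
# /etc/pam.d/tiki  (hypothetical service name)
auth     required  pam_unix.so
account  required  pam_unix.so
"""

# Constructed sample: same service limited to one group (group name is made up;
# the "@group" argument form is assumed, confirm it in pam_require's docs).
HARDENED = """\
auth     required  pam_unix.so
account  required  pam_unix.so
account  required  pam_require.so @tikiusers
"""

RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_service(text):
    """Return (type, control, module, args) tuples from a pam.d service file."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        m = RULE.match(line)
        if m:
            kind, control, module, args = m.groups()
            # Normalise "-auth" and absolute module paths.
            rules.append((kind.lstrip("-"), control, module.rsplit("/", 1)[-1], args.split()))
    return rules

def audit(text):
    """Return a list of findings; empty means a restriction is enforced."""
    rules = parse_service(text)
    findings = []
    if not any(mod in RESTRICTING and ctl in ("required", "requisite")
               and kind in ("auth", "account") for kind, ctl, mod, _ in rules):
        findings.append("no enforced user/group restriction: any valid account is accepted")
    if any(kind == "auth" and mod == "pam_permit.so" for kind, _, mod, _ in rules):
        findings.append("pam_permit.so in auth stack: every login succeeds")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "ok")
```

Rules in the `account` stack are only evaluated when the calling module runs PAM's account-management step, so test the finished service with an account outside the allowed group.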

Also note that PAM only receives a user/password pair and checks it; it relies on your web server settings to handle secure transmission of that pair from the browser to the server. I recommend SSL.

Thanks to damian for advising me of those two things.

Knowledgebase / tutorial / FAQ / How-to


TikiTeam

Who is working here generally? Link UserPage.

For more information

Page last modified on Wednesday 21 April 2004 21:01:51 GMT-0000
