Authentication With PAM

Uyuni supports network-based authentication systems using pluggable authentication modules (PAM). PAM is a suite of libraries that allows you to integrate Uyuni with a centralized authentication mechanism, eliminating the need to remember multiple passwords. Uyuni supports LDAP, Kerberos, and other network-based authentication systems using PAM.

Procedure: Enabling PAM
  1. Create a PAM service file at /etc/pam.d/susemanager. A standard /etc/pam.d/susemanager file should look like this. It configures Uyuni to use the system wide PAM configuration:

    auth     include        common-auth
    account  include        common-account
    password include        common-password
    session  include        common-session
  2. Enforce the use of the service file by adding this line to /etc/rhn/rhn.conf:

    pam_auth_service = susemanager

    In this example, the PAM service file is called susemanager.

  3. Restart the Uyuni services after a configuration change.

  4. In the Uyuni Web UI, navigate to Users  Create User and enable a new or existing user to authenticate with PAM.

  5. Check the Pluggable Authentication Modules (PAM) checkbox. It is below the password and password confirmation fields.

Changing the password in the Uyuni Web UI changes only the local password on the Uyuni Server. If PAM is enabled for that user, the local password might not be used at all. In the above example, for instance, the Kerberos password will not be changed. Use the password change mechanism of your network service to change the password for these users.

To configure system-wide authentication you can use YaST. You will need to install the yast2-ldap-client and yast2-kerberos-client packages.

For more information about configuring PAM, the SUSE Linux Enterprise Server Security Guide contains a generic example that will also work for other network-based authentication methods. It also describes how to configure an active directory service. For more information, see