Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-2212: PAM integration with Centrify DirectControl agent

Authentication Service ,  

12 April,16 at 10:59 AM

Applies to: Centrify DirectControl 4.0 and above.
 
Question:
If an application supports PAM, how does one configure Centrify to work with the same?
 
Answer:
Pluggable Authentication Modules (PAM) are a common mechanism for configuring
authentication and authorization used by many UNIX programs and applications. If a
program or application uses PAM for authentication and authorization, the rules for
authenticating the user are configured in either the PAM configuration file, /etc/pam.conf
or in application-specific files in the /etc/pam.d directory.
 
Centrify DirectControl includes its own Pluggable Authentication Module
(pam_centrifydc) that enables any application that uses PAM, such as ftpd, telnetd,
login, and Apache, to authenticate users through Active Directory. When you join a
domain, the pam_centrifydc module is automatically placed first in the PAM stack in
system-auth, so that it takes precedence over other authentication modules.
 
Below are the generic instructions which can be used for any PAM supported application to go through DirectControl PAM libraries. Please note that its the vendor's (and not Centrify) responsibility to enable the application for PAM. Centrify support can provide instructions on how to modify the PAM files as mentioned below.
 
Linux: 
 
If an application requires a separate pam service file, then do create one under /etc/pam.d/<filename> and copy the below contents. Note some linux versions use 
system-auth and others common-auth. So do check before you start implementing it. 
system-auth/common-auth already have entries for Centrify DirectControl PAM libraries. 
 
#%PAM-1.0 
auth include system-auth 
account include system-auth 
session include system-auth 
 
auth required pam_unix.so nullok 
account required pam_unix.so 
session required pam_unix.so 
 
If the application is directly using /etc/pam.d/system-auth then there is NO additional configuration needed. 
 
UNIX: 
 
If an app requires a separate PAM service name, then copy the below lines 
 
login auth sufficient pam_centrifydc.so unix_cred 
login auth requisite pam_centrifydc.so deny 
 
and paste them just before the below in /etc/pam.conf 
 
other auth sufficient pam_centrifydc.so unix_cred 
other auth requisite pam_centrifydc.so deny 
 
Do replace "login" with the PAM service name that's required by an application. If app can use "other" pam service then none of the above configuration is needed. As always, restart the pam-enabled application in question.
 
Please also see the below link which show the above steps to enable an application called Webmin to work with Centrify DirectControl. Same concept holds good for any other 
PAM-enabled application.
 
 
 
 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleIntegration of legacy platforms with Centrify Server Suite - agentless integration w/LDAP part 1 articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleIntegration of legacy platforms with Centrify Server Suite - agentless integration w/LDAP part 3 articleIntegrating Centrify Server Suite with SIEM Tools – Part 2, integration with Splunk article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part III articleIntegration of legacy platforms with Centrify Server Suite articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD?