Applies to: Centrify DirectControl 4.0 and above.
Question:
If an application supports PAM, how does one configure Centrify to work with the same?
Answer:
Pluggable Authentication Modules (PAM) are a common mechanism for configuring
authentication and authorization used by many UNIX programs and applications. If a
program or application uses PAM for authentication and authorization, the rules for
authenticating the user are configured in either the PAM configuration file, /etc/pam.conf
or in application-specific files in the /etc/pam.d directory.
Centrify DirectControl includes its own Pluggable Authentication Module
(pam_centrifydc) that enables any application that uses PAM, such as ftpd, telnetd,
login, and Apache, to authenticate users through Active Directory. When you join a
domain, the pam_centrifydc module is automatically placed first in the PAM stack in
system-auth, so that it takes precedence over other authentication modules.
Below are generic instructions for routing any PAM-enabled application through the DirectControl PAM library. Note that it is the vendor's (not Centrify's) responsibility to make the application PAM-aware; Centrify support can provide guidance on modifying the PAM files as described below.
Linux:
If an application requires a separate PAM service file, create one as /etc/pam.d/<filename>, where <filename> is the service name the application passes to PAM, and copy the contents below into it. Note that some Linux distributions (Red Hat-style) use system-auth, while others (Debian/Ubuntu-style) use the common-auth, common-account, common-session and common-password files instead, so check which exist before you start and adjust the include lines accordingly.
system-auth/common-auth already contain the entries for the Centrify DirectControl PAM library, so including them is what hands authentication to pam_centrifydc.
#%PAM-1.0
auth include system-auth
account include system-auth
session include system-auth
auth required pam_unix.so nullok
account required pam_unix.so
session required pam_unix.so
If the application already uses /etc/pam.d/system-auth (or common-auth) directly, NO additional configuration is needed.
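As an added example (not Centrify's own tooling), the script below automates the Linux procedure above: it detects whether the host uses system-auth or the Debian-style common-* files, writes a per-application service file that includes the system stack for every management group, and then checks that pam_centrifydc.so is the first auth module in the included file, which is the precondition the article relies on. The function names are mine; the PAM directory is a parameter so the functions can be tried against a scratch copy before touching /etc/pam.d.

```shell
#!/bin/sh
# Added example (not Centrify's tooling): create a per-application PAM service
# file on Linux that includes the system stack, then confirm pam_centrifydc.so
# is the first auth module in the included file. Function names are mine; the
# PAM directory is a parameter so the functions can be tried on a scratch copy.

# Print the include style the host uses: "system-auth" (Red Hat-style) or
# "common" (Debian-style). Fails if neither file exists.
pam_include_style() {
    pamd="${1:-/etc/pam.d}"
    if [ -f "$pamd/system-auth" ]; then
        echo system-auth
    elif [ -f "$pamd/common-auth" ]; then
        echo common
    else
        echo "neither system-auth nor common-auth found under $pamd" >&2
        return 1
    fi
}

# Write $pamd/<service> so that each management group includes the system
# stack. Refuses to overwrite an existing service file.
write_pam_service() {
    service="$1"; pamd="${2:-/etc/pam.d}"
    target="$pamd/$service"
    if [ -e "$target" ]; then
        echo "$target already exists; not overwriting" >&2
        return 1
    fi
    style=$(pam_include_style "$pamd") || return 1
    {
        echo '#%PAM-1.0'
        for grp in auth account session password; do
            if [ "$style" = system-auth ]; then
                echo "$grp include system-auth"
            else
                echo "$grp include common-$grp"
            fi
        done
    } > "$target"
    chmod 644 "$target"
}

# Exit 0 if the first auth module in the file that <service> includes is
# pam_centrifydc.so. Only the first level of include is followed, and
# control-flag syntax like "[success=2 default=ignore]" is skipped over.
centrify_is_first_auth_module() {
    service="$1"; pamd="${2:-/etc/pam.d}"
    inc=$(awk '$1=="auth" && $2=="include" {print $3; exit}' "$pamd/$service")
    [ -n "$inc" ] && [ -f "$pamd/$inc" ] || return 1
    first=$(awk '$1=="auth" { for (i=2; i<=NF; i++) if ($i ~ /\.so$/) { print $i; exit } }' "$pamd/$inc")
    [ "$first" = "pam_centrifydc.so" ]
}

# Usage: sh thisfile.sh <service>   (run as root against /etc/pam.d)
if [ $# -ge 1 ]; then
    write_pam_service "$1" && centrify_is_first_auth_module "$1" \
        && echo "$1: pam_centrifydc.so is first on the auth stack"
fi
```

The check deliberately fails when a module such as pam_unix.so precedes pam_centrifydc.so, because in that case Active Directory users would be tried against the local password database first, which is the misordering the article's "placed first in the PAM stack" note is guarding against.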
UNIX:
If an application requires a separate PAM service name, copy the lines below
login auth sufficient pam_centrifydc.so unix_cred
login auth requisite pam_centrifydc.so deny
and paste them into /etc/pam.conf just before the following lines:
other auth sufficient pam_centrifydc.so unix_cred
other auth requisite pam_centrifydc.so deny
Replace "login" with the PAM service name the application uses. If the application can use the "other" PAM service, none of the above configuration is needed. As always, restart the PAM-enabled application in question afterwards.
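As an added example (not Centrify's own tooling), the script below performs the /etc/pam.conf edit described above for a UNIX host: it inserts the two pam_centrifydc auth lines for a given service immediately before the first "other auth" entry, refuses to run when there is no such anchor, keeps a backup, and is safe to re-run because it does nothing if the service already has auth entries. The function names and the ".pre-centrify" backup suffix are mine; the file path is a parameter so the edit can be rehearsed on a copy before the real file is touched.

```shell
#!/bin/sh
# Added example (not Centrify's tooling): add per-service pam_centrifydc auth
# entries to a UNIX /etc/pam.conf, placed immediately before the "other auth"
# entries as the article describes. Function names and the backup suffix are
# mine; the file path is a parameter so the edit can be rehearsed on a copy.

# Exit 0 if <conf> has at least one line whose service is <svc> and whose
# management group is "auth". Comment lines never match because their first
# field starts with "#".
pamconf_has_auth_entry() {
    awk -v s="$1" '$1==s && $2=="auth" {found=1} END {exit !found}' "$2"
}

# Insert the two lines for <service> before the first "other auth" line.
# Idempotent: leaves the file alone if <service> already has auth entries.
# Fails without touching the file when there is no "other auth" anchor.
add_pamconf_service() {
    service="$1"; conf="${2:-/etc/pam.conf}"
    if pamconf_has_auth_entry "$service" "$conf"; then
        echo "$service already has auth entries in $conf; nothing to do" >&2
        return 0
    fi
    if ! pamconf_has_auth_entry other "$conf"; then
        echo "no 'other auth' entry in $conf to insert before" >&2
        return 1
    fi
    cp -p "$conf" "$conf.pre-centrify" || return 1   # keep a backup
    awk -v s="$service" '
        !done && $1=="other" && $2=="auth" {
            printf "%s auth sufficient pam_centrifydc.so unix_cred\n", s
            printf "%s auth requisite pam_centrifydc.so deny\n", s
            done=1
        }
        { print }' "$conf" > "$conf.tmp.$$" \
        && cat "$conf.tmp.$$" > "$conf" \
        && rm -f "$conf.tmp.$$"
    # Writing through "cat >" rather than mv keeps the file's mode and owner.
}

# Usage: sh thisfile.sh <service>   (run as root, then restart the application)
if [ $# -ge 1 ]; then
    add_pamconf_service "$1"
fi
```

Placing the service lines before "other auth" matters because PAM matches the most specific service name; once a "login"-style entry exists for the application, the "other" entries no longer apply to it, so the application's own stack must carry the pam_centrifydc pair itself.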
Please also see the link below, which shows the above steps used to enable an application called Webmin to work with Centrify DirectControl. The same concept holds for any other
PAM-enabled application.