Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-2212: PAM integration with Centrify DirectControl agent

Authentication Service ,  

12 April,16 at 10:59 AM

Applies to: Centrify DirectControl 4.0 and above.
If an application supports PAM, how does one configure Centrify to work with the same?
Pluggable Authentication Modules (PAM) are a common mechanism for configuring
authentication and authorization used by many UNIX programs and applications. If a
program or application uses PAM for authentication and authorization, the rules for
authenticating the user are configured in either the PAM configuration file, /etc/pam.conf
or in application-specific files in the /etc/pam.d directory.
Centrify DirectControl includes its own Pluggable Authentication Module
(pam_centrifydc) that enables any application that uses PAM, such as ftpd, telnetd,
login, and Apache, to authenticate users through Active Directory. When you join a
domain, the pam_centrifydc module is automatically placed first in the PAM stack in
system-auth, so that it takes precedence over other authentication modules.
Below are the generic instructions which can be used for any PAM supported application to go through DirectControl PAM libraries. Please note that its the vendor's (and not Centrify) responsibility to enable the application for PAM. Centrify support can provide instructions on how to modify the PAM files as mentioned below.
If an application requires a separate pam service file, then do create one under /etc/pam.d/<filename> and copy the below contents. Note some linux versions use 
system-auth and others common-auth. So do check before you start implementing it. 
system-auth/common-auth already have entries for Centrify DirectControl PAM libraries. 
auth include system-auth 
account include system-auth 
session include system-auth 
auth required nullok 
account required 
session required 
If the application is directly using /etc/pam.d/system-auth then there is NO additional configuration needed. 
If an app requires a separate PAM service name, then copy the below lines 
login auth sufficient unix_cred 
login auth requisite deny 
and paste them just before the below in /etc/pam.conf 
other auth sufficient unix_cred 
other auth requisite deny 
Do replace "login" with the PAM service name that's required by an application. If app can use "other" pam service then none of the above configuration is needed. As always, restart the pam-enabled application in question.
Please also see the below link which show the above steps to enable an application called Webmin to work with Centrify DirectControl. Same concept holds good for any other 
PAM-enabled application.