Chapter 6. Authentication

Procedure 6.1. Configuring Red Hat Satellite to use PAM

1. Set the allow_httpd_mod_auth_pam SELinux boolean to on:

   # setsebool -P allow_httpd_mod_auth_pam 1

2. Open the /etc/rhn/rhn.conf file in your preferred text editor, and add the following line:

   pam_auth_service = rhn-satellite

   Create a PAM service file in the /etc/pam.d/ directory:

   # touch /etc/pam.d/rhn-satellite

3. Edit the file and add one of the following, depending on your authentication method:

   Example 6.1. SSSD Authentication

   #%PAM-1.0
   auth        required      pam_env.so
   auth        sufficient    pam_sss.so
   auth        required      pam_deny.so
   account     sufficient    pam_sss.so
   account     required      pam_deny.so
   

   Example 6.2. Kerberos Authentication

   #%PAM-1.0
   auth        required      pam_env.so
   auth        sufficient    pam_krb5.so no_user_check
   auth        required      pam_deny.so
   account     required      pam_krb5.so no_user_check
   

   Example 6.3. LDAP Authentication

   #%PAM-1.0
   auth          required      pam_env.so
   auth          sufficient    pam_ldap.so no_user_check
   auth          required      pam_deny.so
   account       required      pam_ldap.so no_user_check
   

   For more detail about configuring PAM, see the Pluggable Authentication Modules (PAM) in the Red Hat Enterprise Linux Deployment Guide.

   Note

   For Kerberos-authenticating users, change the password by using kpasswd. Do not change the password on Red Hat Satellite web application as this method only changes the local password on the Satellite server. Local passwords are not in use if PAM is enabled for that user.
4. Restart the service to pick up the changes:

   # rhn-satellite restart
   

5. To enable a user to authenticate against PAM, select the checkbox labeled Pluggable Authentication Modules (PAM). It is positioned below the password and password confirmation fields on the Create User page.