Authentication With PAM

Uyuni supports network-based authentication systems through pluggable authentication modules (PAM) with SSSD. PAM is a suite of libraries that allows you to integrate Uyuni with a centralized authentication mechanism, eliminating the need to remember multiple passwords. Uyuni supports LDAP, Kerberos, and other network-based authentication protocols.

1. SSSD Configuration

Procedure: Configuring SSSD
  1. In the Uyuni Web UI, navigate to Users > Create User and enable a new or existing user to authenticate with PAM.

    In addition to alphanumeric characters, usernames can contain -, _, ., and @.

  2. Check the Pluggable Authentication Modules (PAM) checkbox.

  3. Configure SSSD in the container. Connect inside the container using:

    mgrctl term

    Then edit the file:

    /etc/sssd/sssd.conf

  4. Set krb5_keytab in the domain/$domain section to /etc/sssd/krb5.keytab.

  5. Restart Uyuni using:

    mgradm restart
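
A check you could run inside the container after step 4 and before the restart, as an added example (not part of the Uyuni documentation or code): it confirms that every domain enabled in sssd.conf sets krb5_keytab to the path from step 4. The domain names in the sample are constructed, reading the enabled domains from the domains option in [sssd] follows standard SSSD configuration, and the file-permission check is an extra assumption not stated on this page.

```python
import configparser
import os
import sys

EXPECTED_KEYTAB = "/etc/sssd/krb5.keytab"  # value from step 4 of the procedure

# Constructed sample: the domain names are placeholders, not taken from the page.
SAMPLE = """\
[sssd]
domains = example.test, lab.test

[domain/example.test]
krb5_keytab = /etc/sssd/krb5.keytab

[domain/lab.test]
krb5_keytab = /etc/krb5.keytab
"""

def check_sssd_conf(text):
    """Return a list of findings for sssd.conf content; an empty list means OK."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    raw = cp.get("sssd", "domains", fallback="")
    domains = [d.strip() for d in raw.split(",") if d.strip()]
    if not domains:
        return ["[sssd] lists no enabled domains"]
    findings = []
    for name in domains:
        section = "domain/" + name
        if not cp.has_section(section):
            findings.append(f"[{section}] is enabled but has no section")
        elif cp.get(section, "krb5_keytab", fallback=None) != EXPECTED_KEYTAB:
            value = cp.get(section, "krb5_keytab", fallback="<unset>")
            findings.append(f"[{section}] krb5_keytab is {value}")
    return findings

def world_accessible(path):
    """Assumed extra check: True if 'other' users have any permission on the file."""
    return bool(os.stat(path).st_mode & 0o007)

if __name__ == "__main__":
    problems = check_sssd_conf(SAMPLE)  # default input: the constructed sample
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            problems = check_sssd_conf(fh.read())
        if world_accessible(sys.argv[1]):
            problems.append(f"{sys.argv[1]} is accessible to other users")
    print("\n".join(problems) or "OK")
    sys.exit(1 if problems else 0)
```

Saved under a name of your choice, the script takes the path to check as its only argument, for example /etc/sssd/sssd.conf, and exits non-zero when it reports a finding.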

Changing the password in the Uyuni Web UI changes only the local password on the Uyuni Server. If PAM is enabled for that user, the local password might not be used at all. In the above example, for instance, the Kerberos password is not changed. Use the password change mechanism of your network service to change the password for these users.

For more information about configuring PAM, see the SUSE Linux Enterprise Server Security Guide, which contains a generic example that also works for other network-based authentication methods. It also describes how to configure an Active Directory service. The guide is available at https://documentation.suse.com/sles/15-SP4/html/SLES-all/part-auth.html.