This space has moved to IU's Confluence.
It is located at https://uisapp2.iu.edu/confluence-prd/display/iulV3/

Pam Authentication through JPam

Pam

Pam stands for Pluggable Authentication Modules and is used pervasively on *nix systems. A multitude of Pam modules have been written, including modules for LDAP, POP, IMAP, KRB5, CAS, and Radius.

For more information about Pam visit:
http://en.wikipedia.org/wiki/Pluggable_Authentication_Modules
http://www.kernel.org/pub/linux/libs/pam/

JPam

JPam is a small JNI wrapper around Pam released under an Apache License. It is released as a jar, a library file, and a Pam configuration file. The jar needs to be included on the classpath, the library file needs to be in java.library.path, and the Pam configuration file needs to be in /etc/pam.d/.

Only auth and account need to be present in the pam.d configuration file for JPam to work properly.

For more information about JPam visit:
http://jpam.sf.net

Installing JPam

The current version of JPam (1.1) can cause the JVM to hang or crash if a user's password has expired.
See http://sourceforge.net/project/shownotes.php?group_id=116930&release_id=514437 for more information.

If you are experiencing problems getting libjpam.so to load, try building it for 32-bit (i386) instead of 64-bit.

Dependencies:

  • Pam-devel
    • Install Pam-devel by running: up2date -i pam-devel

Installation Steps:

  1. Download the newest version of JPam for your architecture from http://sourceforge.net/project/showfiles.php?group_id=116930.
  2. Unpack the gzipped tar: tar xvfz JPam-Linux_i386-1.1.tgz
  3. Move into the JPam directory that was unpacked: cd JPam-1.1
  4. Unpack the src zip file: unzip JPam-1.1-src.zip
  5. Move into the java subdirectory of the newly expanded JPam directory: cd JPam-1.1/java/
  6. Compile JPam: javac -classpath /home/dmlserv/lib/commons-logging-1.1.jar net/sf/jpam/*.java net/sf/jpam/jaas/*.java
  7. Create a jar of JPam: jar cvf JPam-1.1.jar net/sf/jpam/* net/sf/jpam/jaas/*
  8. Copy this jar to the Variations library directory: cp JPam-1.1.jar /home/dmlserv/lib/
  9. Generate a C header file from the Pam java class: javah net.sf.jpam.Pam
  10. Copy the header file to the C src directory: cp net_sf_jpam_Pam.h ../c/
  11. Move into the C src directory: cd ../c/
  12. Compile the native JPam library: make <target>
    • The possible build targets are for different architectures and are listed in the makefile.
  13. If the jni and jni/Linux subdirectories do not exist, create them: mkdir -p /home/dmlserv/lib/jni/Linux
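  14. Copy libjpam.so to the jni library directory: cp libjpam.so /home/dmlserv/lib/jni/Linux/
  15. Edit and copy the appropriate config file to the system location (as root): cp ../config/Linux_x86/net-sf-jpam /etc/pam.d/variations
    • If using pam_unix, you will need to change /etc/shadow to be readable by the user executing JPam. That file holds the password hashes, so grant read access to that account only (for example through group ownership) and do not make it world-readable.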
    • There are a number of options under the config directory for different system architectures.
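
A pre-flight check for the last step, as an added example that is not part of JPam or Variations: it confirms that a PAM service file defines the auth and account groups JPam needs, and that a shadow file has not been opened to every local account. The function names are hypothetical and the sample service file is constructed.

```shell
#!/bin/sh
# Added example, not part of JPam or Variations.

# pam_types FILE: list the PAM management groups that have a rule in FILE.
# Reads FILE only; it does not follow "include" targets.
pam_types() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # blank lines and comments
        {
            t = $1
            sub(/^-/, "", t)               # "-auth" is the optional-module form
            if (t ~ /^(auth|account|password|session)$/) seen[t] = 1
        }
        END { for (t in seen) print t }
    ' "$1" | sort
}

# missing_for_jpam FILE: print each group JPam needs (auth, account) that
# FILE lacks. Empty output means the requirement is met.
missing_for_jpam() {
    have=$(pam_types "$1")
    for need in auth account; do
        printf '%s\n' "$have" | grep -qx "$need" || echo "$need"
    done
}

# world_readable FILE: succeed if "other" has the read bit. For /etc/shadow
# that would expose the password hashes to every local account.
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Constructed sample service file (pam_unix for both required groups).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#%PAM-1.0
auth       required   pam_unix.so
account    required   pam_unix.so
EOF
chmod 640 "$sample"
missing=$(missing_for_jpam "$sample")
echo "missing groups: ${missing:-none}"
if world_readable "$sample"; then echo "world-readable"; else echo "not world-readable"; fi
rm -f "$sample"
```

After step 15, call missing_for_jpam on /etc/pam.d/variations and world_readable on /etc/shadow. A service file that pulls its rules in through an include line is reported as missing those groups, because only the named file is read.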

JPam in Variations

To use the JPam authentication scheme, you need to include the following line in dmlserver.xml:

<AuthenticationScheme protocol="pam">iu.edu</AuthenticationScheme>

The realm specified in this AuthenticationScheme element is only used for constructing the Variations username and is not used within the pam authentication process.

Once the Variations server has been restarted with the pam authentication scheme added, clients can authenticate using it by changing dml.login.protocol to pam in dml.conf.

The modules used for JPam authentication are adjusted in /etc/pam.d/variations; the default is Unix authentication.