PAM authentication

Andrey Aksenov

Pluggable authentication modules (PAM) allow applications to use different authentication methods through a single interface. Instead of contacting each authentication system directly, applications ask PAM to authenticate users. This enables switching or combining authentication methods without modifying the application code.

Access to a Greengage DB cluster can be managed using PAM to integrate with an external authentication system. A common choice is an LDAP directory, such as a FreeIPA server, which allows Greengage DB to use existing organizational accounts. This topic describes how to configure PAM-based LDAP authentication in Greengage DB.

Prerequisites

The following hosts and IPA domain parameters are used to illustrate the integration of a Greengage DB cluster with a FreeIPA server:

  • Master host: FQDN — mdw.example.com, operating system — Ubuntu.

  • FreeIPA host: name — ipa.example.com, FQDN — ipa.example.com, operating system — RHEL or CentOS.

  • Realm: EXAMPLE.COM.

Replace the host names, fully qualified domain names (FQDNs), and the realm name to match your environment.

NOTE

Different operating systems provide different LDAP authentication modules for PAM. This guide uses the libpam-ldapd package to configure PAM-based LDAP authentication on a Greengage DB master host running Ubuntu. On RHEL and CentOS systems, the sssd service is typically used instead.

Set up the FreeIPA server

Log in to the FreeIPA host as a user with superuser privileges:

$ ssh sampleuser@ipa.example.com

In this example, the user name is sampleuser.

Install FreeIPA packages

To install FreeIPA packages, execute the following command:

$ sudo yum install ipa-server

Configure the FreeIPA server

Execute the command below to configure the FreeIPA server non-interactively:

$ sudo ipa-server-install \
  --unattended \
  --hostname=ipa.example.com \
  --domain=example.com \
  --realm=EXAMPLE.COM \
  --ds-password=87654321 \
  --admin-password=12345678

IMPORTANT

It is not recommended to specify passwords as plain text when setting up a FreeIPA server non-interactively: passwords given on the command line are recorded in the shell history and are visible to other users of the host in the process list while the command runs. As a safer alternative, you can load passwords from environment variables.

When the FreeIPA server configuration is finished, view the status of services using the ipactl status command:

$ sudo ipactl status

In particular, the output should show that the Directory, krb5kdc, and kadmin services are running:

Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING

Create a FreeIPA user

Authenticate as admin

The admin user is created automatically during the FreeIPA server installation and is used for administrative tasks. Authenticate as admin by running kinit:

$ kinit admin

When the following prompt is shown, enter the password specified in the --admin-password option during the FreeIPA server configuration:

Password for admin@EXAMPLE.COM:

Create a regular user

Create a regular FreeIPA user using the ipa user-add command:

$ ipa user-add alice \
  --first=Alice \
  --last=Johnson \
  --password

Enter the desired password and press Enter when these prompts are shown:

Password:
Enter Password again to verify:

The result should look as follows:

------------------
Added user "alice"
------------------
  User login: alice
  First name: Alice
  Last name: Johnson
  Full name: Alice Johnson
  Display name: Alice Johnson
  Initials: AJ
  Home directory: /home/alice
  GECOS: Alice Johnson
  Login shell: /bin/sh
  Principal name: alice@EXAMPLE.COM
  Principal alias: alice@EXAMPLE.COM
  User password expiration: 20250109101949Z
  Email address: alice@example.com
  UID: 1389000001
  GID: 1389000001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Set up the Greengage DB master

Install a PAM LDAP package

  1. Log in to the master host as a user with sudo privileges.

  2. Update the package index on your system:

    $ sudo apt update

  3. Install the libpam-ldapd package:

    $ sudo apt install libpam-ldapd

  4. During installation, several configuration dialog boxes appear. Specify the following required parameters:

    • LDAP server URI — the URI of the LDAP server, for example: ldap://ipa.example.com/.

    • LDAP server search base — the base DN for LDAP searches, for example: dc=example,dc=com.

    For all other dialog boxes, accept the default settings.

Configure nslcd

The nslcd daemon is installed as part of the libpam-ldapd package and provides NSS and PAM authentication services using LDAP. Configure nslcd to connect to your LDAP server so that PAM can authenticate Greengage DB users.

  1. Open the /etc/nslcd.conf configuration file for editing:

    $ sudo vi /etc/nslcd.conf

    An example configuration is shown below:

    # ...
    # The location at which the LDAP server(s) should be reachable.
    uri ldap://ipa.example.com/
    
    # The search base that will be used for all queries.
    base dc=example,dc=com
    # ...

    The values of the uri and base options are set automatically based on the information provided during the libpam-ldapd installation.

  2. If you modify the file, save your changes and restart the nslcd service:

    $ sudo systemctl restart nslcd

Create the PAM service configuration file

After configuring nslcd, create the /etc/pam.d/greengagedb file to define the PAM service for Greengage DB. This enables LDAP-based user authentication via PAM.

  1. Create the /etc/pam.d/greengagedb file:

    $ sudo vi /etc/pam.d/greengagedb

  2. Add the following lines to the file:

    auth        required      pam_ldap.so
    account     sufficient    pam_ldap.so

    Save and close the file.

Create Greengage DB roles

  1. Switch to the gpadmin user:

    $ sudo su - gpadmin

  2. Create the ldap_users Greengage DB role:

    $ createuser ldap_users --no-login

  3. Create the alice user and make it a member of the ldap_users group:

    $ createuser alice --role=ldap_users

    Note that the Greengage DB user name must match the FreeIPA user name: Greengage DB passes the database user name to PAM, which authenticates it against the LDAP directory.

Enable PAM authentication in Greengage DB

  1. Open the pg_hba.conf file for editing:

    $ vi $MASTER_DATA_DIRECTORY/pg_hba.conf

  2. Add the following line to this file:

    # connection-type  database  user         address  auth-method  auth-options
    host               postgres  +ldap_users  samenet  pam          pamservice=greengagedb

    This configuration lets users from the ldap_users group access the postgres database using PAM authentication (auth-method is pam). The pamservice option specifies the PAM service that Greengage DB should use, as defined previously in /etc/pam.d/greengagedb. Because the pam method needs the clear-text password to hand to PAM, the client sends it unencrypted over the connection unless SSL is enabled; use hostssl instead of host in this entry to require an encrypted connection.

  3. Reload the configuration to apply the changes:

    $ gpstop -u
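Before reloading the cluster, it is worth checking that the three files edited on the master (nslcd.conf, /etc/pam.d/greengagedb and pg_hba.conf) contain what the steps above expect, and that LDAP traffic from the master is not sent in the clear. The script below is an added example, not part of the Greengage DB documentation; it checks constructed sample files that mirror this guide's listings, and assumes the nslcd `ssl start_tls` option and the pg_hba `hostssl` keyword, both of which exist upstream.

```shell
#!/bin/sh
# Added example, not part of the Greengage DB docs: offline sanity checks for
# the three files this guide edits. The sample contents below are constructed
# from the guide's own listings; pass the real paths to check a host.

# 0 if nslcd reaches the IPA server over TLS (ldaps:// URI or the nslcd
# "ssl start_tls" option); 1 if LDAP traffic, including the password that
# pam_ldap binds with, would leave the master in clear text.
nslcd_uses_tls() {  # $1 = nslcd.conf
    grep -Eq '^[[:space:]]*uri[[:space:]]+ldaps://' "$1" && return 0
    grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls' "$1" && return 0
    return 1
}

# 0 if the PAM service file carries the auth and account lines the guide adds.
pam_service_ok() {  # $1 = /etc/pam.d/<service>
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_ldap\.so' "$1" &&
    grep -Eq '^[[:space:]]*account[[:space:]]+(sufficient|required)[[:space:]]+pam_ldap\.so' "$1"
}

# 0 if pg_hba.conf has an uncommented host/hostssl entry for the role (or
# +group) that uses the pam method and names the given PAM service.
pg_hba_pam_ok() {  # $1 = pg_hba.conf, $2 = role, $3 = PAM service name
    awk -v role="$2" -v svc="$3" '
        $1 ~ /^#/ || NF < 6 { next }
        ($1 == "host" || $1 == "hostssl") && $3 == role && $5 == "pam" &&
            $6 == "pamservice=" svc { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Constructed sample files mirroring the guide (ldap://, so the TLS check fails).
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'uri ldap://ipa.example.com/' 'base dc=example,dc=com' \
    > "$SAMPLE_DIR/nslcd.conf"
printf '%s\n' 'auth        required      pam_ldap.so' \
    'account     sufficient    pam_ldap.so' > "$SAMPLE_DIR/greengagedb"
printf '%s\n' '# connection-type  database  user  address  auth-method  auth-options' \
    'host  postgres  +ldap_users  samenet  pam  pamservice=greengagedb' \
    > "$SAMPLE_DIR/pg_hba.conf"

if nslcd_uses_tls "$SAMPLE_DIR/nslcd.conf"; then echo "nslcd: TLS in use"
else echo "nslcd: WARNING, plain ldap:// in use; switch to ldaps:// or 'ssl start_tls'"; fi
if pam_service_ok "$SAMPLE_DIR/greengagedb"; then echo "pam.d: ok"; else echo "pam.d: missing lines"; fi
if pg_hba_pam_ok "$SAMPLE_DIR/pg_hba.conf" +ldap_users greengagedb; then echo "pg_hba: ok"
else echo "pg_hba: no pam entry for +ldap_users"; fi
```

Run it on the master after editing the files, replacing the sample paths with /etc/nslcd.conf, /etc/pam.d/greengagedb and $MASTER_DATA_DIRECTORY/pg_hba.conf.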

Connect to a database

This section describes connecting to a database protected by PAM authentication using psql. Perform the following steps on the master host.

  1. Connect to the default postgres database under the alice role using psql:

    $ psql postgres -U alice -h mdw.example.com

  2. Enter the password for the alice FreeIPA user and press Enter:

    Password for user alice:

    The output should look like this:

    psql (9.4.26)
    Type "help" for help.
    
    postgres=>

  3. Select the current user name:

    SELECT current_user;

    The command should return the following:

     current_user
    ---------------
     alice