How to configure PAM to authenticate against NIS

Asked by Hiteshbhai on 2012-11-13

How can I use the PAM plugin to authenticate against a NIS server?

Question information

Language: English
Status: Solved
For: PHPDevShell
Assignee: No assignee
Solved by: Hiteshbhai
Solved: 2012-11-20
Last query: 2012-11-20
Last reply: 2012-11-14

Greg (gregfr) said : #1

Hello

As far as I know, there's no PAM plugin. Is your question related to PHPDevShell?

greg

Hiteshbhai (hiteshbhai-patel) said : #2

Hi Greg,
  We are using the PluggableAuth module, which has an AUTH_ldap class to go against LDAP, but I couldn't find anything for NIS.

Hiteshbhai (hiteshbhai-patel) said : #3

Thanks,
 we got it working using the Pluggable Authentication Module (PAM).

Greg (gregfr) said : #4

That's great! How did you do it? Would you consider contributing your code to the project?

Hiteshbhai (hiteshbhai-patel) said : #5

Greg,
  Here is a brief description of the entire setup.

Step 1: Install and configure the Linux-PAM module.

   Underneath, we used the Linux-PAM module. In short, PAM provides an abstraction over the authentication mechanism.

   Here is how to install and configure PAM:

      http://www.linuxdocs.org/HOWTOs/User-Authentication-HOWTO/x101.html

   You can configure it to use local, NIS or LDAP to authenticate.

Step 2: Install and configure the php-pam module to integrate with Linux-PAM.

   http://pecl.php.net/package/PAM

   Add the php.ini config entries below (the extension value is the path to your installed pam.so lib):

      pam.servicename=php
      extension=/usr/lib64/php/modules/pam.so

   Create the /etc/pam.d/php file and add the entries below:

      #%PAM-1.0
      auth required pam_unix.so

Step 3: From PHP you can use the method below to authenticate.

      $error = "";            // receives the PAM status message on failure
      $checkacctmgmt = false; // skip the PAM account-management check

      $result = pam_auth($username, $password, $error, $checkacctmgmt);

   With respect to phpdevshell/PluggableAuth, it's very similar to AUTH_ldap.class.php; just use the method above to authenticate.

  Issues:
     Although the above method works, there are some issues with it. In some Linux versions, with respect to NIS, the request should go to the NIS server as the root user.
     With the Apache HTTP server the problem is that you cannot run Apache as root; it runs as apache, which requires some kind of modification at the NIS server. Or the machine running Apache should be configured as a NIS slave server, and Apache should send requests to the local NIS slave server.

     Also, in order to authenticate against the local /etc/passwd, 'apache' should be added to the /etc/shadow 'shadow' group.
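
One way to wrap the Step 3 call so it fails closed, as an added example that is not part of the original post or PHPDevShell's own code. The function name `pam_login()`, the username pattern and the password length limit are assumptions made for illustration.

```php
<?php
// Added example: pam_login() is a hypothetical helper, not a PHPDevShell API.

/**
 * Check a username/password pair through the PECL PAM extension.
 * Returns [bool $ok, string $reason]; PAM's own status text is only logged.
 */
function pam_login(string $username, string $password, bool $checkAcctMgmt = false): array
{
    // Fail closed if pam.so is not loaded (the extension= line in php.ini).
    if (!function_exists('pam_auth')) {
        return [false, 'pam extension not loaded'];
    }
    // Assumed policy: conservative account names only. \A and \z are used
    // because "$" would also accept a trailing newline, which could then
    // reach PAM and the log line below.
    if (!preg_match('/\A[a-z_][a-z0-9_.-]{0,31}\z/', $username)) {
        return [false, 'invalid username'];
    }
    // Assumed policy: reject empty or oversized passwords before calling PAM.
    if ($password === '' || strlen($password) > 1024) {
        return [false, 'invalid password length'];
    }

    $status = '';
    // The service name comes from pam.servicename=php, i.e. /etc/pam.d/php.
    // $checkAcctMgmt defaults to false as in the post; turning it on makes
    // PAM run its account stack too, so /etc/pam.d/php then needs an
    // "account" rule in addition to the "auth" rule.
    $ok = pam_auth($username, $password, $status, $checkAcctMgmt);

    if (!$ok) {
        // Keep the detailed reason server-side; never log the password.
        error_log(sprintf('pam_auth failed for user "%s": %s', $username, $status));
        return [false, 'authentication failed'];
    }
    return [true, 'ok'];
}

// Constructed sample input; on a host without this account it prints "denied".
[$ok, $reason] = pam_login('alice', 'not-a-real-password');
echo $ok ? "authenticated\n" : "denied: $reason\n";
```

The caller gets one generic failure reason for bad credentials, while the PAM status string goes only to the server error log.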

Greg (gregfr) said : #6

Thanks!