PAMAuthentificator

Description

The PAMAuthentificator is responsible for user authentication and for mapping user names to user meta data. For user - password authentication the cell may use PAM, an external program or password files in /etc/shadow syntax. For user meta data mapping the cell supports NIS, LDAP, /etc/passwd like files and a user provided class.

Startup sequence

  create diskCacheV111.admin.PAMAuthentificator pam \
            "default \
             -syspassword=<fullPath to sys password file> \
             -dcachepassword=<fullPath to dcache password file> \
             -users=<user map method> \
             -provider=<user metadata provider> \
             -external=<Full path of binary> \
             -service=<PAM service name> \
             <OPTIONS>"

Options

Option          Class           Values               Description
syspassword     Authentication  Full filepath        Local file name providing /etc/shadow syntax
dcachepassword  Authentication  Full filepath        Local file name providing /etc/shadow syntax
service         Authentication  Name of PAM service  -
external        Authentication  Full filepath        Full path of binary doing the authentication
provider        User Mapping    FQ classname         Class name of the user mapping provider
users           User Mapping    Mapping method       Access method file|nis|ldap|class:
                                                       file:<FullPathName>
                                                       nis:<nisServer URL>
                                                       class:<userMappingClass>

PAM Authentication

To make use of PAM authentication the cell expects to find the libpam4java.so shared object in the /.../d-cache/lib directory. The service option specifies the PAM service to use for authentication. If not specified, dcache will be used. If loading of the shared object fails, if using the PAM mechanism fails for any other reason, or if the user - password pair doesn't match according to the chosen PAM service, the cell will silently switch to password file authentication.
PAM and External Authentication are mutually exclusive.

External Authentication

If the external option points to an executable script or binary, the cell assumes that the authentication should be done by this external program instead of using the PAM mechanism. The external program is started and terminated together with the cell. For each authentication request the cell sends the following line to the standard input of the external program:
    check <serviceName> <userName> <Password>
The external program is expected to return the string true or false depending on whether the password match succeeds or fails. PAM and External Authentication are mutually exclusive.
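The following is an added example of such an external program, written for this page and not part of dCache. It reads the check lines described above from standard input and answers true or false, one answer per line. The credential store, the salt and the service name dcache are constructed for the demo; a real program would consult its own backend. Two details matter for a program that sits on the other end of this protocol: the line is space separated, so the password is taken as everything after the third token rather than the third token alone, and each answer is flushed immediately, because the cell blocks until it arrives. Anything malformed, or a request for a service the program was not configured for, gets false.

```python
import hashlib
import hmac
import sys

# Constructed credential store for the demo: user -> (salt, PBKDF2-SHA256 of the password).
# Hypothetical; only the protocol handling is the point. Plaintext passwords are never
# stored or written anywhere.
_SALT = b"constructed-salt"


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


CREDENTIALS = {
    "alice": (_SALT, _derive("correct horse", _SALT)),
}

# Constructed: the PAM service name the cell was started with (-service=..., default dcache).
EXPECTED_SERVICE = "dcache"


def verify(user: str, password: str) -> bool:
    """Constant-time check of one user/password pair against the demo store."""
    entry = CREDENTIALS.get(user)
    if entry is None:
        _derive(password, _SALT)  # spend the same effort for unknown users
        return False
    salt, expected = entry
    return hmac.compare_digest(_derive(password, salt), expected)


def handle_line(line: str, verify_fn=verify, service: str = EXPECTED_SERVICE) -> str:
    """Answer one 'check <serviceName> <userName> <Password>' line with 'true' or 'false'.

    Anything that does not look like a well-formed request is answered 'false'.
    """
    line = line.rstrip("\r\n")
    # maxsplit=3 keeps a password containing spaces intact as the fourth field.
    parts = line.split(" ", 3)
    if len(parts) != 4 or parts[0] != "check":
        return "false"
    _, svc, user, password = parts
    if svc != service or not user or not password:
        return "false"
    return "true" if verify_fn(user, password) else "false"


def serve(stdin=sys.stdin, stdout=sys.stdout) -> None:
    """Run until the cell closes our stdin; the cell starts and stops us together with itself."""
    for line in stdin:
        stdout.write(handle_line(line) + "\n")
        stdout.flush()  # the cell waits for each answer; a buffered reply would hang it


if __name__ == "__main__":
    serve()
```

Pointing the external option at this file (made executable, with a suitable interpreter line) is all that is needed on the cell side; the cell never sees how the password is verified, only the true/false answer.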

Password file Authentication

In case the PAM or External Authentication fails for whatever reason, the cell silently switches to Password File Authentication. The cell supports two different password files, the syspassword and the dcachepassword file.
The syspassword file is checked first. If the user is found and the password matches, access is granted. If the user exists and the password doesn't match, access is denied. If the user is not found in the syspassword file the cell switches to the dcachepassword file. There is no need to specify both password files if not required.

Currently we don't support md5 encrypted passwords.
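The lookup order described above, as an added example that is not dCache code: the syspassword file is consulted first, and the decision is final for any user it lists, so a user present in both files is granted or denied on the syspassword entry alone and never falls through to the dcachepassword file. Only a user absent from the first file reaches the second. The two sample files are constructed in /etc/shadow syntax (user:hash:lastchg:min:max:warn:inactive:expire:reserved); to keep the example runnable without the platform crypt(3) routine, their hash field uses a demo scheme $demo$<salt>$<sha256hex> rather than real crypt(3) hashes, and the matching function is pluggable so a crypt(3) verifier can be swapped in. The example also treats an empty hash field and the usual locked markers ! and * as "no password login", which a shadow-syntax reader should do.

```python
import hashlib
import hmac
from typing import Callable, Dict

# Demo hash scheme, constructed for this example only. Real password files for the cell
# carry crypt(3) hashes (and, per the page, not MD5 ones).
def demo_hash(password: str, salt: str) -> str:
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return f"$demo${salt}${digest}"


def demo_matches(stored: str, password: str) -> bool:
    """Pluggable matcher: recompute the demo hash with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "demo":
        return False
    return hmac.compare_digest(demo_hash(password, parts[2]), stored)


# Constructed sample files in /etc/shadow syntax; only the first two fields matter here.
SYSPASSWORD = "\n".join([
    "# constructed syspassword file",
    "root:" + demo_hash("r00tpw", "s1") + ":16000:0:99999:7:::",
    "alice:" + demo_hash("alice-pw", "s2") + ":16000:0:99999:7:::",
    "locked:!" + demo_hash("x", "s3") + ":16000:0:99999:7:::",  # locked account
    "nopw::16000:0:99999:7:::",                                   # empty hash field
])
DCACHEPASSWORD = "\n".join([
    "alice:" + demo_hash("other-pw", "s4") + ":16000:0:99999:7:::",  # never reached: alice is in syspassword
    "bob:" + demo_hash("bob-pw", "s5") + ":16000:0:99999:7:::",
])


def parse_shadow(text: str) -> Dict[str, str]:
    """Map user -> hash field, skipping blank, comment and malformed lines; first entry wins."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            continue
        entries.setdefault(fields[0], fields[1])
    return entries


def check_entry(stored: str, password: str, matches: Callable[[str, str], bool]) -> bool:
    # An empty field or a leading '!' / '*' means the account cannot log in with a password.
    if not stored or stored[0] in "!*":
        return False
    return matches(stored, password)


def authenticate(user: str, password: str, syspassword: str, dcachepassword: str,
                 matches: Callable[[str, str], bool] = demo_matches) -> str:
    """Return 'granted', 'denied' or 'unknown' following the two-file lookup order."""
    for text in (syspassword, dcachepassword):
        entries = parse_shadow(text)
        if user in entries:
            # The first file that knows the user decides; a mismatch does not fall through.
            return "granted" if check_entry(entries[user], password, matches) else "denied"
    return "unknown"


if __name__ == "__main__":
    for who, pw in [("alice", "alice-pw"), ("alice", "other-pw"), ("bob", "bob-pw"), ("carol", "x")]:
        print(who, authenticate(who, pw, SYSPASSWORD, DCACHEPASSWORD))
```

The "unknown" outcome is reported separately only to make the order visible; an unknown user is of course denied as well.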

User Meta data queries

The cell resolves usernames into user meta data (uid, gid, home directory and shell). It is able to use NIS, LDAP, /etc/passwd like files and an external class.
The settings for the various provider types are those of the users option described above. In case of a user provided class, this class needs to implement the diskCacheV111.admin.UserMetaDataProvider interface. In addition, this class must at least provide a constructor with the signature <init>( CellAdapter cell ). See diskCacheV111.admin.UserMetaDataProviderExample for details.

Command set

Command                                                 Description                                     Provider Type
check auth <username> <password>                        checks user authentication mechanism            *
check meta <username>                                   gets user meta data                             *

user map ls                                             lists all cached user mappings                  NIS
user map remove <username>                              removes a user from the user mapping cache      NIS
user map reset                                          removes all users from the user mapping cache   NIS
user map add <userName> <uid> <gid> [<home> [<shell>]]  adds a user to the user mapping cache           NIS

Examples

Example 1

   create diskCacheV111.admin.PAMAuthentificator pam \
           "default  \
            -syspassword=/etc/shadow  \
            -dcachepassword=${config}/passwd \
            -users=nis://nisserv6.desy.de/desy.afs"

Example 2

   create diskCacheV111.admin.PAMAuthentificator pam \
           "default  \
            -syspassword=/etc/shadow  \
            -dcachepassword=/usr/d-cache/passwd \
            -users=file:/etc/passwd"

Example 3

   create diskCacheV111.admin.PAMAuthentificator pam \
           "default  \
            -syspassword=/etc/shadow  \
            -dcachepassword=/usr/d-cache/passwd \
            -users=class:diskCacheV111.admin.UserMetaDataProviderExample"


Author : Patrick Fuhrmann (Patrick.Fuhrmann@desy.de) $Id: m-PAMAuthentificator.html,v 1.1 2005/04/29 12:39:00 patrick Exp $