
PAM Access Control

Configuring PAM to Use Stanford's Directory Service

The use of Pluggable Authentication Modules was first described by Sun Microsystems in 1995. The specification added an abstraction layer to Unix authentication that allows multiple authentication sources to be used to control access to the system.

At Stanford the central authentication service is Kerberos. Setting up a system to use the Kerberos service is straightforward, but Kerberos does not provide authorization services. In other words, Kerberos provides assurance that a user is who they claim to be, but does not provide any information about whether the user has access to a resource or not. This document describes configuring PAM to use Kerberos and LDAP to control access to systems with Kerberos authentication and Stanford Workgroup Authorization on Red Hat and Debian systems.

On Debian systems the libpam-ldapd and libnss-ldapd packages support pulling account information from an LDAP server using Kerberos credentials. This makes the setup for Debian/Ubuntu systems straightforward. See Configuring Debian PAM/NSS to Use LDAP for step-by-step instructions.
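The following nslcd.conf fragment is an added illustration of the Debian setup just described; it is not taken from the Stanford step-by-step page. The directory host, base DN, realm and the group DN used for Workgroup Authorization are placeholders, and the Kerberos credential cache that nslcd binds with is assumed to be kept fresh by a separate keytab-based process outside this file.

```conf
# /etc/nslcd.conf (example; hostnames, DNs and realm are placeholders)
uid nslcd
gid nslcd

# Central directory service, reached over TLS so the account data is not readable in transit
uri ldap://ldap.example.edu/
base dc=example,dc=edu
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# Bind to the directory with Kerberos credentials instead of a password in this file.
# The credential cache below is assumed to be maintained by an external keytab renewal
# process (e.g. a k5start-style daemon running under the nslcd user).
sasl_mech GSSAPI
sasl_realm EXAMPLE.EDU
krb5_ccname /var/run/nslcd/nslcd.tkt

# Authorization: Kerberos only proves identity, so the login decision is made here.
# nslcd evaluates this filter for pam_ldap.so "account" checks; a user who
# authenticates but is not a member of the workgroup is refused.
# The memberOf attribute and the group DN are assumptions about the directory schema.
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(memberOf=cn=workgroup-sysadmins,ou=groups,dc=example,dc=edu))
```

For the filter to take effect, the PAM account stack (for example `/etc/pam.d/common-account` on Debian) must include `account required pam_ldap.so`; the auth stack can then use pam_krb5 for the password check while the LDAP lookup alone decides whether the authenticated user is allowed onto the host.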

On Red Hat systems the PAM/NSS LDAP packages do not support Kerberos binds to the directory. The simplest way to work around this problem is to install a local OpenLDAP proxy server which makes the Kerberos bind to the central directory service and allows anonymous binds to the proxy for local clients. See Configuring Red Hat PAM/NSS to Use LDAP for step-by-step instructions.
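The slapd.conf fragment below is an added example of the local proxy arrangement described above; it is not the configuration from the Stanford Red Hat page. It uses the OpenLDAP back-ldap backend so that the proxy, not the client, holds the Kerberos identity. The directory host and suffix are placeholders, and the proxy's own credential cache is assumed to be maintained by an external keytab renewal process and handed to slapd through the `KRB5CCNAME` environment variable.

```conf
# /etc/openldap/slapd.conf (example; proxy-only instance, suffix and host are placeholders)
include  /etc/openldap/schema/core.schema
include  /etc/openldap/schema/cosine.schema
include  /etc/openldap/schema/nis.schema
pidfile  /var/run/openldap/slapd.pid

# Forward everything under the suffix to the central directory service
database ldap
suffix   "dc=example,dc=edu"
uri      "ldap://ldap.example.edu/"

# The proxy authenticates to the central directory with its own Kerberos
# service principal (GSSAPI); the credential cache is assumed to be renewed
# externally and exported to slapd via KRB5CCNAME.
idassert-bind bindmethod=sasl saslmech=GSSAPI mode=none
idassert-authzFrom "*"

# Local clients bind anonymously to the proxy; never re-bind upstream as the
# client, since the client has no Kerberos credentials of its own.
rebind-as-user no
```

The proxy should listen only on the loopback interface (for example by starting slapd with `-h ldap://127.0.0.1/`), since anyone who can reach it can read the directory with the proxy's privileges. The nss_ldap and pam_ldap client configuration on the host then points at `ldap://127.0.0.1/` with no bind credentials, and the only Kerberos secret on the machine is the proxy's keytab.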

Note that querying the central directory service for entries in a specific Workgroup requires approval from the Data Owners. See Requesting Access for instructions on the access request process.

Last modified December 9, 2015