A PAM account module that evaluates HBAC rules stored on an IPA server.
Before using pam_hbac, please make sure you really need it. If possible, please use SSSD! pam_hbac is meant as a fall-back solution for platforms where SSSD can't be installed.
pam_hbac was tested on the following operating systems and releases:
- Linux: RHEL-5 and newer Red Hat based distributions. Ubuntu is used as a CI platform, but no functional testing was done there.
To build it, make sure the dependencies are installed. Apart from the usual build dependencies such as autotools, pkg-config or a compiler, the only required packages are the LDAP and PAM development libraries and a UTF-8 library. Currently libunistring and glib are supported as UTF-8 libraries, with glib being the default. In order to build man pages, the tool a2x is an optional build dependency.

The unit tests require the cmocka unit test framework as well as the nss_wrapper and pam_wrapper tools from the cwrap.org project.
Please see the pam_hbac(8) man page distributed along with pam_hbac for documentation on setting up the module itself. The module is also configured with a configuration file; its options are described in a separate man page, pam_hbac.conf(5).
This section describes how the PAM rules interact for clients that authenticate against the compat LDAP tree.
Obviously, you'll want to set up HBAC rules for the client machine pam_hbac runs on. In addition to that, the slapi-nis Directory Server plugin that runs on the IPA server itself also runs a PAM account check against the system-auth PAM service. In order to satisfy this second check, you also need to create a special system-auth HBAC service and allow access using this service for any users or groups that you want to allow access to clients running pam_hbac as well.

Please see doc/ipa/sch-ipa.txt from the slapi-nis tree for more information on how the compat tree works.
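The following script is an added example and not part of pam_hbac or slapi-nis: it shows the ipa(1) commands that create both rules described above, the ordinary rule for the client's own PAM service and the extra system-auth rule, plus an ipa hbactest check for each. It assumes the freeipa client tools and an admin Kerberos ticket (kinit admin); the host names, group name, PAM service name and rule names are constructed placeholders. Because the slapi-nis check runs on the IPA server, the system-auth rule here targets the server's own host, while the client rule targets the pam_hbac client. Setting IPA=echo prints the commands instead of running them, which is useful for reviewing what will be created.

```shell
#!/bin/sh
# Added example, not part of pam_hbac: ipa(1) commands that create the HBAC
# objects a pam_hbac client needs when it is served from the compat tree.
# Assumes the freeipa client tools and an admin Kerberos ticket (kinit admin).
# Host names, group and rule names are constructed placeholders.
# Setting IPA=echo previews the commands without talking to a server.
IPA="${IPA:-ipa}"

# setup_pam_hbac_access CLIENT_FQDN IPA_SERVER_FQDN GROUP PAM_SERVICE
# Creates two rules for GROUP:
#   allow_GROUP_PAM_SERVICE : the rule pam_hbac evaluates on the client
#   allow_GROUP_system_auth : satisfies the second check that the slapi-nis
#                             plugin runs on the IPA server as "system-auth"
setup_pam_hbac_access() {
    client="$1"; server="$2"; group="$3"; pamsvc="$4"

    # HBAC services; an "already exists" error is harmless here
    $IPA hbacsvc-add "$pamsvc" 2>/dev/null || true
    $IPA hbacsvc-add system-auth 2>/dev/null || true

    # Rule 1: the client machine's own PAM service
    rule="allow_${group}_${pamsvc}"
    $IPA hbacrule-add "$rule" || return 1
    $IPA hbacrule-add-host "$rule" --hosts="$client" || return 1
    $IPA hbacrule-add-user "$rule" --groups="$group" || return 1
    $IPA hbacrule-add-service "$rule" --hbacsvcs="$pamsvc" || return 1

    # Rule 2: the system-auth check slapi-nis performs on the IPA server
    rule="allow_${group}_system_auth"
    $IPA hbacrule-add "$rule" || return 1
    $IPA hbacrule-add-host "$rule" --hosts="$server" || return 1
    $IPA hbacrule-add-user "$rule" --groups="$group" || return 1
    $IPA hbacrule-add-service "$rule" --hbacsvcs=system-auth || return 1
}

# verify_pam_hbac_access USER CLIENT_FQDN IPA_SERVER_FQDN PAM_SERVICE
# Both checks must pass; if either is denied, the user will not get in on
# the pam_hbac client.
verify_pam_hbac_access() {
    user="$1"; client="$2"; server="$3"; pamsvc="$4"
    $IPA hbactest --user="$user" --host="$client" --service="$pamsvc" || return 1
    $IPA hbactest --user="$user" --host="$server" --service=system-auth || return 1
}

# Entry point: "setup ..." or "verify ..." with the arguments listed above
case "${1:-}" in
    setup)  shift; setup_pam_hbac_access "$@" ;;
    verify) shift; verify_pam_hbac_access "$@" ;;
esac
```

Run it as `sh hbac-setup.sh setup client.example.com ipa.example.com devs sshd` and then `sh hbac-setup.sh verify alice client.example.com ipa.example.com sshd`; the second hbactest is the one that reproduces the slapi-nis check, so a denial there explains a compat-tree login failure even when the client's own rule is correct.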
Please open a ticket if you encounter a bug or send a pull request with a contribution. For questions, you can use the freeipa-users mailing list.
Generated after every commit.
Coverity scans are run before releases only.