---
title: Configuring Linux PAM authentication
description: PAM-based authentication provides the flexibility to authenticate administrators using existing authentication servers, such as your organization's Lightweight Directory Access Protocol (LDAP) directory. When PAM authentication is active, ASE logs the identity of the user executing each CLI command. This provides a user-specific audit trail of administrative access to the ASE system.
component: pingintelligence
version: 5.2
page_id: pingintelligence:pingintelligence_reference_guide:pingintelligence_configuring_linux_pam_authentication
canonical_url: https://docs.pingidentity.com/pingintelligence/5.2/pingintelligence_reference_guide/pingintelligence_configuring_linux_pam_authentication.html
revdate: May 6, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  example: Example:
  example-2: Example:
---

# Configuring Linux PAM authentication

## About this task

PAM-based authentication provides the flexibility to authenticate administrators using existing authentication servers, such as your organization's Lightweight Directory Access Protocol (LDAP) *(tooltip: \<div class="paragraph">
\<p>An open, cross platform protocol used for interacting with directory services.\</p>
\</div>)* directory. When PAM authentication is active, ASE logs the identity of the user executing each CLI command. This provides a user-specific audit trail of administrative access to the ASE system.

## Steps

* To activate PAM-based authentication, configure `auth_method` in `ase.conf` as `pam::<service>,`where `<service>` is the script that the PAM module reads to authenticate the users.

  |   |                                                                                                                                       |
  | - | ------------------------------------------------------------------------------------------------------------------------------------- |
  |   | Service scripts include `login, su, ldap,` etc. For example, the `login` script allows all system users administrative access to ASE. |

* To support PAM authentication with the `login` script, update the `auth_method` configuration values in `ase.conf`:

  ```
  auth_method=pam::login
  ```

  ### Example:

  The following is an example using the CLI to change from Native to PAM authentication with `login` script:

  ```
  /opt/pingidentity/ase/bin/cli.sh update_auth_method pam::login -u admin -p
   <password>
  ```

  |   |                                                                                                                                                                      |
  | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  |   | Make sure that the script name provided for PAM-based authentication is the correct one. If a wrong file name is provided, ASE administrators are locked out of ASE. |

* To write your own PAM module script, add a custom script, such as `ldap`, that defines PAM's behavior for user authentication to the `/etc/pam.d` directory.

* To set the authentication method and use the `ldap` script, run the following command:

  ```
  /opt/pingidentity/ase/bin/cli.sh update_auth_method pam::ldap -u admin -p
   <password>
  ```

  ### Example:

  In the following example, the PAM module uses the organization's LDAP server to authenticate users.

  ```
  root@localhost:/# cat /etc/pam.d/ldap
  auth   sufficient   pam_ldap.so     # Authenticate with LDAP server.
  #auth  sufficient   pam_permit.so   # Allow everyone. Pass-through mode.
  #auth  sufficient   pam_deny.so     # Disallow everyone. Block all access.
  ```