Native and Pluggable Authentication Modules (PAM) authentication - PingIntelligence for APIs

Native and Pluggable Authentication Modules (PAM) authentication - PingIntelligence for APIs - 5.2

PingIntelligence

bundle

pingintelligence-52

ft:publication_title

PingIntelligence

Product_Version_ce

PingIntelligence for APIs 5.2 (Latest)

Configuring ASE native authentication

By default, ASE uses native ASE authentication which ships with the system. Each user can run CLI commands by including the shared username and password with each command. The system ships with a default username (admin) and password (admin).

Important:

Always change the default password using the update_password command. For more information on ASE commands, see Appendix A.

To configure ase.conf to support native authentication, use the default configuration values:
```
auth_method=ase::db
```
To change the authentication from native authentication to PAM mode, enter the following command in ASE command line:

Note:
In the example, login is a PAM script used for authentication.
```
/opt/pingidentity/ase/bin/cli.sh update_auth_method pam::login -u admin -p 
<password>
```
To switch from PAM mode authentication back to native authentication, issue the following CLI command:
```
/opt/pingidentity/ase/bin/cli.sh update_auth_method ase::db -u <pam_user> -p 
<password>
```
The following is an example of a CLI command with native authentication (-u,-p) enabled:
```
/opt/pingidentity/ase/bin/cli.sh add_server -u admin -p 
<password>
```

Configuring Linux PAM authentication

PAM-based authentication provides the flexibility to authenticate administrators using existing authentication servers, such as your organization’s LDAP directory. When PAM authentication is active, ASE logs the identity of the user executing each CLI command. This provides a user-specific audit trail of administrative access to the ASE system.

To activate PAM-based authentication, configure auth_method in ase.conf as pam::<service>,where <service> is the script that the PAM module reads to authenticate the users.

Note:
Service scripts include login, su, ldap, etc. For example, the login script allows all system users administrative access to ASE.
To support PAM authentication with the login script, update the auth_method configuration values in ase.conf:
```
auth_method=pam::login
```
The following is an example using the CLI to change from Native to PAM authentication with login script:
```
/opt/pingidentity/ase/bin/cli.sh update_auth_method pam::login -u admin -p 
<password>
```
Warning:
Make sure that the script name provided for PAM-based authentication is the correct one. If a wrong file name is provided, ASE administrators are locked out of ASE.
To write your own PAM module script, add a custom script, such as ldap, that defines PAM’s behavior for user authentication to the /etc/pam.d directory.

To set the authentication method and use the ldap script, run the following command:

/opt/pingidentity/ase/bin/cli.sh update_auth_method pam::ldap -u admin -p 
<password>

In the following example, the PAM module uses the organization’s LDAP server to authenticate users.

root@localhost:/# cat /etc/pam.d/ldap
auth   sufficient   pam_ldap.so     # Authenticate with LDAP server.
#auth  sufficient   pam_permit.so   # Allow everyone. Pass-through mode.
#auth  sufficient   pam_deny.so     # Disallow everyone. Block all access.

Recovering ASE from unavailable pam.d script

When an invalid script name is entered while changing to PAM authentication, the PAM module defaults to etc/pam.d/others for authentication. This makes ASE inaccessible to administrators. If this happens, you must recover ASE.

To recover ASE:

Copy etc/pam.d/login to etc/pam.d/other.

ASE will use the credentials in etc/pam.d/login to authenticate administrators.
After signing back on to ASE, change the authentication method to use the correct file name.

Note:
Copying the contents of etc/pam.d/login to etc/pam.d/other does not require a restart of ASE or the host operating system.