Pluggable Authentication Modules (PAM) support
Recent changes RSS feed
 
Trace: » Xiaoka Wiki » Jabber Transports » jabberd2 Releases » Crux » Xeno » People involved in jabberd2 project » jabberd2 development » Features » Frequently Asked Questions » Pluggable Authentication Modules (PAM) support
Table of Contents

Pluggable Authentication Modules (PAM) support

In order to get jabberd authenticate users via PAM you need to ./configure –enable-pam and configure PAM section in c2s.xml.

Jabberd uses /etc/pam.d/jabberd service with PAM authentication backend.

If you do authentication via /etc/shadow passwords, c2s needs to run as root to get access to shadow file. If you do not want that, you may alternatively use ./configure –enable-pipe with jabberd-authpipe-pam.pl script running as root.

Most PAM mechanizms store passwords in hashed format, so c2s needs to get plaintext passwords from users, to recreate the hash for comparison. You need to disable all non plain auth mechanizms in c2s.xml, leaving only <plain/> in traditional and SASL sections.

Checklist

  1. –enable-pam + c2s running as root
  2. –enable-pipe + jabberd-authpipe-pam.pl running as root
  3. only <plain/> authentication enabled in c2s.xml
  4. proper PAM modules configured in /etc/pam.d/jabberd

Realm

c2s.local.id attribute realm is used to configure how jabberd creates usernames for PAM authentication 

<id realm='some.org'>localhost</id>
  • no realm defined - the domainname is attached to username, resulting: username@localhost
  • realm defined - the realm is attached to username, resulting: username@some.org
  • empty realm ”” defined - nothing is attached tu username, resulting: username
 
jabberd2/pam.txt · Last modified: 2009/06/10 17:19 by Tomasz Sterna
 
Except where otherwise noted, content on this wiki is licensed under the following license:CC Attribution-Noncommercial-No Derivative Works 3.0 Unported