Tutorial: Manage the PAM Authentication Method from the Command-line Interface
Use this tutorial to manage PAM as an Access Server authentication method from the command-line interface.
Overview
Use this tutorial to find the commands necessary to manage the PAM authentication method for Access Server.
In PAM authentication mode, user accounts and passwords are stored in the operating system. User-specific properties are stored in the user_prop.db database file. After you create a user in the operating system and set a password, you must add the user to Access Server, either in the Admin Web UI under User Management or from the command-line interface. You must add each user to the “User Permissions” table and set user-specific properties such as auto-login, group assignment, and static IP.
The user can sign in once the same username exists in both Access Server and the operating system. Access Server looks up this user in User Permissions and automatically applies the specified user-specific properties. If you notice that properties aren't applied, ensure the name is correct. The username as it exists in PAM is the authoritative one.
Important
The username lookup is case-sensitive. For a username in the operating system, “justin”, you must use “justin” in User Permissions or command line to set user-specific properties. By default, most Linux operating systems prefer that you use lowercase usernames. It is best to adhere to this in PAM authentication mode.
Below are some basic commands to manage PAM user accounts and credentials.
The following commands require that you connect directly to your server with root privileges and run them from /usr/local/openvpn_as/scripts/.
Set authentication mode to PAM:
./sacli --key "auth.module.type" --value "pam" ConfigPut
./sacli start
Add a new user from scratch:
adduser <USER_NAME>
./sacli --user <USER_NAME> --key "type" --value "user_connect" UserPropPut
Set password for an existing user in PAM authentication mode:
passwd <USER_NAME>
Remove a user from both PAM and Access Server:
deluser <USER_NAME>
./sacli --user <USER_OR_GROUP> UserPropDelAll
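The case-sensitive lookup and the two-step removal above can both leave User Permissions records that match no operating-system account. The following script is an added example, not part of the original tutorial or of Access Server itself; it flags both cases from two name lists. Assumptions: each list is a file with one name per line (the OS list could come from getent passwd | cut -d: -f1, the other from the user records in User Permissions), and the sample names are constructed.

```shell
#!/bin/sh
# Added example: compare Access Server User Permissions names with OS accounts.
# Input format (one name per line in each file) is an assumption of this sketch.

# audit_names OS_FILE AS_FILE
#   Prints "CASE <as_name> <os_name>" when a record differs from an OS account
#   only by letter case (its properties will not be applied at sign-in), and
#   "ORPHAN <as_name>" when no OS account matches at all (for example after
#   deluser without UserPropDelAll). AS_FILE should list user records only.
audit_names() {
    awk '
        FILENAME == ARGV[1] { exact[$0] = 1; folded[tolower($0)] = $0; next }
        $0 == ""            { next }   # ignore blank lines
        /^__.*__$/          { next }   # assumption: skip internal records such as __DEFAULT__
        ($0 in exact)       { next }   # exact, case-sensitive match: nothing to report
        (tolower($0) in folded) { print "CASE " $0 " " folded[tolower($0)]; next }
        { print "ORPHAN " $0 }
    ' "$1" "$2"
}

# demo: run the audit over constructed sample names.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' root justin maria > "$tmp/os"                 # constructed OS accounts
    printf '%s\n' __DEFAULT__ justin Maria olduser > "$tmp/as"  # constructed AS records
    audit_names "$tmp/os" "$tmp/as"
    rm -rf "$tmp"
}

demo
```

A CASE line means the record should be recreated under the exact operating-system spelling; an ORPHAN line means the record should be reviewed and, if the account is gone, removed with UserPropDelAll.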
For more information, refer to Managing user and group properties from command line.