
Tutorial: Manage the PAM Authentication Method from the Command-line Interface

Abstract

Use this tutorial to manage PAM as an Access Server authentication method from the command-line interface.

Overview

Use this tutorial to find the necessary commands to manage PAM authentication for Access Server.

In PAM authentication mode, usernames and passwords are stored in the operating system. User-specific properties are stored in the user_prop.db database file. After creating a user in the operating system and setting a password, you must add the user to Access Server, either in the Admin Web UI from the Users page or from the command-line interface. You must add each user to the “User Permissions” table and set user-specific properties such as auto-login, group assignment, and static IP.

The user can sign in once the same username exists in both Access Server and the operating system. Access Server looks up this user in the user permissions table and automatically applies the user-specific properties specified. If you notice that properties aren't applied, ensure the name is correct. The username in PAM is the authoritative one.

Important

The username lookup is case-sensitive. For a username in the operating system, “justin”, you must use “justin” in User Permissions or the command line to set user-specific properties. By default, most Linux operating systems prefer that you use lowercase usernames. It is best to adhere to this in PAM authentication mode.

You need console access and the ability to get root privileges. Below are some basic commands to manage PAM user accounts and credentials.

  • Set authentication mode to PAM:

    sacli --key "auth.module.type" --value "pam" ConfigPut
    sacli start

  • Add a new user from scratch:

    adduser <USER_NAME>
    sacli --user <USER_NAME> --key "type" --value "user_connect" UserPropPut

  • Set password for an existing user in PAM authentication mode:

    passwd <USER_NAME>

  • Remove a user from both PAM and Access Server:

    deluser <USER_NAME>
    sacli --user <USER_OR_GROUP> UserPropDelAll
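
Because the lookup is case-sensitive, a name entered as “Maria” in User Permissions never picks up properties for the operating system account “maria”, and a user removed with deluser can leave properties behind. The script below is an added example, not part of the Access Server documentation: it compares a list of Access Server usernames against a passwd-format file and flags both cases. The function names, the one-name-per-line input format, and the sample data are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not an Access Server tool).
# Usage: check_pam_usernames PASSWD_FILE AS_USERS_FILE
#   PASSWD_FILE    passwd-format file (name is the first ':' field)
#   AS_USERS_FILE  Access Server usernames, one per line
# Prints one line per Access Server username:
#   OK <name>              exact, case-sensitive match with an OS account
#   CASE <name> <os_name>  differs only by letter case; properties will not apply
#   MISSING <name>         no OS account; leftover properties or a typo
check_pam_usernames() {
    awk -F: '
        FILENAME == ARGV[1] {            # first file: collect OS account names
            exact[$1] = 1
            lower[tolower($1)] = $1
            next
        }
        $0 == "" { next }                # skip blank lines in the username list
        {
            if ($0 in exact)
                print "OK " $0
            else if (tolower($0) in lower)
                print "CASE " $0 " " lower[tolower($0)]
            else
                print "MISSING " $0
        }
    ' "$1" "$2"
}

# Constructed sample data, not taken from a real system.
run_sample() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'justin:x:1001:1001::/home/justin:/bin/bash' \
        'maria:x:1002:1002::/home/maria:/bin/bash' > "$tmp/passwd"
    printf '%s\n' 'justin' 'Maria' 'olduser' > "$tmp/as_users"
    check_pam_usernames "$tmp/passwd" "$tmp/as_users"
    rm -rf "$tmp"
}

run_sample
```

On a live host, the first argument can be a file produced with `getent passwd`, so accounts from every configured name service are included.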

For more information, refer to Tutorial: user and group properties CLI.