AIX supports it's own two LDAP attributes, per user: one which lists hosts where the user is allowed to login, and another of hosts where he is forbidden to.
Solaris has just one, for allowed hosts.
Both are unmaintanable messes per user, not the elegancy of FreeIPA's HBAC controls, they both miss the concept of flexible control of user access to hosts and services.
This is just a simple PAM module that aims to implement FreeIPA's HBAC for systems that don't support it, like AIX and Solaris, or for systems that want to support it without a full FreeIPA client stack.
The logo is a play with the concept of plugging in the missing piece.
Building the PAM module
To build, either use the build scripts or use these commands:
./configure --prefix=/usr make sudo make install
Building in AIX is a very long story, checkout the rpm SPEC. One used to need to build a lot of dependencies before it could work, but the usual source of RPMS for AIX seems to have had some recent love fixing most of the issues.
You can check sample.pam included for more details about configuring the module, but it's a bit like this:
cat <<EOF > /etc/pam.d/ipahbac_test account required pam_ipahbac.so blameGetOpt -u YourSysAccount -b dc=your,dc=domain -P /etc/ldap.secret -l ldaps://ldap1/,ldaps://ldap2/.. EOF
- blameGetOpt is only needed in GNU/Linux and AIX as getopt is expecting argv to be the command. Not needed in Solaris, it works differently there. (Why use getopt?... well... why have the trouble of parsing options myself?)
-d levelis optional, the debug level (use a value greater than zero, although currently only has one debug level)
-D domainis optional, and used to create the FQDN if the hostname is the short version (eg, a.b.c).
-b BASEis mandatory, the IPA domain base (eg dc=a,dc=b,dc=c)
-U USERis mandatory, the first form derives to an IPA sysaccount while the second one to a normal user, thus only the uid value is needed, the rest is derived from the base
-P pathis mandatory, as you'll need the sysaccount's password. The second form reads the whole first line of bytes as the password, including newline if present
-l LDAPSERVERSis mandatory, and comprised of a comma separated list of LDAP servers. Use URI's in GNU/Linux and AIX, host:port in Solaris. TLS is expected and required.
-k pathis mandatory in Solaris and AIX; it's the path to the NSSDB that OpenLDAP (or gskit with IDSLDAP in AIX) is using.
-K pathis optional in AIX (if you use password stash with the keydb) and not really needed in Solaris; it's the path to a file containing only (no new line) the password to open the gskit kdb
-x pathis an optional file with a line separated list of users who will be immediately accepted (useful for root and functional accounts).
|Fedora 23||Done||Just for fun, not really needed on modern IPA-ready native systems|
|Solaris 11.3||Done||Remember to compile in 64 and 32 bits...|
|7.1 TL5SP4||Done||Remember to compile in 64 and 32 bits...|
I found these resources especially helpful.
Beat Gammit's Simple PAM
I forked Beat Gammit's simple example as basis for start. You can find it here: https://github.com/beatgammit/simple-pam
These guides give brief overviews about PAM and how to write modules. This is useful if you already have a little knowledge.
- Oreilly's Writing PAM Modules, parts One * Two and Three
- 2-factor authentication & writing PAM modules
The whole project is licensed under the GNU GPL version 2 or later. test.c is licensed under MIT since most of it's original code remains. If none remains after sometime, this alert will be removed.
Aditionally, you're allowed to link with Solaris and AIX's PAM libraries.