Add PAM Authentication

PAM can be used to authenticate users to OnDemand, for example if users only exist in /etc/passwd and /etc/shadow.

  1. Install the Apache PAM module

    sudo yum install mod_authnz_pam
  2. RHEL/CentOS 7 only Copy PAM module into SCL Apache’s modules directory

    sudo cp /usr/lib64/httpd/modules/ /opt/rh/httpd24/root/usr/lib64/httpd/modules/
  3. Enable the PAM Apache module

    RHEL/CentOS 7:

    sudo echo "LoadModule authnz_pam_module modules/" > /opt/rh/httpd24/root/etc/httpd/conf.modules.d/55-authnz_pam.conf

    RHEL/CentOS 8:

    sudo echo "LoadModule authnz_pam_module modules/" > /etc/httpd/conf.modules.d/55-authnz_pam.conf
  4. Set the necessary PAM service. For simplicity you can start by copying SSH PAM service

    sudo cp /etc/pam.d/sshd /etc/pam.d/ood
  5. Allow the Apache user to read /etc/shadow.

    sudo chmod 640 /etc/shadow
    sudo chgrp apache /etc/shadow
  6. Update /etc/ood/config/ood_portal.yml to use PAM authentication

      - 'AuthType Basic'
      - 'AuthName "Open OnDemand"'
      - 'AuthBasicProvider PAM'
      - 'AuthPAMService ood'
      - 'Require valid-user'
    # Capture system user name from authenticated user name
    user_map_cmd: "/opt/ood/ood_auth_map/bin/ood_auth_map.regex"
  7. Apply modifications to the /etc/ood/config/ood_portal.yml

    sudo /opt/ood/ood-portal-generator/sbin/update_ood_portal