MapR 5.0 Documentation : PAM Configuration

MapR uses Pluggable Authentication Modules (PAM) for password verification in a variety of places. Make sure PAM is installed and configured on the node running the mapr-webserver or other components that will use PAM to verify passwords.

There are typically several PAM modules (profiles), configurable via configuration files in the /etc/pam.d/ directory. Any component verifying user passwords tries the following three profiles in order:

  1. sudo (/etc/pam.d/sudo)
  2. sshd (/etc/pam.d/sshd)
  3. mapr-admin (If you have created the /etc/pam.d/mapr-admin profile and the component checks beyond the first two profiles.)

The profile configuration file (for example, /etc/pam.d/sudo) should contain an entry corresponding to the authentication scheme used by your system. For example, if you are using the simplest form of local OS authentication, check for an entry similar to the following - consult with your Unix system administrator if you are uncertain:

auth    sufficient      pam_unix.so  # For local OS Auth

Configuring PAM to Use LDAP

To configure PAM with LDAP:

  1. Verify that each MapR user ID has the auxiliary schema posixAccount.
  2. Verify that each group ID has the auxiliary schema posixGroup.
  3. Install the appropriate PAM packages:
    • On Ubuntu, sudo apt-get install libpam-ldapd
    • On Redhat/Centos, sudo yum install pam_ldap

Configuring PAM to Use Kerberos

To configure PAM with Kerberos:

  1. Install the krb5 packages and configure the Kerberos client as per the configuration for your environment.
  2. Install the appropriate PAM packages:
    • On Redhat/Centos, sudo yum install pam_krb5
    • On Ubuntu, sudo apt-get install libpam-krb5

Creating a Custom mapr-admin Profile for PAM

If you wish to ensure that MapR uses a MapR-unique PAM configuration, you can:

  • Leave the /etc/pam.d/sudo file as is - MapR strongly recommends against manually editing the /etc/pam.d/sudo file.

  • Create your own PAM profile in /etc/pam.d, naming it mapr-admin 

  • Manually edit mapr.login.conf and other ecosystem component configuration files to use mapr-admin only.

Example /etc/pam.d/mapr-admin File

Below are some simple examples of entries that might work in the mapr-admin profile, or in another PAM profile you choose to edit. Settle the final contents in close consultation with your Linux administrator.

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

auth    sufficient      pam_unix.so nullok_secure
auth    requisite       pam_succeed_if.so uid >= 1000 quiet
auth    sufficient      pam_ldap.so use_first_pass
auth    required        pam_deny.so

password    sufficient    pam_unix.so md5 obscure min=4 max=8 nullok try_first_pass
password    sufficient    pam_ldap.so
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_ldap.so
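
An added example, not part of the MapR documentation: a small Python parser that reads a PAM profile such as the one above and flags pam_unix.so options that weaken password handling (nullok, nullok_secure, md5, a short min=). SAMPLE_PROFILE is constructed from the auth and password lines above, and MIN_LENGTH is an assumed policy threshold, not a MapR value.

```python
import re

# Constructed sample: the auth and password stacks from the example profile.
SAMPLE_PROFILE = """\
auth    sufficient      pam_unix.so nullok_secure
auth    requisite       pam_succeed_if.so uid >= 1000 quiet
auth    sufficient      pam_ldap.so use_first_pass
auth    required        pam_deny.so
password    sufficient    pam_unix.so md5 obscure min=4 max=8 nullok \\
    try_first_pass
password    sufficient    pam_ldap.so
password    required      pam_deny.so
"""

# type, control (a keyword or a [value=action ...] block), module, arguments
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
MIN_LENGTH = 8  # assumed policy threshold, not taken from the page


def parse_profile(text):
    """Return (type, control, module, [args]) tuples, joining '\\' continuations."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = RULE.match(line)
        if m:
            rules.append((m[1].lstrip("-"), m[2], m[3], m[4].split()))
    return rules


def audit(rules):
    """Flag pam_unix.so arguments that weaken password verification or storage."""
    findings = []
    for kind, _control, module, args in rules:
        if module != "pam_unix.so":
            continue
        for arg in args:
            if arg in ("nullok", "nullok_secure"):
                findings.append(f"{kind}: {arg} permits accounts with empty passwords")
            elif arg == "md5":
                findings.append(f"{kind}: md5 stores new passwords with a weak hash")
            elif arg.startswith("min=") and arg[4:].isdigit() and int(arg[4:]) < MIN_LENGTH:
                findings.append(f"{kind}: {arg} is below the assumed minimum {MIN_LENGTH}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_profile(SAMPLE_PROFILE)):
        print(finding)
```

To check a real profile, pass the text of /etc/pam.d/mapr-admin to parse_profile(). Include directives that pull in other profiles are not followed.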

The following sections provide information about configuring PAM to work with LDAP or Kerberos.

The file /etc/pam.d/sudo should be modified only with care and only when absolutely necessary.

Component-Specific PAM Configurations

Some ecosystem components have unique requirements that require setup of a component-specific PAM configuration. See the Ecosystem Guide section for the component.