MapR 5.0 Documentation : PAM Configuration

MapR uses Pluggable Authentication Modules (PAM) for password verification in a variety of places. Make sure PAM is installed and configured on the node running the mapr-webserver or other components that will use PAM to verify passwords.

There are typically several PAM modules (profiles), configurable via configuration files in the /etc/pam.d/ directory. Any component verifying user passwords tries the following three profiles in order:

  1. sudo (/etc/pam.d/sudo)
  2. sshd (/etc/pam.d/sshd)
  3. mapr-admin (If you have created the /etc/pam.d/mapr-admin profile and the component checks beyond the first two profiles.)

The profile configuration file (for example, /etc/pam.d/sudo) should contain an entry corresponding to the authentication scheme used by your system. For example, if you are using the simplest form of local OS authentication, check for an entry similar to the following (consult your Unix system administrator if you are uncertain):

auth    sufficient  # For local OS Auth

Configuring PAM to Use LDAP

To configure PAM with LDAP:

  1. Verify that each MapR user ID has the auxiliary schema posixAccount.
  2. Verify that each group ID has the auxiliary schema posixGroup.
  3. Install the appropriate PAM packages:
    • On Ubuntu, sudo apt-get install libpam-ldapd
    • On Redhat/Centos, sudo yum install pam_ldap

Configuring PAM to Use Kerberos

To configure PAM with Kerberos:

  1. Install the krb5 packages and configure the Kerberos client as per the configuration for your environment.
  2. Install the appropriate PAM packages:
    • On Redhat/Centos, sudo yum install pam_krb5
    • On Ubuntu, sudo apt-get install -krb5

Creating a Custom mapr-admin Profile for PAM

If you wish to ensure that MapR uses a MapR-unique PAM configuration, you can:

  • Leave the /etc/pam.d/sudo file as is - MapR strongly recommends against manually editing the /etc/pam.d/sudo file.

  • Create your own PAM profile in /etc/pam.d, naming it mapr-admin 

  • Manually edit mapr.login.conf and other ecosystem component configuration files to use mapr-admin only.

Example /etc/pam.d/mapr-admin File

Below are some simple examples of entries that might work in mapr-admin, or in another PAM profile you choose to edit, in close consultation with your Linux administrator.

account     required
account     sufficient uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore]
account     required

auth    sufficient nullok_secure
auth    requisite uid >= 1000 quiet
auth    sufficient use_first_pass
auth    required

password    sufficient md5 obscure min=4 max=8 nullok
password    sufficient
password    required

session     required
session     required
session     optional
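
An added example, not MapR's code: a small auditor for a profile such as /etc/pam.d/mapr-admin that parses each entry, including the bracketed control form shown above, and flags incomplete lines, a missing auth entry, empty-password options on auth lines, and MD5 password hashing. The function names are hypothetical, and the module names in the constructed sample are assumptions, since the example above does not show them.

```python
import re

# type, control (keyword or [value=action ...]), module, optional arguments
ENTRY = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_profile(text):
    """Parse one /etc/pam.d file; return (entries, malformed line numbers)."""
    entries, malformed = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):  # Debian/Ubuntu include directive
            entries.append({"line": n, "type": "include", "module": line.split()[-1], "args": []})
            continue
        m = ENTRY.match(line)
        if m is None:
            malformed.append(n)
            continue
        kind, control, module, args = m.groups()
        entries.append({"line": n, "type": kind, "control": control,
                        "module": module, "args": args.split()})
    return entries, malformed

def audit(text):
    """Return findings for one profile as a list of strings."""
    entries, malformed = parse_profile(text)
    findings = [f"line {n}: not 'type control module [args]'" for n in malformed]
    if not any(e["type"] in ("auth", "include") for e in entries):
        findings.append("no auth entry in this profile")
    for e in entries:
        if e["type"] == "auth" and {"nullok", "nullok_secure"} & set(e["args"]):
            findings.append(f"line {e['line']}: {e['module']} may accept an empty password")
        if e["type"] == "password" and "md5" in e["args"]:
            findings.append(f"line {e['line']}: new passwords hashed with MD5")
    return findings

# Constructed sample; the module names are assumptions, not taken from the page.
SAMPLE = """\
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
auth     sufficient pam_unix.so nullok_secure
auth     sufficient pam_ldap.so use_first_pass
auth     required   pam_deny.so
password sufficient pam_unix.so md5 obscure min=4 max=8 nullok
session  required
"""
if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To check a real profile, pass the file's contents to audit(), for example audit(open("/etc/pam.d/mapr-admin").read()).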

The sections Configuring PAM to Use LDAP and Configuring PAM to Use Kerberos provide information about configuring PAM to work with LDAP or Kerberos.

The file /etc/pam.d/sudo should be modified only with care and only when absolutely necessary.

Component-Specific PAM Configurations

Some ecosystem components have unique requirements that require setup of a component-specific PAM configuration. See the Ecosystem Guide section for the component.