GUI Authentication with PAM
SPS for Linux now leverages the Pluggable Authentication Module (PAM) provided in the Linux Standard Base (LSB). SPS no longer uses its private password file once located in /opt/LifeKeeper/website/passwd. Instead, users are identified and authenticated against the system’s PAM configuration. Privilege levels are determined from group membership as provided through PAM.
In order to access the GUI, a user must be a member in one of the three LifeKeeper groups: lkadmin, lkoper or lkguest. Membership in these groups should be set by the system administrator using whatever technique is appropriate for the type of user account database that is being used throughout the cluster.
These three LifeKeeper groups provide three different sets of permissions (see Permissions Table).
- Users with Administrator permission (lkadmin) throughout a cluster can perform all possible actions through the GUI.
- Users with Operator permission (lkoper) on a server can view LifeKeeper configuration and status information and can bring resources into service and take them out of service on that server.
- Users with Guest permission (lkguest) on a server can view LifeKeeper configuration and status information on that server.
During installation of the GUI package, the root user on the system is automatically added to the lkadmin group in the system’s local group database allowing root to perform all LifeKeeper tasks on that server via the GUI application or web client. If you plan to allow users other than root to use LifeKeeper GUI clients, then these LifeKeeper GUI users will need to be configured by adding them to the appropriate group.
If PAM is configured to use a non-local database such as NIS, LDAP or AD, then the system administrator must ensure that the accounts are correctly configured in those databases. The groups listed above must exist and users who are allowed to log into the LifeKeeper GUI must be a member of one of these groups. These groups should be created in the remote database only and they should be removed from the local /etc/group file.
If any system in the cluster is using an LK GUI password other than the system’s ‘root’ password, the LK GUI login will fail. Once the root passwords are the same on each system in the cluster, the LK GUI login for ‘root’ will succeed.
The best practice is to always grant permissions on a cluster-wide basis. It is possible to grant permissions on a single-server basis, but that is confusing to users and makes it impossible to perform administrative tasks.
Post your comment on this topic.