CA Identity Manager - 12.6.5

Password Synchronization on UNIX and Linux

Last update August 9, 2017

CA Identity Manager can intercept an account's password change on a UNIX or Linux system, and propagate it to all other accounts associated with its Global User. The component used to authenticate passwords against external security systems is called Pluggable Authentication Module (PAM). With PAM, CA Identity Manager authenticates passwords against external security systems so that global users can use their existing system passwords to log on to CA Identity Manager.

UNIX Password Synchronization

A password synchronization module is provided that detects password change events through the UNIX PAM framework. The UNIX Password Synchronization module notifies the Provisioning Server of a password change. The Provisioning Server finds the associated Global User, and propagates changes to other related accounts automatically.

The UNIX operating systems that support the PAM framework include:

  • AIX v5.3 on Power platform with PAM enabled
  • HP-UX v11.00 on a PA-RISC platform, and Itanium® 2 platforms
  • Solaris v2.6 and higher on Sparc and Intel platforms
  • 32-bit Linux with glibc v2.2 and higher on s390 or Intel i386 platform

    Note: For Linux platforms, the test_sync binary must be on the PATH for all users, but only its owner, root, should have execute permission on it.

    To add this library to the path for all users, include this command in the global /etc/bashrc file:

    export PATH=$PATH:/etc/pam_CA_eta
    

How UNIX PAM Works

The following process describes the UNIX PAM feature's functions:

  1. A UNIX user's password is to be changed for one of the following reasons:
    • Decision of the user.
    • The user is forced to change the password by system settings or manual intervention.
    • The user's password is changed by an administrator.
  2. The new password is submitted to the PAM framework password service.
  3. The PAM framework's password service invokes the PAM library to update the local UNIX security files.
  4. The PAM framework's password service invokes the UNIX password synchronization module (pam_CA_eta) to notify the Provisioning Server of the password change.
  5. The Provisioning Server updates the password of the associated Global User and all accounts associated with the Global User.

Requirements for Using UNIX Password Synchronization

The requirements for using the UNIX Password Synchronization feature are the following:

  • The UNIX Password Synchronization agent must be installed on the UNIX system on which you want to detect password changes.
  • The UNIX Remote agent and CAM must be installed on the UNIX system on which the UNIX Password Synchronization agent resides.
  • The system must be managed as an acquired endpoint. The Password Synchronization agent is installed check box must be selected on the acquired endpoint's properties.
  • The accounts on the managed systems must be explored and correlated to global users.
  • The environment must allow password changes to come from endpoint accounts. An administrator with access to the Management Console enables this feature.

Install the UNIX PAM Feature

Perform the following procedure to install UNIX PAM.

To install the UNIX PAM feature

  1. Select the package file that corresponds to your UNIX platform:

     UNIX Operating System    Package File Name
     HP-UX v11 PA-RISC        pam_CA_eta-1.1.HPUX.tar.Z
     HP-UX Itanium2           pam_CA_eta1.1HPUX-IA64.tar.Z
     AIX v5.3 Power           pam_CA_eta-1.1.AIX.tar.Z
     Solaris Sparc            pam_CA_eta-1.1.Solaris.tar.Z
     Solaris Intel            pam_CA_eta-1.1.SolarisIntel.tar.Z
     Linux x86                pam_CA_eta-1.1.Linux.tar.gz
     Linux s390               pam_CA_eta-1.1.LinuxS390.tar.gz

  2. Transfer the chosen package file to a temporary folder (/tmp) on the UNIX server using FTP in binary mode, or any other file transfer tool that supports binary files. A sample transfer session might appear as follows:

    W:\Pam>ftp user01
    Connected to user01.company.com.
    220 user01 FTP server (Version 1.2.3.4) ready.
    User (user01.company.com:(none)): root
    331 Password required for root.
    Password:
    230 User root logged in.
    ftp> cd /tmp
    250 CWD command successful.
    ftp> bin
    200 Type set to I.
    ftp> put pam_CA_eta-1.1.HPUX.tar.Z
    200 PORT command successful.
    150 Opening BINARY mode data connection for pam_CA_eta-1.1.HPUX.tar.Z.
    226 Transfer complete.
    ftp: 117562 bytes sent in 0,09Seconds 1306,24Kbytes/sec.
    ftp> quit
    
  3. Log on as the root user on the UNIX server and extract the package file:

    # cd /tmp
    # zcat pam_CA_eta-1.1.<platform>.tar.Z | tar -xf -
    

    On Linux, use the command:

    # tar -xzf pam_CA_eta-1.1.<platform-hardware>.tar.gz
    
  4. Copy the configuration and TLS files to the default configuration folder:

    # cd pam_CA_eta-1.1
    # mv pam_CA_eta /etc
    
  5. Copy the pam_CA_eta module to the security libraries folder.

    On AIX, use the command:

    # cp -p pam_CA_eta.o /usr/lib/security/
    

    On HP-UX, use the command:

    # cp -p libpam_CA_eta.1 /usr/lib/security/
    

    On HP-UX Itanium2, use the command:

    # cp -p libpam_CA_eta.1 /usr/lib/security/hpux32
    

    On Linux i386 or s390, use the command:

    # cp -p pam_CA_eta.so /lib/security/
    

    On Solaris Sparc or Intel, use the command:

    # cp -p pam_CA_eta.so /usr/lib/security/
    
  6. (Optional) Copy the testing programs (the second command targets /lib/security or /usr/lib/security, whichever holds the PAM modules on your platform):

    # cp -p test_* /etc/pam_CA_eta
    # cp -p pam_test* (/usr)/lib/security/
    

Update the Endpoint in the User Console

In the User Console, update the endpoint to indicate that the agent is installed.

Follow these steps:

  1. Log in to the User Console.
  2. Search for the endpoint with the agent installed.
  3. Click the Endpoint Settings tab.
  4. Select the Password Synchronization Agent Installed check box.

Enable an Environment for Password Synchronization

After you install the Password Synchronization Agent, you enable the environment to receive password changes that are made on the endpoints. For this task, an administrator needs access to the Management Console and CA Directory to enable the environment to accept these changes.

Follow these steps:

  1. For new users, you use the Management Console as follows:
    1. Select the environment.
    2. Click Advanced Settings, Provisioning.
    3. Select the Enable Password Changes from Endpoint Accounts check box.
  2. For existing users, set the eTPropagatePassword attribute to 1 in CA Directory.

Configuring the UNIX Password Synchronization Feature

Configuring the UNIX Password Synchronization feature involves setting parameters in the following files:

  • /etc/pam_CA_eta/pam_CA_eta.conf
  • /etc/pam.conf

Important! Because the password of a highly-privileged user is stored in the pam_CA_eta.conf configuration file, that file must be readable only by the root account. Note that the file settings in the package file include owner=root and mode=500, and that the -p switch of the cp command preserves them during installation.

Configure the pam_CA_eta.conf File

Perform the following procedure to configure the pam_CA_eta.conf file.

To configure the pam_CA_eta.conf file

  1. Navigate to the /etc/pam_CA_eta folder.
  2. Edit the pam_CA_eta.conf file. This configuration file contains its own documentation.

    #
    #	CA - <idmgr>
    #
    #	pam_CA_eta.conf
    #
    #	Configuration file for the Unix PAM password module "pam_CA_eta"
    #
    # keyword: server
    # description: the <idmgr> LDAP server primary and optional alternate server hostname
    # value: a valid hostname and an optional server
    # default: no default
    server ETA_SERVER ALT_SERVER
    #
    # keyword: port
    # description: the numeric TCP/IP port number of the <idmgr> LDAP server
    # value: a valid TCP/IP port number
    # default: 20390
    # port 20390
    
    # keyword: use-tls
    # description: does it use the secured LDAP over TLS protocol ?
    # value: yes or no
    # default: yes
    # use-tls yes
    # keyword: time-limit
    # description: the maximum time in seconds to wait for the end of an LDAP operation.
    # value: a numeric value of seconds
    # default: 300
    # time-limit 300
    
    # keyword: remote-server
    # description: identifies whether on premise or cloud Identity Manager 
    #              server is used.
    #              Cloud based server is accessed by proxying the requests 
    #              through the on-premise CS, requiring use of remote-server 
    #              set to 'yes'.
    # value: yes or no
    # default: no
    # remote-server no
    # keyword: size-limit
    # description: the maximum number of entries returned by the <idmgr> server
    # value: a numeric value
    # default: 100
    # size-limit 100
    
    # keyword: root
    # description: the root DN of the <idmgr> server
    # value: a valid DN string
    # default: dc=eta
    # root dc=eta
    
    # keyword: domain
    # description: the name of the <idmgr> domain
    # value: a string
    # default: im
    # domain	im
    
    # keyword: user
    # description: the <idmgr> Global User name used to bind to the <idmgr> server
    # value: a valid Global User name string
    # default: etaadmin
    # user etaadmin
    
    # keyword: password
    # description: the clear-text password of the "binding" <idmgr> Global User
    # value: the password of the above Global User
    # default: no default
    password SECRET
    
    # keyword: directory-type
    # description: the <idmgr> Unix Endpoint type of this Unix server
    # value: ETC or NIS
    # default: ETC
    # endpoint-type ETC
    
    # keyword: endpoint-name
    # description: the <idmgr> Unix Endpoint name of this Unix server
    # value: a valid Unix Endpoint name string
    # default:
    # ETC: the result of the "hostname" command (ie: gethostname() system call)
    # NIS: "domain [hostname]" where "domain" is the result of the "domainname" command
    #  (ie: getdomainname() system call) and "hostname" the result of the "hostname"
    #    command (ie: gethostname() system call)
    # endpoint-name dirname
    
    # keyword: tls-cacert-file
    # description: the name of the <idmgr> CA certificate file
    # value: a valid full path file name
    # default: /etc/pam_CA_eta/et2_cacert.pem
    # tls-cacert-file /etc/pam_CA_eta/et2_cacert.pem
    
    # keyword: tls-cert-file
    # description: the name of the <idmgr> client certificate file
    # value: a valid full path file name
    # default: /etc/pam_CA_eta/eta2_clientcert.pem
    # tls-cert-file /etc/pam_CA_eta/eta2_clientcert.pem
    
    # keyword: tls-key-file
    # description: the name of the <idmgr> client private key file
    # value: a valid full path file name
    # default: /etc/pam_CA_eta/eta2_clientkey.pem
    # tls-key-file /etc/pam_CA_eta/eta2_clientkey.pem
    
    # keyword: tls-random-file
    # description: the name of the "pseudo random number generator" seed file
    # value: a valid full path file name
    # default: /etc/pam_CA_eta/prng_seed
    # tls-random-file /etc/pam_CA_eta/prng_seed
    
    # keyword: use-status
    # description: this module will exit with a non-zero status code in case of failure.
    # value: yes or no
    # default: no
    # use-status no
    
    # keyword: verbose
    # description: this module will display informational or error messages to the user.
    # value: yes or no
    # default: yes
    # verbose yes
    
Note: The server, domain and password parameters do not have a default value and need to be updated.

Configure the pam.conf File

The /etc/pam.conf file is the main PAM configuration file. You must edit the file to insert a line in the password service stack. On some Linux systems, the pam.conf file is replaced with /etc/pam.d, so you will need to edit the /etc/pam.d/system-auth file.

To configure the pam.conf file

  1. Navigate to the /etc directory, or /etc/pam.d directory if you are configuring the PAM module on an appropriate Linux system.
  2. Edit the pam.conf file to insert a Password Synchronization line in the password service stack. For platform-specific configurations, see the examples that follow:
    passwd password required /usr/lib/security/pam_unix.so
    passwd password optional /usr/lib/security/pam_CA_eta.so
  3. (Optional) Add any of the following parameters on the pam_CA_eta module line:
    • config=/path/file
      Indicates the location of an alternate configuration file.
    • syslog
      Sends error and informational messages to the local syslog service.
    • trace
      Generates a trace file for each password update operation. The trace files are named /tmp/pam_CA_eta-trace.<nnnn> where <nnnn> is the PID number of the password process.
  4. Implement the following platform-specific configuration changes:
    For AIX systems, add the following lines at the bottom of the /etc/pam.conf file:

    #
    # <idmgr> Unix Password Synchronization
    #
    login   password  optional    /usr/lib/security/pam_CA_eta.so syslog
    passwd  password  optional    /usr/lib/security/pam_CA_eta.so syslog 
    rlogin  password  optional    /usr/lib/security/pam_CA_eta.so syslog 
    su      password  optional    /usr/lib/security/pam_CA_eta.so syslog 
    telnet  password  optional    /usr/lib/security/pam_CA_eta.so syslog 
    sshd    password  optional    /usr/lib/security/pam_CA_eta.so syslog 
    OTHER   password  optional    /usr/lib/security/pam_CA_eta.so syslog 
    

    For HP-UX systems, add the following lines at the bottom of the /etc/pam.conf file:

    #
    # <idmgr> Unix Password Synchronization
    #
    login    password optional    /usr/lib/security/libpam_CA_eta.1 syslog
    passwd   password optional    /usr/lib/security/libpam_CA_eta.1 syslog
    dtlogin  password optional    /usr/lib/security/libpam_CA_eta.1 syslog
    dtaction password optional    /usr/lib/security/libpam_CA_eta.1 syslog
    OTHER    password optional    /usr/lib/security/libpam_CA_eta.1 syslog
    

    For HP-UX Itanium2, add the following lines at the bottom of the /etc/pam.conf file:

    #
    # <idmgr> Unix Password Synchronization
    #
    login    password optional    /usr/lib/security/$ISA/libpam_CA_eta.1 syslog
    passwd   password optional    /usr/lib/security/$ISA/libpam_CA_eta.1 syslog
    dtlogin  password optional    /usr/lib/security/$ISA/libpam_CA_eta.1 syslog
    dtaction password optional    /usr/lib/security/$ISA/libpam_CA_eta.1 syslog
    OTHER    password optional    /usr/lib/security/$ISA/libpam_CA_eta.1 syslog
    

    For Sun Solaris systems, add the pam_CA_eta line after the existing pam_unix line:

    #
    # Password management
    #
    other   password required       /usr/lib/security/pam_unix.so.1
    other   password optional       /usr/lib/security/pam_CA_eta.so syslog
    

    For Linux systems, add the pam_CA_eta line between the existing pam_cracklib and pam_unix lines:

    password    required     /lib/security/pam_cracklib.so retry=3 type=
    password    optional     /lib/security/pam_CA_eta.so syslog
    password    sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow
    password    required     /lib/security/pam_deny.so
    
  5. For AIX systems, edit the /etc/security/login.cfg file to set auth_type = PAM_AUTH. This enables the PAM framework, which is not enabled by default. This is a run-time setting so you do not have to reboot the system for it to take effect.
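A pre-flight check for the two files configured above, written here as an added example (it is not part of the pam_CA_eta package and does not replace test_config): check_conf verifies the ownership, mode and mandatory keywords of pam_CA_eta.conf, and check_stack verifies the control flag and placement of the pam_CA_eta line in a pam.conf or pam.d file. The ORDER argument (before for the Linux layout, after for the Solaris layout) follows the platform examples above; the OWNER argument, the sample values and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the CA Identity Manager package.
# Assumes POSIX sh, awk and find.

# check_conf FILE [OWNER]
# Returns 1 if FILE is not owned by OWNER (default root), is readable by group
# or others (the file holds a clear-text privileged password; the package
# ships it as mode 500), or if a keyword without a default (server, domain,
# password) is unset or still carries the shipped placeholder value.
check_conf() {
    f=$1; owner=${2:-root}; rc=0
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    [ -n "$(find "$f" -user "$owner")" ] || { echo "$f: owner is not $owner"; rc=1; }
    [ -z "$(find "$f" \( -perm -g+r -o -perm -o+r \))" ] \
        || { echo "$f: readable by group/other, expected mode 500"; rc=1; }
    for kw in server domain password; do
        # comment lines start with '#', so $1 never matches a keyword there
        val=$(awk -v k="$kw" '$1 == k { print $2; exit }' "$f")
        case "$val" in
            "") echo "$f: keyword '$kw' is not set"; rc=1 ;;
            ETA_SERVER|SECRET) echo "$f: '$kw' still has placeholder $val"; rc=1 ;;
        esac
    done
    return $rc
}

# check_stack FILE ORDER
# FILE is /etc/pam.conf (service type control module ...) or a /etc/pam.d
# file (type control module ...). ORDER is "before" (pam_CA_eta precedes
# pam_unix, Linux layout) or "after" (it follows pam_unix, Solaris layout).
# Returns 1 if pam_CA_eta is absent from the password stack, is not
# 'optional' (so a failure to reach the Provisioning Server cannot block the
# local password change), or sits on the wrong side of pam_unix.
check_stack() {
    awk -v order="$2" -v f="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        {
            # locate the "password" type column (column 1 or 2 depending on layout)
            for (i = 1; i <= NF && $i != "password"; i++) { }
            if (i > NF) next
            ctl = $(i + 1); mod = $(i + 2)
            if (mod ~ /pam_CA_eta/) { eta = NR; if (ctl != "optional") bad = ctl }
            else if (mod ~ /pam_unix/) unix_ = NR
        }
        END {
            if (!eta) { print f ": pam_CA_eta missing from password stack"; exit 1 }
            if (bad)  { print f ": pam_CA_eta control is " bad ", expected optional"; exit 1 }
            if (order == "before" && unix_ && eta > unix_) { print f ": pam_CA_eta must precede pam_unix"; exit 1 }
            if (order == "after"  && unix_ && eta < unix_) { print f ": pam_CA_eta must follow pam_unix"; exit 1 }
            exit 0
        }' "$1"
}
```

Run it as root on the endpoint, e.g. `check_conf /etc/pam_CA_eta/pam_CA_eta.conf && check_stack /etc/pam.d/system-auth before`, before moving on to test_config and test_ldap.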

Troubleshooting UNIX Password Synchronization

You can troubleshoot the UNIX PAM feature using syslog and trace messages, and by testing the configuration, LDAP/TLS connection, the password synchronization, and the PAM framework.

Activating Syslog Messages

Add the syslog parameter to the pam_CA_eta line in the /etc/pam.conf file to let the pam_CA_eta module generate informational and error messages. When the logging option is in use, the UNIX administrator sees information messages in the syslog files each time a UNIX account changes its password. These messages should provide enough information to diagnose basic problems.

You can leave this option enabled permanently on production systems, as it consumes little more resource than running the module silently.

Activating Trace Messages

If the syslog messages do not provide enough information, the trace mode can provide more details. For each password update operation, the module generates a file named /tmp/pam_CA_eta-trace.<nnnn> (where <nnnn> is the PID of the passwd process) with an entry for most of the function calls used by the module and the data used or returned by those functions.

Even though the trace files are only readable by the root account, they will contain the clear-text new passwords. For this reason, this parameter should not be used permanently on a production system.

Testing the Configuration File

You can use the test_config tool, which is located in the /etc/pam_CA_eta directory, to verify the configuration file. First, you set up the folder structure as follows:

  1. Move the pam_CA_eta folder under /etc.
  2. Copy everything under pam_CA_eta-1.1 to /etc/pam_CA_eta.

A sample command line entry follows:

/etc/pam_CA_eta/test_config [config=/path/to/config_file]

An example session follows:

# ./test_config
./test_config: succeeded
Trace file is /tmp/test_config-trace.1274

As the command output shows, a trace file was generated which contains all the details of the configuration file parsing.

View the CAM Service

You can perform the following procedure to find out who started the service.

To view the CAM service

  1. Log on to your UNIX machine as root by using the Telnet or SSH client.
  2. Issue the following UNIX command:

    ps -ef | grep cam
    

    A display similar to the following one appears:

    root 13822        1 11 11:30:12 ?   0:00 cam
    root 13843 13753  3 11:56:31 pts/5  0:00 grep cam
    
Note: If the system's root user does not start the services, they will appear started, but you will be unable to use them. CA Identity Manager issues the following message: “Permission denied: user must be root”.

Testing the LDAP/TLS Connection

You can use the test_ldap tool, located in the /etc/pam_CA_eta directory, to verify the connection to the Provisioning Server (using the configuration file parameters). A sample command line entry follows:

/etc/pam_CA_eta/test_ldap [config=/path/to/config_file]

An example session follows:

# ./test_ldap
./test_ldap: succeeded
Trace file is /tmp/test_ldap-trace.1277

As the command output shows, a trace file was generated which contains all the details of the configuration file parsing and the connection to the Provisioning Server.

Testing the Password Synchronization

You can use the test_sync tool, located in the /etc/pam_CA_eta folder, to verify that the password update of a local account is effectively propagated by the Provisioning Server. A sample command line entry follows:

/etc/pam_CA_eta/test_sync <user> <password> [config=/path/to/config_file]

An example session follows:

# /etc/pam_CA_eta/test_sync pam002 newpass1234
<idmgr> password synchronization started.
:ETA_S_0245<MGU>, Global User 'pam002' and associated account passwords updated successfully: (accounts updated: 2, unchanged: 0, failures: 0)
<idmgr> password synchronization succeeded.
/etc/pam_CA_eta/test_sync: succeeded
Trace file is /tmp/test_sync-trace.2244

As the command output shows, a trace file was generated which contains all of the details of the configuration file parsing, the connection to the Provisioning Server, and the update of the account.

When using the verbose mode (by using the default verbose yes parameter in the configuration file), the command provides informational and potential error messages about the password propagation.

Test the PAM Framework

A PAM test library is available to verify that the password changes are correctly detected by the PAM framework.

To test the PAM framework

  1. Copy the pam_test file to the /usr/lib/security(/hpux32) folder.
  2. Add a password class line for the pam_test library with no parameters.
    An example for Solaris follows:

    other password optional /usr/lib/security/pam_test
    
  3. Issue a passwd command on a test user and then search for the pam_test[<pid>] tagged line in the syslog file.
    The command output shows the name of the generated trace file, for example:

    pam_test[1417]: Succeeded, trace file is /tmp/pam_test-trace.1417
    