4.1 Configuring the Mandatory Settings

Perform the following tasks; some of them depend on the Linux distribution you are using:

Prerequisite for Advanced Authentication Server discovery

Ensure that the DNS is configured appropriately for Advanced Authentication server discovery (see Setting-up a DNS for Advanced Authentication Server Discovery), or specify a particular Advanced Authentication server in the configuration file.

4.1.1 Using a Specific Advanced Authentication Server in Non-DNS Mode

You can achieve the following requirements with this setting:

  • To enforce a connection to a specific workstation where the DNS is not available.

  • To override a domain based entry for a specific workstation and use the settings specified in the pam_aucore.conf file.

To configure Linux Client to discover a specific Advanced Authentication server without a DNS, perform the following steps:

  1. Navigate to /opt/pam_aucore/etc/ and open the pam_aucore.conf file.

  2. Specify discovery.host: <IP_address|domain_name>.

    For example, discovery.host: 192.168.20.40 or discovery.host: auth2.mycompany.local.

    If the configuration file does not exist, create a new file.

  3. (Optional) Specify discovery.port = <portnumber> to configure the port number for the Client-server communication.

  4. Restart the system.

NOTE: For the Linux logon event, select the OS Logon (local) Event type if you want to use Linux Client on non-domain-joined workstations.

4.1.2 Setting-up a DNS for Advanced Authentication Server Discovery

You can configure a DNS to allow Linux Client to discover and connect with the Advanced Authentication server through the DNS.

To configure the DNS for server discovery, perform the following tasks:

Adding a Host in DNS

  1. Click Start > Administrative Tools > DNS to open the DNS Manager.

  2. Add Host A or AAAA record and PTR record:

    1. Right-click your domain name and click New Host (A or AAAA) under Forward Lookup Zone in the console tree.

    2. Specify a DNS name of the Advanced Authentication server in Name.

    3. Specify the IP address of the Advanced Authentication server in IP address.

      You can specify the address in IP version 4 (IPv4) format (to add a host (A) resource record) or IP version 6 (IPv6) format (to add a host (AAAA) resource record).

    4. Select Create associated pointer (PTR) record to create an additional pointer (PTR) resource record in a reverse zone for this host using the details that you have provided in Name and IP address.

Adding an SRV Record

For best load balancing, it is recommended to perform the following actions only for Advanced Authentication web servers. You do not need to create the records for the Global Master, DB Master, and DB servers.

NOTE: Ensure that the LDAP SRV record exists in the DNS server. If the record is not available, you must add it manually.

Adding an SRV Record from a Primary Advanced Authentication Site

To add an SRV record for the Advanced Authentication servers from a primary Advanced Authentication site (a site with Global Master server), perform the following steps:

  1. Right-click on a node with the domain name and click Other New Records in the Forward Lookup Zones of the console tree.

  2. Select Service Location (SRV) from Select a resource record type and click Create Record.

  3. Specify _aav6 in Service of New Resource Record dialog box.

  4. Specify _tcp in Protocol.

  5. Specify 443 in Port Number.

  6. Specify the fully qualified domain name (FQDN) of the server that is added in Host offering this service.

    For example, authsrv.mycompany.com.

  7. Click OK.

Adding an SRV Record from Other Advanced Authentication Sites

To add an SRV record for the Advanced Authentication servers from other Advanced Authentication sites, perform the following steps:

  1. Expand the preferred domain name node and select _sites in the Forward Lookup Zones of the console tree.

  2. Right-click on the preferred site name and click Other New Records.

  3. Select Service Location (SRV) from Select a resource record type and click Create Record.

  4. Specify _aav6 in Service of New Resource Record dialog box.

  5. Specify _tcp in Protocol.

  6. Specify 443 in Port Number.

  7. Specify the FQDN of the server in Host offering this service.

    For example, authsrv.mycompany.com.

  8. Click OK.

You must add host and SRV records in the DNS for all authentication servers. The Priority and Weight values for different servers may vary.

DNS Server Entries

An SRV record in the DNS server has the following layout:

  _service._proto.name TTL class SRV priority weight port target

The following table describes the elements of an SRV record:

  Element                              Description
  Service                              Symbolic name of the applicable service.
  Protocol                             Transport protocol of the applicable service, typically TCP or UDP.
  Domain                               Domain name for which this record is valid. It ends with a dot.
  TTL                                  Standard DNS time-to-live field.
  Class                                Standard DNS class field (IN by default).
  Priority                             Priority of the target host. The lower the value, the higher the priority.
  Weight                               Relative weight for records with the same priority. The higher the value, the more preferred the target among records of equal priority.
  Port number                          TCP or UDP port on which the service is located.
  Target (Host offering this service)  Canonical hostname of the machine providing the service. It ends with a dot.
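To make the Priority and Weight semantics concrete, the following is an added example (not code from the documentation or from the product) that parses SRV lines in the layout above and orders the targets the way an RFC 2782 client tries them; the hostnames and record values are constructed.

```python
import random
import re

# Constructed sample entries in the "_service._proto.name TTL class SRV priority weight port target"
# layout; the hostnames are made up for this example.
SAMPLE_SRV_RECORDS = """
_aav6._tcp.mycompany.com. 3600 IN SRV 10 60 443 authsrv1.mycompany.com.
_aav6._tcp.mycompany.com. 3600 IN SRV 10 40 443 authsrv2.mycompany.com.
_aav6._tcp.mycompany.com. 3600 IN SRV 20 0 443 authsrv3.mycompany.com.
"""

SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+(?P<cls>\S+)\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv_records(text):
    """Parse zone-file style SRV lines into dicts; blank lines are skipped."""
    records = []
    for line in text.strip().splitlines():
        match = SRV_LINE.match(line.strip())
        if not match:
            raise ValueError("not an SRV record: %r" % line)
        rec = match.groupdict()
        for key in ("ttl", "priority", "weight", "port"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def order_targets(records, seed=None):
    """Return (target, port) pairs in the order an RFC 2782 client tries them:
    lowest priority value first, weighted random choice within one priority."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r["priority"] for r in records}):
        pool = [r for r in records if r["priority"] == prio]
        while pool:
            # Weight-0 records go to the front so they are selected rarely (RFC 2782).
            pool.sort(key=lambda r: r["weight"] == 0, reverse=True)
            pick = rng.randint(0, sum(r["weight"] for r in pool))
            running = 0
            for chosen in pool:
                running += chosen["weight"]
                if running >= pick:
                    break
            ordered.append((chosen["target"].rstrip("."), chosen["port"]))
            pool.remove(chosen)
    return ordered
```

With the sample records, authsrv1 and authsrv2 (priority 10) are always tried before authsrv3 (priority 20), and authsrv1 is chosen first in roughly 60% of runs.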

Authentication Server Discovery Flow

The following diagram illustrates the server discovery workflow.

Configuring Authentication Server Discovery in Client

You can configure server discovery in the Linux Client by using the following parameters in the pam_aucore.conf file:

  Parameter                         Description
  discovery.Domain                  DNS name of the domain.
  discovery.host                    DNS name or IP address of an Advanced Authentication server.
  discovery.port                    Port number for the client-server interaction.
  discovery.subDomains              Additional sub-domains, separated by semicolons.
  discovery.useOwnSite              Set to True to use the local site (Windows Client only).
  discovery.dnsTimeout              Timeout for DNS queries. The default value is 3 seconds.
  discovery.connectTimeout          Timeout for the Advanced Authentication server response. The default value is 2 seconds.
  discovery.resolveAddr             Set to False to skip DNS resolution. The default value is False for Linux Client.
  discovery.wakeupTimeout           Timeout after the system starts or resumes from sleep. The default value is 10 seconds.
  discovery.skipAlreadyTriedPeriod  Delay for which the Linux Client stops searching for the server after an unsuccessful search attempt. The default value is 5 minutes, after which the Client switches to online mode. During background operations (for example, policy updates), if the cache determines that the server is available, this period can be reduced.

You can find the configuration file pam_aucore.conf in the path /opt/pam_aucore/etc/.
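The following added example (not code from the documentation or from the product) parses a constructed pam_aucore.conf and derives the discovery decision the two modes above imply: a direct connection when discovery.host is set, otherwise the _aav6._tcp SRV names to query for the domain and its sub-domains. It assumes that discovery.subDomains lists full DNS names and that 443, the port from the SRV record steps, is the fallback when discovery.port is absent.

```python
import re

# Constructed pam_aucore.conf contents for this example; all values are made up.
SAMPLE_DNS_MODE_CONF = """
# server discovery through DNS
discovery.Domain: mycompany.com
discovery.subDomains: eu.mycompany.com;us.mycompany.com
discovery.dnsTimeout: 3
"""

SAMPLE_HOST_MODE_CONF = """
discovery.host: 192.168.20.40
discovery.port = 8443
"""

# Defaults from the parameter table; 443 is the port used in the SRV record steps
# and is assumed here to be the fallback when discovery.port is absent.
DEFAULT_PORT = 443
DEFAULT_DNS_TIMEOUT = 3


def parse_conf(text):
    """Parse 'key: value' and 'key = value' lines (both spellings appear in the
    documentation). '#' comment lines are skipped; keys are stored lower-cased."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"^([\w.]+)\s*[:=]\s*(.*)$", line)
        if not match:
            raise ValueError("unparseable line: %r" % line)
        conf[match.group(1).lower()] = match.group(2).strip()
    return conf


def discovery_plan(conf):
    """Decide how the client finds a server from the parsed configuration.
    Non-DNS mode (discovery.host set) returns ('host', hostname, port).
    DNS mode returns ('srv', [SRV names to query], dnsTimeout); the names are
    _aav6._tcp.<domain>, built from the Service and Protocol of the SRV steps.
    Assumption: discovery.subDomains lists full DNS names."""
    port = int(conf.get("discovery.port", DEFAULT_PORT))
    if "discovery.host" in conf:
        return ("host", conf["discovery.host"], port)
    domains = [conf["discovery.domain"]]  # KeyError if neither host nor domain is set
    domains += [d.strip() for d in conf.get("discovery.subdomains", "").split(";") if d.strip()]
    timeout = int(conf.get("discovery.dnstimeout", DEFAULT_DNS_TIMEOUT))
    return ("srv", ["_aav6._tcp." + d for d in domains], timeout)
```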

4.1.3 Preparing Linux for Installing Linux PAM Client

You can add Linux Client to a specific domain and configure the network by setting Search Domains with the FQDN.

For example, in CentOS 7, you can configure /etc/sysconfig/network-scripts/ifcfg-eth0 by using DOMAIN=mycompany.com.

4.1.4 Preinstalling the Configuration on Ubuntu 16

Before installing the Linux PAM Client on Ubuntu 16, you must configure lightdm to achieve the following:

  • Allow manual login

  • Hide the user list

  • Disable guest login

For more information about lightdm, see LightDM.

To configure lightdm on Ubuntu 16, perform the following steps:

  1. Navigate to /usr/share/lightdm/lightdm.conf.d.

  2. Double-click the 50-ubuntu.conf file and add the following parameters:

    [SeatDefaults]
    greeter-show-manual-login=true
    greeter-hide-users=true
    allow-guest=false

  3. Click Save.