Perform the following tasks, depending on your Linux distribution:
To set up the interaction between Linux Client and the Advanced Authentication server, perform one of the following:
Configure Advanced Authentication server lookup in non-DNS mode by manually specifying a custom Advanced Authentication server. For more information, see Using a Specific Advanced Authentication Server in Non-DNS Mode.
Or
Allow Linux Client to interact with the Advanced Authentication servers through the DNS and configure the DNS for Advanced Authentication server lookup. For more information, see Setting-up a DNS for Advanced Authentication Server Discovery.
To prepare Linux for installing the Linux PAM Client, see Preparing Linux for Installing Linux PAM Client.
To prepare Ubuntu 16 for installing the Linux PAM Client, see Preinstalling the Configuration on Ubuntu 16.
Ensure that either the DNS is configured for Advanced Authentication server discovery (see Setting-up a DNS for Advanced Authentication Server Discovery) or a specific Advanced Authentication server is specified in the configuration file.
This setting lets you:
Enforce a connection to a specific server from a workstation where the DNS is not available.
Override a domain-based entry for a specific workstation and use the settings specified in the config.properties file.
To configure Linux Client to discover a specific Advanced Authentication server without a DNS, perform the following steps:
Navigate to /opt/pam_aucore/etc/ and open the pam_aucore.conf file.
Specify discovery.host: <IP_address|domain_name>.
For example, discovery.host: 192.168.20.40 or discovery.host: auth2.mycompany.local.
If the configuration file does not exist, create a new file.
You can specify multiple Advanced Authentication servers separated by a semicolon (;):
discovery.hosts: aaf-1.domain.com;aaf-2.domain.com;....;aaf-n.domain.com
(Optional) Specify discovery.port = <portnumber> to configure the port number for the Client-server communication.
Restart the system.
NOTE: For the Linux logon event, select the OS Logon (local) event type if you want to use Linux Client on workstations that are not domain-joined.
You can configure a DNS to allow Linux Client to discover and connect with the Advanced Authentication server through the DNS.
To configure the DNS for server discovery, perform the following tasks:
Click Start > Administrative Tools > DNS to open the DNS Manager.
Add Host A or AAAA record and PTR record:
Right-click your domain name and click New Host (A or AAAA) under Forward Lookup Zone in the console tree.
Specify a DNS name of the Advanced Authentication server in Name.
Specify the IP address of the Advanced Authentication server in IP address.
You can specify the address in IP version 4 (IPv4) format (to add a host (A) resource record) or IP version 6 (IPv6) format (to add a host (AAAA) resource record).
Select Create associated pointer (PTR) record to create an additional pointer (PTR) resource record in a reverse zone for this host using the details that you have provided in Name and IP address.
For best load balancing, perform the following actions only for Advanced Authentication web servers. You do not need to create records for the Global Master, DB Master, and DB servers.
NOTE: Ensure that the LDAP SRV record exists in the DNS server. If the record is not available, you must add it manually.
To add an SRV record for the Advanced Authentication servers from a primary Advanced Authentication site (a site with Global Master server), perform the following steps:
Right-click on a node with the domain name and click Other New Records in the Forward Lookup Zones of the console tree.
Select Service Location (SRV) from Select a resource record type and click Create Record.
Specify _aav6 in Service of New Resource Record dialog box.
Specify _tcp in Protocol.
Specify 443 in Port Number.
Specify the fully qualified domain name (FQDN) of the server that is added in Host offering this service.
For example, authsrv.mycompany.com.
Click OK.
To add an SRV record for the Advanced Authentication servers from other Advanced Authentication sites, perform the following steps:
Expand the preferred domain name node and select _sites in the Forward Lookup Zones of the console tree.
Right-click on the preferred site name and click Other New Records.
Select Service Location (SRV) from Select a resource record type and click Create Record.
Specify _aav6 in Service of New Resource Record dialog box.
Specify _tcp in Protocol.
Specify 443 in Port Number.
Specify the FQDN of the server in Host offering this service.
For example, authsrv.mycompany.com.
Click OK.
You must add host and SRV records in the DNS for all the authentication servers. The Priority and Weight values for different servers may vary.
An SRV record in the DNS server has the form _service._proto.name TTL class SRV priority weight port target. The following table describes these elements:
| Element | Description |
|---|---|
| Service | Symbolic name of the service. |
| Protocol | Transport protocol of the service, typically TCP or UDP. |
| Domain | Domain name for which this record is valid. It ends with a dot. |
| TTL | Standard DNS time-to-live field. |
| Class | Standard DNS class field (IN by default). |
| Priority | Priority of the target host. The lower the value, the higher the priority. |
| Weight | A relative weight for records with the same priority. The higher the value, the higher the priority. |
| Port number | TCP or UDP port on which the service is located. |
| Target (Host offering this service) | Canonical hostname of the machine providing the service. It ends with a dot. |
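The following is an added example, not code from the original page or from the Advanced Authentication product: it parses _aav6._tcp SRV records of the form described above into the elements in the table and orders the targets the way a client tries them (lowest priority value first, weighted random selection among equal priorities, as RFC 2782 describes). The zone lines, hostnames, TTL, priority and weight values are constructed.

```python
import random
from dataclasses import dataclass

# Constructed sample _aav6._tcp SRV records in zone-file form (made-up hosts and values).
SAMPLE_ZONE = """\
_aav6._tcp.mycompany.com. 3600 IN SRV 10 60 443 authsrv1.mycompany.com.
_aav6._tcp.mycompany.com. 3600 IN SRV 10 40 443 authsrv2.mycompany.com.
_aav6._tcp.mycompany.com. 3600 IN SRV 20 0 443 authsrv-dr.mycompany.com.
"""

@dataclass
class SrvRecord:
    service: str
    protocol: str
    domain: str
    ttl: int
    rr_class: str
    priority: int
    weight: int
    port: int
    target: str

def parse_srv(line: str) -> SrvRecord:
    """Split one '_service._proto.name TTL class SRV priority weight port target' line."""
    name, ttl, rr_class, rtype, priority, weight, port, target = line.split()
    if rtype != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    service, protocol, domain = name.split(".", 2)  # domain keeps its trailing dot
    return SrvRecord(service, protocol, domain, int(ttl), rr_class,
                     int(priority), int(weight), int(port), target.rstrip("."))

def order_targets(records, rng=random):
    """Order (target, port) pairs: lowest priority value first, then weighted random (RFC 2782)."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            pick = rng.randint(0, sum(r.weight for r in bucket))
            running = 0
            for rec in sorted(bucket, key=lambda r: r.weight > 0):  # weight 0 entries first
                running += rec.weight
                if running >= pick:
                    ordered.append((rec.target, rec.port))
                    bucket.remove(rec)
                    break
    return ordered

def candidates(zone_text: str, rng=random):
    return order_targets([parse_srv(l) for l in zone_text.splitlines() if l.strip()], rng)
```

Running candidates(SAMPLE_ZONE) always lists the two priority-10 web servers before the priority-20 one; their relative order varies with the weights, which is the load balancing the note above refers to.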
The following diagram illustrates the server discovery workflow.
You can configure server discovery in the Linux Client by using the following parameters in the config.properties file:
| Parameter | Description |
|---|---|
| discovery.Domain | DNS name of the domain. |
| discovery.host | DNS name or IP address of an Advanced Authentication server. |
| discovery.port | Port number for the client-server interaction. |
| discovery.subDomains | Additional sub-domains, separated by a semicolon. |
| discovery.useOwnSite | Set the value to True to use the local site (Windows Client only). |
| discovery.dnsTimeout | Timeout for DNS queries. The default value is 3 seconds. |
| discovery.connectTimeout | Timeout for the Advanced Authentication server response. The default value is 2 seconds. |
| discovery.resolveAddr | Set the value to False to skip DNS resolution. By default, the value is False for Linux Client. |
| discovery.wakeupTimeout | Timeout after the system starts or resumes from sleep. The default value is 10 seconds. |
| discovery.skipAlreadyTriedPeriod | Delay during which the Linux Client stops searching for the server after an unsuccessful search attempt. The default value is 5 minutes, after which the Client switches to online mode. During background operations (for example, policy updates), if the cache determines that the server is available, the set period can be reduced. |
You can find the configuration file pam_aucore.conf in the path /opt/pam_aucore/etc/.
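The following is an added example, not code from the original page or from the Advanced Authentication product: it reads the discovery settings from a pam_aucore.conf in non-DNS mode, validates each semicolon-separated discovery.host entry as an IP address or DNS name, and fills in the defaults listed in the table above. The sample file contents are constructed; the parser accepts both the "key: value" form used for discovery.host and the "key = value" form the page shows for discovery.port.

```python
import ipaddress
import re

# Constructed sample pam_aucore.conf for non-DNS mode (made-up hosts); note the "=" on discovery.port.
SAMPLE_CONF = """\
# pin the Linux Client to specific servers instead of DNS discovery
discovery.host: 192.168.20.40;auth2.mycompany.local
discovery.port = 443
discovery.dnsTimeout: 5
"""

# Defaults from the parameter table above (seconds, except skipAlreadyTriedPeriod in minutes).
DEFAULTS = {
    "discovery.dnsTimeout": 3,
    "discovery.connectTimeout": 2,
    "discovery.wakeupTimeout": 10,
    "discovery.skipAlreadyTriedPeriod": 5,
    "discovery.resolveAddr": False,
}
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*\.?$", re.I)

def parse_conf(text):
    """Return {key: value} for 'key: value' or 'key = value' lines; blanks and comments are skipped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^([\w.]+)\s*[:=]\s*(.*?)\s*$", line.strip())
        if m:  # a '#' comment line never matches the key pattern
            conf[m.group(1)] = m.group(2)
    return conf

def valid_host(value):
    """Accept an IPv4/IPv6 address or a syntactically valid DNS name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))

def discovery_settings(text):
    """Validate the semicolon-separated discovery.host list and apply the documented defaults."""
    conf = parse_conf(text)
    hosts = [h.strip() for h in conf.get("discovery.host", "").split(";") if h.strip()]
    bad = [h for h in hosts if not valid_host(h)]
    if bad:
        raise ValueError(f"invalid discovery.host entries: {bad}")
    # discovery.port has no documented default, so it stays None when absent
    settings = {"hosts": hosts, "discovery.port": int(conf["discovery.port"]) if "discovery.port" in conf else None}
    for key, default in DEFAULTS.items():
        raw = conf.get(key, default)
        settings[key] = str(raw).lower() == "true" if isinstance(default, bool) else int(raw)
    return settings
```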
You can add Linux Client to a specific domain and configure the network by setting Search Domains with the FQDN.
For example, in CentOS 7, you can configure /etc/sysconfig/network-scripts/ifcfg-eth0 by using DOMAIN=mycompany.com.
Before installing the Linux PAM Client on Ubuntu 16, you must configure lightdm to achieve the following:
Allow manual login
Hide the user list
Disable guest login
For more information about lightdm, see LightDM.
To configure lightdm on Ubuntu 16, perform the following steps:
Navigate to /usr/share/lightdm/lightdm.conf.d.
Double-click the 50-ubuntu.conf file and add the following parameters:
[SeatDefaults]
greeter-show-manual-login=true
greeter-hide-users=true
allow-guest=false
Click Save.