User Authentication and Management
Intended for use with Cassatt Active Response V5.0.
Cassatt Active Response uses the Pluggable Authentication Modules for Linux (Linux-PAM) for user authentication; that is, Cassatt Active Response is PAM-aware. If you've used Linux-PAM in the past, you can probably skip this article. If you haven't used Linux-PAM, this article will help you understand how user authentication works with Cassatt Active Response. I'll also talk about managing existing user accounts and creating new user accounts for Cassatt Active Response.
Linux-PAM is designed to allow system administrators (in this case, you) to configure authentication in the way that's appropriate for your site using one or more authentication mechanisms (such as LDAP, Novell, or NT-based password databases).
What is Linux-PAM?
Linux-PAM comprises a set of shared libraries. Each library module is designed to (1) perform a particular authentication task (like limiting the number of users who can log in at once) and (2) use a particular authentication mechanism (for example, the pam_krb4 module uses Kerberos). A configuration file specifies which Linux-PAM modules to use. The next illustration shows a generic view:

Cassatt Active Response default Linux-PAM configuration
We ship Cassatt Active Response with the very simplest authentication scheme, which uses the /etc/passwd file to validate user names and passwords. The Linux-PAM configuration file for Cassatt Active Response is stored in /etc/pam.d/cassatt. The next illustration shows the default Cassatt Active Response authentication scheme.

To implement your preferred authentication scheme, edit the /etc/pam.d/cassatt file. Follow the instructions in The Linux-PAM System Administrator's Guide and add the Cassatt Active Response users specified in Adding and managing user accounts.
Cassatt Active Response user roles and user accounts
By default, Cassatt Active Response is installed with two user IDs: admin and viewer. They have the following characteristics:
Default User ID | Password | Role | Role Provides
admin | changeme | Admin | Read and write access to the Cassatt Active Response environment.
viewer | changeme | Operator | Read-only access to the Cassatt Active Response environment.
If you change a user's role through the Controller user management interface, it may take a few minutes for Cassatt Active Response to recognize and authenticate the new role.
Cassatt Active Response also creates two user accounts for use by the underlying software: the cassatt and ccreport users. These accounts are locked and you cannot log into Cassatt Active Response with them.
Adding and managing user accounts
To add users to Cassatt Active Response, follow these steps. Note that you can set up Cassatt Active Response user accounts in your site authentication system (e.g., LDAP, NIS, or other) prior to installing Cassatt Active Response.
- Add the user ID and password to your authentication system. If using the Cassatt Active Response native authentication system, add the user ID and password to the /etc/passwd file using the standard Linux useradd and passwd commands.
- If using the Cassatt Active Response native authentication, skip this step. If using your site authentication system, add the following Cassatt Active Response user accounts:
  - admin
  - viewer
  - cassatt
  - ccreport
- If using the Cassatt Active Response native authentication, skip this step. If using your site authentication system, set up Linux-PAM to use that authentication system.
  If your Cassatt Active Response environment uses two control nodes, be sure to configure both nodes:
  If using... | Then...
  Cassatt Active Response native authentication | Set up users in /etc/passwd on both control nodes.
  Site authentication system | Set up /etc/pam.d/cassatt on both control nodes.
  This ensures access is continuous no matter which control node is active.
- Add the user account, role, and status in the Controller; for assistance, refer to the online help topic entitled "Users Page."

Once you've added a user in Cassatt Active Response, you can disable, enable, or delete the user account from Cassatt Active Response. For more information, refer to the online help topic entitled "Users Page."
When you delete a user from Cassatt Active Response, make sure you delete the user from the authentication system on both control nodes.
Also, if you change a user's role in the Controller (for example from Admin to Operator or vice versa), allow a few minutes for Cassatt Active Response to pick up the change.
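A consistency check for the two-control-node guidance above under native authentication, as an added example that is not Cassatt code. It assumes password hashes live in /etc/shadow, that "locked" means a password field beginning with ! or *, and that you run it against copies of each node's files; the function names and sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Cassatt code): audit passwd/shadow copies from two control nodes.
REQUIRED="admin viewer cassatt ccreport"  # accounts this page lists
SERVICE="cassatt ccreport"                # accounts this page says are locked

# has_user PASSWD USER: succeed if USER has an entry in the passwd-format file.
has_user() { cut -d: -f1 "$1" | grep -qxF -- "$2"; }

# is_locked SHADOW USER: succeed if USER's password field starts with '!' or '*'.
is_locked() {
    awk -F: -v u="$2" '$1 == u && $2 ~ /^[!*]/ { ok = 1 } END { exit !ok }' "$1"
}

# audit_node LABEL PASSWD SHADOW PEER_PASSWD: print one finding per line.
audit_node() {
    for u in $REQUIRED; do
        has_user "$2" "$u" || echo "$1: missing required account $u"
    done
    for u in $SERVICE; do
        is_locked "$3" "$u" || echo "$1: service account $u is not locked"
    done
    # An account the peer lacks cannot authenticate once the peer becomes active.
    for u in $(cut -d: -f1 "$2"); do
        has_user "$4" "$u" || echo "$1: account $u is absent on the peer node"
    done
}

# Constructed sample data: jdoe exists only on node 1; ccreport is unlocked on node 2.
mk_passwd() { i=1000; for u in $2; do i=$((i+1)); echo "$u:x:$i:$i::/home/$u:/bin/sh"; done > "$1"; }
T=$(mktemp -d); trap 'rm -rf "$T"' EXIT
mk_passwd "$T/passwd1" "$REQUIRED jdoe"
mk_passwd "$T/passwd2" "$REQUIRED"
cat > "$T/shadow1" <<'EOF'
admin:$6$constructed$placeholder:19000:0:99999:7:::
viewer:$6$constructed$placeholder:19000:0:99999:7:::
cassatt:!!:19000:0:99999:7:::
ccreport:!!:19000:0:99999:7:::
EOF
sed 's/^ccreport:!!/ccreport:$6$constructed$placeholder/' "$T/shadow1" > "$T/shadow2"

audit_node node1 "$T/passwd1" "$T/shadow1" "$T/passwd2"
audit_node node2 "$T/passwd2" "$T/shadow2" "$T/passwd1"
```

On the sample data it reports that jdoe is absent on the peer of node 1 and that ccreport is not locked on node 2. With a site authentication system, the equivalent comparison is between the two nodes' /etc/pam.d/cassatt files.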
Conclusion
Linux-PAM provides an extremely flexible user authentication framework for PAM-aware applications like Cassatt Active Response. Using Linux-PAM, you can make your user authentication scheme for Cassatt Active Response as complex as your site requires, or as simple as using the /etc/passwd file.
Cassatt Active Response provides two default user accounts: the admin account has read/write privileges and the viewer account, which has the Operator role, has read-only privileges. Cassatt Active Response also creates two system-level user accounts, cassatt and ccreport, which are used by the software to carry out various system operations. Once users exist in your authentication system, you can add, delete, enable, or disable those user accounts in Cassatt Active Response within the Controller.