Pluggable Authentication Modules (PAM) support

To have jabberd authenticate users via PAM, build it with ./configure --enable-pam and configure the PAM section in c2s.xml.

With the PAM authentication backend, jabberd uses the /etc/pam.d/jabberd service.

If you authenticate against /etc/shadow passwords, c2s needs to run as root to get access to the shadow file. If you do not want that, you may alternatively use ./configure --enable-pipe with the jabberd-authpipe-pam.pl script running as root.

Most PAM mechanisms store passwords in hashed format, so c2s needs to get the plaintext password from the user in order to recreate the hash for comparison. You therefore need to disable all non-plain authentication mechanisms in c2s.xml, leaving only <plain/> in the traditional and SASL sections.

Checklist

  1. --enable-pam + c2s running as root, or
  2. --enable-pipe + jabberd-authpipe-pam.pl running as root
  3. only <plain/> authentication enabled in c2s.xml
  4. proper PAM modules configured in /etc/pam.d/jabberd

Realm

The realm attribute of c2s.local.id configures how jabberd creates usernames for PAM authentication:

<id realm='some.org'>localhost</id>
  • no realm defined - the domain name is appended to the username, resulting in: username@localhost
  • realm defined - the realm is appended to the username, resulting in: username@some.org
  • empty realm "" defined - nothing is appended to the username, resulting in: username
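
The check below is an added example, not part of jabberd or of the original page: it audits a c2s.xml for the two points above, listing any mechanism other than <plain/> left enabled in the traditional and SASL sections and showing the username PAM will see for each c2s.local.id under the realm rules. The sample config is constructed, and the element names traditional, sasl, authreg and mechanisms are assumptions about the file layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real jabberd config. Element names other than
# <id realm=...> and <plain/> are assumptions about the c2s.xml layout.
SAMPLE_C2S = """
<c2s>
  <local>
    <id realm='some.org'>localhost</id>
    <id realm=''>chat.example</id>
    <id>plain.example</id>
  </local>
  <authreg>
    <mechanisms>
      <traditional><plain/><digest/></traditional>
      <sasl><plain/><!-- <digest-md5/> --></sasl>
    </mechanisms>
  </authreg>
</c2s>
"""

def non_plain_mechanisms(root):
    """Return (section, mechanism) pairs that must be disabled for PAM."""
    found = []
    for section in ("traditional", "sasl"):
        for sec in root.iter(section):
            # XML comments are dropped by the parser, so commented-out
            # mechanisms are correctly treated as disabled.
            found += [(section, m.tag) for m in sec if m.tag != "plain"]
    return found

def pam_username(user, id_elem):
    """Apply the realm rules: absent -> domain, empty -> bare, else realm."""
    realm = id_elem.get("realm")
    if realm is None:
        return f"{user}@{id_elem.text.strip()}"
    return f"{user}@{realm}" if realm else user

def audit(xml_text, user="alice"):
    """Return (offending mechanisms, {domain: username passed to PAM})."""
    root = ET.fromstring(xml_text)
    names = {i.text.strip(): pam_username(user, i) for i in root.iter("id")}
    return non_plain_mechanisms(root), names

if __name__ == "__main__":
    bad, names = audit(SAMPLE_C2S)
    for section, mech in bad:
        print(f"disable <{mech}/> in <{section}>: PAM needs the plaintext password")
    for domain, name in names.items():
        print(f"{domain}: PAM sees {name!r}")
```
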

You may refer to #17 to see the change history.
