Rivendellaudio/docs/misc/pam_rd.txt
Fred Gleason 1e0c305276 2017-11-07 Fred Gleason <fredg@paravelsystems.com>
* Removed 'docs/NOW+NEXT.txt'.
	* Removed 'docs/WIN32.txt'.
	* Removed 'docs/copy_split_format.odt'.
	* Moved remaining unformatted notes to 'docs/misc/.
2017-11-07 07:43:59 -05:00

PAM and multi-user support in Rivendell
In order to support a multi-user environment, the PAM (Pluggable
Authentication Module) infrastructure is used to activate a Rivendell
user.
First of all, a distinction should be made between *nix user accounts
and Rivendell user accounts. The former are accounts used by the
operating system; they may be local accounts in the /etc/passwd file
or they may be centrally administered accounts such as in an LDAP
server. The Rivendell user accounts are used only within the
Rivendell system and are stored within the Rivendell SQL database.
Rivendell users can be used to distinguish which groups of audio a user
can create or delete within Rivendell.
For the multi-user Rivendell environment, users should each have a
unique *nix system account and a matching Rivendell account. The *nix
user accounts should be members of a "rivendell" *nix system group and
also any group required to access audio hardware devices (ex: the
"audio" group on a Debian system). The files in the Rivendell system
(/var/snd, PID files, log files) will be owned by "foouser.rivendell"
with appropriate group writable permissions. Commands to create the
*nix accounts are:

    adduser foouser            # create a new *nix user called foouser
    adduser foouser rivendell  # add foouser to the rivendell *nix group
    adduser foouser audio      # add foouser to the audio *nix group

Rivendell user accounts can be added with the "rdadmin" utility.
Instead of requiring users to log in multiple times (once for their
*nix account and again for their Rivendell account), the pam_rd module
allows for the Rivendell user to be set during the authentication
process of PAM.
Options the pam_rd module recognizes include:

    debug             - to increase logging to syslog
    use_first_pass    - to use only the first password entered by the
    try_first_pass    - to try the first password, and if that does not
                        succeed, prompt the user to enter their
                        password.
    kill_rd_daemons   - kill any previously running Rivendell daemons
                        (caed, ripcd, rdcatchd)
    destroy_shm       - destroy and release the Rivendell shared memory
                        segment, id "0x5005"
    ignore_pass       - log a valid Rivendell user account into Rivendell,
                        ignoring any password check. The idea is to "trust"
                        the network logon credentials and ignore the
                        Rivendell credentials.
    fail_default_user - if a corresponding Rivendell user account is not found
                        or if the entered password does not authenticate a
                        Rivendell user, the Rivendell user account is set to
                        the user specified by this option (defaults to
                        "user").
We have had success tying the pam_rd module into the "kdm" PAM module.
The following entry was added as the last "auth" entry for "kdm" in
/etc/pam.d/kdm:
auth required pam_rd.so debug kill_rd_daemons destroy_shm ignore_pass fail_default_user=user
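The two setup steps above (the *nix group membership each Rivendell user needs, and the pam_rd.so line placed last among the "auth" entries of /etc/pam.d/kdm) can be checked from the files themselves. The following is an added example, not part of Rivendell or the pam_rd module: it parses a constructed /etc/pam.d/kdm fragment and constructed /etc/group lines, extracts the pam_rd options into a dictionary, confirms that pam_rd.so is the last "auth" entry, and lists the required groups ("rivendell", "audio") a given login is missing. The sample users foouser and baruser are made up for the example.

```python
"""Audit helpers for a pam_rd-based multi-user Rivendell host.

Added example, not part of the Rivendell project's own code. All input
below is constructed sample data, not read from a real host.
"""
import shlex

# Constructed sample of /etc/pam.d/kdm with pam_rd.so as the last "auth" entry.
SAMPLE_PAM_KDM = """\
# constructed sample, not a real host's file
auth    required    pam_env.so
auth    required    pam_unix.so nullok_secure
auth    required    pam_rd.so debug kill_rd_daemons destroy_shm ignore_pass fail_default_user=user
account required    pam_unix.so
session required    pam_unix.so
"""

# Constructed sample of /etc/group lines (group:password:gid:members).
SAMPLE_GROUP = """\
audio:x:29:foouser
rivendell:x:1001:foouser,baruser
"""

REQUIRED_GROUPS = ("rivendell", "audio")


def parse_pam_entries(text):
    """Return a list of (type, control, module, options) tuples from a pam.d file.

    Comments and blank lines are skipped; lines with fewer than three
    fields are ignored rather than guessed at.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        if len(fields) < 3:
            continue
        entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries


def pam_rd_options(text):
    """Return the option dict of the pam_rd.so line if it is the last
    "auth" entry, otherwise None.

    Flag options (e.g. "debug") map to True; "key=value" options keep
    their value, so fail_default_user=user becomes {"fail_default_user": "user"}.
    """
    auth_entries = [e for e in parse_pam_entries(text) if e[0] == "auth"]
    if not auth_entries or auth_entries[-1][2] != "pam_rd.so":
        return None
    options = {}
    for opt in auth_entries[-1][3]:
        key, _, value = opt.partition("=")
        options[key] = value if value else True
    return options


def group_members(text):
    """Map group name -> set of member logins from /etc/group-style lines."""
    groups = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":")
        if len(parts) != 4:
            continue
        groups[parts[0]] = {m for m in parts[3].split(",") if m}
    return groups


def missing_groups(user, group_text, required=REQUIRED_GROUPS):
    """Return the required *nix groups that `user` is not a member of."""
    groups = group_members(group_text)
    return [g for g in required if user not in groups.get(g, set())]


if __name__ == "__main__":
    opts = pam_rd_options(SAMPLE_PAM_KDM)
    print("pam_rd options:", opts)
    if opts and opts.get("ignore_pass"):
        # With ignore_pass the Rivendell password check is skipped, so the
        # *nix/network logon is the only credential check for Rivendell.
        print("note: ignore_pass set; Rivendell password is not checked")
    for login in ("foouser", "baruser"):
        print(login, "missing groups:", missing_groups(login, SAMPLE_GROUP))
```

Run against a real host by reading /etc/pam.d/kdm and /etc/group into the two functions instead of the constructed samples; the "note" line is simply a reminder of what the notes above say ignore_pass does.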