UNAB integrates with RSA SecurID by leveraging PAM stack capabilities. The PAM stack lets you set which authentication program is used to authenticate users during the login process and the order in which authentication occurs.
The following process explains UNAB integration with RSA SecurID:
Using RSA SecurID authentication and UNAB authentication:
Example: Using RSA SecurID authentication in Red Hat Advanced Server 5.3
The following snippet from the /etc/pam.d/system-auth file indicates that user authentication to the Red Hat Linux Advanced Server 5.3 is done by RSA SecurID only:
auth required pam_securid.so
Example: Using RSA SecurID, local UNIX and UNAB authentication in Red Hat Linux Advanced Server 5.3
The following snippet from the /etc/pam.d/system-auth file indicates that user authentication to the Red Hat Linux Advanced Server 5.3 is done by RSA SecurID, local UNIX and UNAB:
auth sufficient pam_securid.so
auth sufficient pam_unix.so
auth sufficient pam_uxauth.so
In this example, the /etc/pam.d/system-auth file is configured to call the RSA SecurID module (pam_securid.so) to attempt to authenticate the user credentials. If unsuccessful, the local UNIX PAM module (pam_unix.so) attempts to authenticate the user credentials. If unsuccessful, the UNAB PAM stack module (pam_uxauth.so) attempts to authenticate the user credentials. In this example, when the UNAB PAM module attempts to authenticate the user credentials, UNAB does not prompt the user for a password. The local UNIX PAM module provides the UNAB PAM stack module with the password.
Note: The authentication process can end with any of the PAM stack modules.
Example: Using UNAB authentication and RSA SecurID authentication in Red Hat Advanced Server 5.3
The following snippet from the /etc/pam.d/system-auth file indicates that user authentication to the Red Hat Advanced Server 5.3 is done using UNAB authentication and RSA SecurID authentication:
auth optional pam_unix.so
auth sufficient pam_uxauth.so
auth sufficient pam_securid.so
In this example, the /etc/pam.d/system-auth file is configured to use the UNAB PAM stack (pam_uxauth.so) to attempt to authenticate the user's Active Directory credentials before using the RSA SecurID PAM stack (pam_securid.so) to authenticate the user passcode. The local UNIX PAM stack module (pam_unix.so) is set to optional. This indicates that the local UNIX PAM stack does not authenticate the user but rather prompts the user for a password and forwards the password to the PAM stack.
Note: In this example, the authentication process can end with a successful authentication by either the RSA SecurID or UNAB module, without using local UNIX authentication.
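The following added example (not part of the original documentation or of UNAB) models how Linux-PAM combines the required, requisite, sufficient and optional control flags, and lists which combinations of passing modules each of the three stacks above accepts. The evaluator is a simplified model of the standard Linux-PAM control-flag behaviour, and the module outcomes are constructed inputs, not real module calls.

```python
import itertools

# Stacks copied from the three examples on this page.
SECURID_ONLY = "auth required pam_securid.so"
ANY_OF_THREE = """
auth sufficient pam_securid.so
auth sufficient pam_unix.so
auth sufficient pam_uxauth.so
"""
UNAB_THEN_SECURID = """
auth optional pam_unix.so
auth sufficient pam_uxauth.so
auth sufficient pam_securid.so
"""

def parse_stack(text):
    """Parse 'auth <control> <module>' lines into (control, module) pairs."""
    stack = []
    for line in text.strip().splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, passes):
    """Return True if the stack succeeds; failed sufficient/optional are ignored."""
    impression = None  # None = undecided, True = positive, False = negative
    for control, module in stack:
        if module in passes:  # module would return PAM_SUCCESS (assumed input)
            if impression is None:
                impression = True
            if control == "sufficient" and impression:
                return True  # success ends the stack unless a required failed
        elif control in ("required", "requisite"):
            impression = False
            if control == "requisite":
                return False  # requisite failure ends the stack immediately
    return impression is True  # an undecided stack fails

def accepted_sets(text):
    """List every combination of passing modules that the stack accepts."""
    stack = parse_stack(text)
    names = [module for _, module in stack]
    return [combo for r in range(len(names) + 1)
            for combo in itertools.combinations(names, r)
            if evaluate(stack, set(combo))]

if __name__ == "__main__":
    for text in (SECURID_ONLY, ANY_OF_THREE, UNAB_THEN_SECURID):
        print(accepted_sets(text))
```

In this model a successful optional module sets the stack result when every later sufficient module fails, so accounts that have a valid local UNIX password are worth testing against the third stack on a real host.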
Copyright © 2013 CA Technologies.
All rights reserved.