If you are using LDAP-based account management, enterprise users can configure their on-premises Backtrace instances to authenticate to their LDAP server via PAM.

Creating an LDAP pseudouser

You will need to have a pseudouser available for coronerd to bind to the LDAP service and perform searches of its directory. Please contact your LDAP administrator for assistance here. 

Install and configure PAM 

PAM is used by coronerd to integrate into your LDAP service. 

CentOS / RHEL

Install the following packages:

  • pam 
  • pam_ldap 

Ubuntu / Debian

Install the following packages:

  • libpam0g 
  • libpam-ldap 

Configure PAM to connect via your pseudouser

Place the following contents into /etc/pam_ldap.conf. Replace the uid in binddn and the bindpw value with your pseudouser's credentials. Because this file holds the bind password in clear text, restrict its permissions so that only root and the account coronerd runs as can read it.

host ldap.mydomain.com
base dc=mydomain,dc=com
binddn uid=app_backtraceio,ou=pseudousers,dc=mydomain,dc=com
bindpw Password1234!
ssl start_tls 
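The following is an added example, not part of the Backtrace documentation or of pam_ldap itself. It parses the key/value format of /etc/pam_ldap.conf shown above and runs the checks an operator would otherwise do by eye: the required keys are present, TLS is configured so the bind password does not cross the network in clear, the sample password from the docs has been replaced, and the file is not readable by other local users. The function names and the sample contents are this example's own.

```python
"""Audit a pam_ldap.conf-style file before pointing coronerd at it.

Added example for this page; not Backtrace's or pam_ldap's own code.
"""
import os
import stat
from typing import Dict, List

REQUIRED_KEYS = ("base", "binddn", "bindpw")


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse 'key value' lines; '#' comments and blank lines are ignored.
    If a key is repeated, the last occurrence wins in this parser."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        cfg[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return cfg


def audit_ldap_conf(cfg: Dict[str, str], file_mode: int = 0o600) -> List[str]:
    """Return a list of findings; an empty list means every check passed.
    file_mode is the permission bits of the file (stat.S_IMODE of st_mode)."""
    findings: List[str] = []

    if "host" not in cfg and "uri" not in cfg:
        findings.append("no 'host' or 'uri' line: the module has no server to contact")
    for key in REQUIRED_KEYS:
        if key not in cfg:
            findings.append(f"missing required key '{key}'")

    # The snippet on this page uses 'ssl start_tls'. Without that (or 'ssl on'
    # / a ldaps:// uri) the bind DN and password are sent unencrypted.
    uri = cfg.get("uri", "")
    if cfg.get("ssl") not in ("start_tls", "on") and not uri.startswith("ldaps://"):
        findings.append("no TLS: set 'ssl start_tls' (or use a ldaps:// uri) so bindpw is not sent in clear")

    # Leftover sample password copied from the documentation.
    if cfg.get("bindpw") == "Password1234!":
        findings.append("bindpw is still the placeholder from the documentation")

    # The file holds a cleartext service credential; group/other bits leak it.
    if file_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {file_mode:04o} is readable by group/other; use 0600")

    return findings


def audit_file(path: str) -> List[str]:
    """Audit an on-disk file using its real permission bits."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return audit_ldap_conf(parse_ldap_conf(text), mode)


# Constructed sample mirroring the snippet on this page (not a real deployment).
SAMPLE_CONF = """\
host ldap.mydomain.com
base dc=mydomain,dc=com
binddn uid=app_backtraceio,ou=pseudousers,dc=mydomain,dc=com
bindpw Password1234!
ssl start_tls
"""

if __name__ == "__main__":
    # Simulate a world-readable file still carrying the sample password.
    for finding in audit_ldap_conf(parse_ldap_conf(SAMPLE_CONF), 0o644):
        print("WARN:", finding)
```

Run `audit_file("/etc/pam_ldap.conf")` as root on the host to check the real file; an empty list means the configuration passed all four checks.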

Allow coronerd to use PAM

Place the following contents into /etc/pam.d/coronerd 

auth        include     system-auth
account     sufficient  pam_ldap.so
account     include     system-auth
password    sufficient  pam_ldap.so
password    include     system-auth
session     sufficient  pam_ldap.so
session     include     system-auth

Whitelist PAM Users

Go to Configure Organization and select Users under Universe Settings. Under the Whitelisted Domains tab, select the domains from which people are allowed to sign themselves up, and set the default authentication method to PAM.

See User Management for more information.

User Invitations

At this point, users should be able to use the invites page to create themselves an account, with their password checked against LDAP. Make sure SMTP is properly configured so that they receive the invitation emails.

See Coronerd Setup for more information on the SMTP config.

Troubleshooting

If authentication fails (bad password when attempting to log into the UI), check that the following PAM and NSS files contain the lines shown below. This has been verified to be needed under CentOS 7.

/etc/nslcd.conf 

uri ldap://ds.mydomain.com:389/
base dc=mydomain,dc=com
binddn cn=app_backtraceio,ou=pseudousers,dc=mydomain,dc=com
bindpw *******

/etc/nsswitch.conf 

passwd:     files ldap
shadow:     files ldap
group:      files ldap

/etc/pam.d/system-auth-ac

auth        sufficient    pam_ldap.so minimum_uid=1000 use_first_pass
account     required      pam_ldap.so minimum_uid=1000
password    sufficient    pam_ldap.so minimum_uid=1000 try_first_pass
session     required      pam_ldap.so minimum_uid=1000
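Added example, not Backtrace's own tooling: a small checker for the troubleshooting items above. It parses nsswitch.conf and pam.d-style files as text and reports which of the expected ldap sources and pam_ldap.so stack entries are absent, so a failed UI login can be narrowed to the file that is missing its line. The function names and the sample file contents are constructed for this example.

```python
"""Check the nsswitch and PAM stack entries the troubleshooting section lists.

Added example; not Backtrace's own code.
"""
from typing import Dict, List, Set

NSS_DATABASES = ("passwd", "shadow", "group")
PAM_TYPES = ("auth", "account", "password", "session")


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each database (passwd, shadow, ...) to its ordered list of sources."""
    db: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, sources = line.partition(":")
        db[name.strip()] = sources.split()
    return db


def nss_missing_ldap(text: str) -> List[str]:
    """Databases among passwd/shadow/group that do not list 'ldap' as a source."""
    db = parse_nsswitch(text)
    return [name for name in NSS_DATABASES if "ldap" not in db.get(name, [])]


def pam_types_with_module(text: str, module: str = "pam_ldap.so") -> Set[str]:
    """Management groups (auth/account/...) whose stack references the module."""
    found: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        # A stack line is: <type> <control> <module> [args...]; a leading '-'
        # on the type (e.g. '-auth') is Linux-PAM's optional-module marker.
        if len(parts) >= 3 and parts[0].lstrip("-") in PAM_TYPES and parts[2] == module:
            found.add(parts[0].lstrip("-"))
    return found


def pam_missing_ldap(text: str) -> List[str]:
    """Management groups that have no pam_ldap.so line at all."""
    present = pam_types_with_module(text)
    return [t for t in PAM_TYPES if t not in present]


# Constructed samples: one correct file and one that would fail the check.
NSSWITCH_OK = "passwd:     files ldap\nshadow:     files ldap\ngroup:      files ldap\n"
NSSWITCH_BAD = "passwd:     files\nshadow:     files\ngroup:      files ldap\n"
SYSTEM_AUTH_OK = """\
auth        sufficient    pam_ldap.so minimum_uid=1000 use_first_pass
account     required      pam_ldap.so minimum_uid=1000
password    sufficient    pam_ldap.so minimum_uid=1000 try_first_pass
session     required      pam_ldap.so minimum_uid=1000
"""
SYSTEM_AUTH_BAD = "auth        sufficient    pam_unix.so nullok\naccount     required      pam_unix.so\n"

if __name__ == "__main__":
    print("nsswitch missing ldap for:", nss_missing_ldap(NSSWITCH_BAD))
    print("system-auth missing pam_ldap.so for:", pam_missing_ldap(SYSTEM_AUTH_BAD))
```

On a live host, read /etc/nsswitch.conf and /etc/pam.d/system-auth-ac and pass their contents to the two `*_missing_ldap` functions. Note that /etc/pam.d/coronerd, as given above, satisfies its auth group via `include system-auth` rather than its own pam_ldap.so line, so the PAM check belongs on the included file, not on the coronerd stack itself.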