If you are using LDAP-based account management, enterprise users can configure their on-premises Backtrace instances to authenticate to their LDAP server via PAM.
Creating an LDAP pseudouser
You will need to have a pseudouser available for coronerd to bind to the LDAP service and perform searches of its directory. Please contact your LDAP administrator for assistance here.
Install and configure PAM
PAM is used by coronerd to integrate into your LDAP service.
CentOS / RHEL
Install the following packages:
- pam
- pam_ldap
Ubuntu / Debian
Install the following packages:
- libpam0g
- libpam-ldap
Configure PAM to connect via your pseudouser
Place the following contents into /etc/pam_ldap.conf. Note you'll need to replace the uid in binddn and the bindpw with your pseudouser's credentials accordingly.
host ldap.mydomain.com
base dc=mydomain,dc=com
binddn uid=app_backtraceio,ou=pseudousers,dc=mydomain,dc=com
bindpw Password1234!
ssl start_tls
Allow coronerd to use PAM
Place the following contents into /etc/pam.d/coronerd
auth include system-auth
account sufficient pam_ldap.so
account include system-auth
password sufficient pam_ldap.so
password include system-auth
session sufficient pam_ldap.so
session include system-auth
Whitelist PAM Users
Go to Configure Organization and select Users under Universe Settings. Under the Whitelisted Domains tab, select the domains from which people are allowed to sign themselves up, as well as the default authentication method; select PAM there.
See User Management for more information.
User Invitations
At this point, users should be able to use the invites page to create themselves an account, with their password coming from LDAP. Make sure SMTP is properly configured in order for them to receive the invitation emails.
See Coronerd Setup for more information on the SMTP config.
Troubleshooting
If authentication fails (a bad-password error when attempting to log into the UI), check that the lines listed below are present in the following PAM-related files. This is verified to be needed under CentOS 7.
/etc/nslcd.conf
uri ldap://ds.mydomain.com:389/
base dc=mydomain,dc=com
binddn cn=app_backtraceio,ou=pseudousers,dc=mydomain,dc=com
bindpw *******
/etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
/etc/pam.d/system-auth-ac
auth sufficient pam_ldap.so minimum_uid=1000 use_first_pass
account required pam_ldap.so minimum_uid=1000
password sufficient pam_ldap.so minimum_uid=1000 try_first_pass
session required pam_ldap.so minimum_uid=1000
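The following script is an added example, not part of the Backtrace documentation or coronerd itself: it checks the three files this page relies on (nsswitch.conf, pam_ldap.conf and pam.d/coronerd) for the settings described above, and additionally requires that pam_ldap.conf, which holds the pseudouser's bindpw in clear text, is readable only by its owner (an assumption of good practice, not a requirement stated on this page). The sample files it checks are constructed inline so it runs offline.

```shell
#!/bin/sh
# Sanity checks for the PAM/LDAP wiring described on this page.
# Sample config files are constructed inline (see make_samples) so the
# script runs offline; on a real host, pass /etc/nsswitch.conf,
# /etc/pam_ldap.conf and /etc/pam.d/coronerd to the check functions.

# passwd, shadow and group must all consult ldap; otherwise the account
# phase cannot resolve directory users and the UI login fails (see the
# CentOS 7 note under Troubleshooting).
check_nsswitch() {
    for db in passwd shadow group; do
        grep -Eq "^[[:space:]]*${db}:.*[[:space:]]ldap([[:space:]]|$)" "$1" || return 1
    done
}

# pam_ldap.conf carries the pseudouser's bindpw: require TLS on the bind
# (ssl start_tls or ssl on), a binddn, and no group/other read access.
check_pam_ldap_conf() {
    grep -Eq '^[[:space:]]*ssl[[:space:]]+(start_tls|on)[[:space:]]*$' "$1" || return 1
    grep -Eq '^[[:space:]]*binddn[[:space:]]+' "$1" || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || return 1
}

# /etc/pam.d/coronerd must define all four management groups, and the
# account group must reach pam_ldap.so as on this page.
check_pam_service() {
    for t in auth account password session; do
        grep -Eq "^[[:space:]]*${t}[[:space:]]+" "$1" || return 1
    done
    grep -Eq '^[[:space:]]*account[[:space:]]+sufficient[[:space:]]+pam_ldap\.so' "$1"
}

# Constructed sample files mirroring the page's examples (not a real host).
make_samples() {
    d=$(mktemp -d)
    printf 'passwd: files ldap\nshadow: files ldap\ngroup: files ldap\n' > "$d/nsswitch.conf"
    printf 'host ldap.mydomain.com\nbase dc=mydomain,dc=com\n' > "$d/pam_ldap.conf"
    printf 'binddn uid=app_backtraceio,ou=pseudousers,dc=mydomain,dc=com\n' >> "$d/pam_ldap.conf"
    printf 'bindpw Password1234!\nssl start_tls\n' >> "$d/pam_ldap.conf"
    chmod 600 "$d/pam_ldap.conf"
    printf 'auth include system-auth\naccount sufficient pam_ldap.so\n' > "$d/coronerd"
    printf 'account include system-auth\npassword sufficient pam_ldap.so\n' >> "$d/coronerd"
    printf 'password include system-auth\nsession sufficient pam_ldap.so\n' >> "$d/coronerd"
    printf 'session include system-auth\n' >> "$d/coronerd"
    echo "$d"
}

samples=$(make_samples)
check_nsswitch "$samples/nsswitch.conf" && echo "nsswitch.conf: ok"
check_pam_ldap_conf "$samples/pam_ldap.conf" && echo "pam_ldap.conf: ok"
check_pam_service "$samples/coronerd" && echo "pam.d/coronerd: ok"
rm -rf "$samples"
```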