If you are using LDAP-based account management, enterprise users can configure their on-premises Backtrace instances to authenticate to their LDAP server via PAM.

Creating an LDAP pseudouser

You will need to have a pseudouser available for coronerd to bind to the LDAP service and perform searches of its directory. Please contact your LDAP administrator for assistance here. 

Install and configure PAM 

PAM is used by coronerd to integrate into your LDAP service. 

CentOS / RHEL

Install the following packages:

• pam 
• pam_ldap 

Ubuntu / Debian

Install the following packages:

• libpam0g 
• libpam-ldap 

Configure PAM to connect via your pseudouser

Place the following contents into /etc/pam_ldap.conf . Note you’ll need to replace uid and bindpw to your pseudouser’s credentials accordingly. 

Allow for coronerd to use PAM

Place the following contents into /etc/pam.d/coronerd 

Whitelist PAM Users

Go to Configure Organization and select Users under Universe Settings, Under the Whitelisted Domains tab, select from which domains people are allowed to sign themselves up, as well as the default authentication method, select PAM there

See User Management for more information.

User Invitations

At this point, users should be able to use the invites page to create themselves an account, with their password coming from LDAP.  Make sure SMTP is properly configured in order for them to receive the invitation emails.

See Coronerd Setup for more information on the SMTP config.

Troubleshooting

If authentication fails (bad password when attempting to log into the UI) check the following PAM files to see if the following lines have been configured.  This is verified to be needed under CentOS 7.

/etc/nslcd.conf 

/etc/nsswitch.conf 

/etc/pam.d/system-auth-ac