Pluggable Authentication Modules
Pluggable Authentication Modules (PAM) is an authentication framework used by Linux and other operating systems. It enables you to integrate multiple low-level authentication schemes into a high-level application programming interface (API). Starting from version 4.6, the Enterprise Edition of Couchbase Server supports administrator authentication using PAM.
- External authentication: PAM support enables Linux administrator accounts defined in /etc/shadow to be used in Couchbase Server.
- Password policy management: PAM enables you to easily control password expiration rules, and synchronize administrator passwords on all servers through Linux password management.
Getting Started with PAM Authentication
Linux Password Authentication Using PAM
The following walks through a sample authentication scenario which uses PAM only to check Linux user login names and passwords. Every administrator permitted to connect to Couchbase Server should have a Linux user account that is mapped to an administrator role in Couchbase Server. You'll need root access to perform the following tasks.
- Install the saslauthd library for your Linux distribution, if it is not already installed. Version 2.1.x or above is required.
$ yum install cyrus-sasl
$ apt-get install sasl2-bin
- If running on Ubuntu/Debian, ensure that the couchbase user is in the sasl group to allow access to saslauthd.
$ usermod -aG sasl couchbase
- In the saslauthd config file, verify that saslauthd is set up to use PAM.
RHEL/CentOS
$ grep "MECH" /etc/sysconfig/saslauthd
MECH=pam
If the above command does not return that MECH is set to pam, adjust the parameter in the config file accordingly.
Ubuntu/Debian
$ grep 'MECHANISMS' /etc/default/saslauthd
MECHANISMS="pam"
If the above command does not return that MECHANISMS is set to "pam", adjust the parameter in the config file accordingly.
- Set up PAM to authenticate the Couchbase service by creating a file named /etc/pam.d/couchbase. Since Linux user accounts are being used, copy /etc/pam.d/passwd to /etc/pam.d/couchbase.
$ cp /etc/pam.d/passwd /etc/pam.d/couchbase
- Test that Linux authentication permits you to log in. For example, use user name: don and password: secretpa$$. You can execute this step with any other Linux credentials as well; if the user already exists, there is no need to create one.
To create a Linux user and set a password, you can use the following commands:
$ useradd don
$ passwd don
- Map the Linux login name (user name) to one or many Couchbase Server administrator roles.
- Restart the saslauthd service for PAM authentication to take effect.
$ service saslauthd restart
- Restart the Couchbase service for external authentication through PAM to take effect.
$ service couchbase-server restart
- Try connecting using the Linux user credentials created earlier, don/secretpa$$.
Couchbase Server should permit the connection, and once authenticated, the privileges of that user in Couchbase Server should match the role mapping.
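The steps above leave several files in a state that is easy to get subtly wrong (a saslauthd config that still selects a different mechanism, a missing or diverging /etc/pam.d/couchbase, the couchbase user not in the sasl group), and a failed login only tells you that something is off. The following POSIX shell script is an added example, not part of Couchbase Server or the saslauthd package: it reads those files and reports each check without changing anything. The sample config, pam.d and group files it writes into a temporary directory are constructed for the demonstration; on a real host you would point the functions at /etc/sysconfig/saslauthd or /etc/default/saslauthd, /etc/pam.d and /etc/group instead.

```shell
#!/bin/sh
# Added example (not Couchbase's or saslauthd's own code): read-only pre-flight
# checks for the PAM-through-saslauthd setup described in the steps above.

# saslauthd_uses_pam CONFIG_FILE
# Returns 0 when the last uncommented MECH= (RHEL/CentOS, /etc/sysconfig/saslauthd)
# or MECHANISMS= (Ubuntu/Debian, /etc/default/saslauthd) assignment is "pam".
saslauthd_uses_pam() {
    [ -r "$1" ] || return 1
    mech=$(sed 's/#.*//' "$1" \
        | grep -E '^[[:space:]]*(MECH|MECHANISMS)[[:space:]]*=' \
        | tail -n 1 \
        | sed 's/^[^=]*=//' \
        | tr -d "\"' \t")
    [ "$mech" = "pam" ]
}

# pam_service_matches PAM_DIR SERVICE REFERENCE
# Returns 0 when PAM_DIR/SERVICE exists, is non-empty and is identical to
# PAM_DIR/REFERENCE, i.e. the copy of /etc/pam.d/passwd was made as described.
pam_service_matches() {
    [ -s "$1/$2" ] && cmp -s "$1/$2" "$1/$3"
}

# group_has_member GROUP_FILE GROUP USER
# Returns 0 when USER appears in GROUP's member list in an /etc/group-style file.
group_has_member() {
    grep -E "^$2:[^:]*:[^:]*:" "$1" | cut -d: -f4 | tr ',' '\n' | grep -qx "$3"
}

# make_demo_files DIR
# Writes constructed sample files (not taken from any real host) under DIR so the
# checks can be exercised offline. The Debian-style config deliberately still
# selects "shadow" with the pam line commented out, a common half-finished edit.
make_demo_files() {
    printf 'MECH=pam\nFLAGS=\n' > "$1/saslauthd.rhel"
    printf 'START=yes\nMECHANISMS="shadow"\n# MECHANISMS="pam"\n' > "$1/saslauthd.deb"
    mkdir -p "$1/pam.d"
    printf 'auth\tinclude\tsystem-auth\naccount\tinclude\tsystem-auth\n' > "$1/pam.d/passwd"
    cp "$1/pam.d/passwd" "$1/pam.d/couchbase"
    printf 'sasl:x:45:couchbase\nsudo:x:27:don\n' > "$1/group"
}

# report LABEL CHECK ARGS...
# Runs CHECK with ARGS and prints a one-line verdict.
report() {
    label="$1"; shift
    if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; fi
}

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
echo "Checking constructed sample files in $demo_dir"
report "saslauthd (RHEL style) selects pam"       saslauthd_uses_pam "$demo_dir/saslauthd.rhel"
report "saslauthd (Debian style) selects pam"     saslauthd_uses_pam "$demo_dir/saslauthd.deb"
report "pam.d/couchbase is a copy of pam.d/passwd" pam_service_matches "$demo_dir/pam.d" couchbase passwd
report "couchbase user is in the sasl group"      group_has_member "$demo_dir/group" sasl couchbase
rm -rf "$demo_dir"
```

Run against the real files as root after completing the steps, for example `saslauthd_uses_pam /etc/default/saslauthd` on Ubuntu/Debian or `saslauthd_uses_pam /etc/sysconfig/saslauthd` on RHEL/CentOS, and `pam_service_matches /etc/pam.d couchbase passwd`; the comment stripping and last-assignment rule mean a commented-out or superseded MECHANISMS line is not mistaken for the active one.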