External Authentication

FMOS supports authenticating users against several common types of external authentication servers, including Kerberos and LDAP. As with other features of FMOS, external authentication is configured by setting the appropriate configuration variables. Ideally, enabling external authentication is as simple as setting the appropriate type_authn or type_authz variables to true, but most environments will require additional configuration.

This topic describes how best to configure FMOS to use one or more external authentication mechanisms so that user credential management is delegated to a remote service.

Many authentication settings can be set from the FMOS Control Panel.

Authentication versus Authorization

The Linux login process consists of two phases: identity mapping (referred to here as “Authorization”) and password verification (referred to here as “Authentication”).

Authentication is handled by PAM and authorization by the Name Service Switch. By default, both phases are performed using local UNIX authentication, with users, groups, and passwords all kept locally in plain-text files. FMOS requires that local UNIX authentication be used for at least one account, so that an administrator can still log in if every external authentication provider fails.

FMOS provides several options for both phases, and supports practically any combination of them:

Authorization

  • Local UNIX authentication
  • LDAP

Authentication

  • Local UNIX authentication
  • LDAP
  • Kerberos

Not all external authentication mechanisms provide identity mapping (UID lookup and group membership resolution) capabilities, so they must be used in tandem with ones that do. For example, it is common to use LDAP for authorization and Kerberos for authentication. Alternatively, identity mapping can be handled by local UNIX authentication in all cases, even if it is not used for password verification.
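The pairing rule above (Kerberos verifies passwords but cannot map identities, so it must sit beside LDAP or local UNIX authorization) and the local fallback-account requirement from the previous section can be checked before a change is applied. The following is an added example, not FMOS's own code: the `<type>_authn` / `<type>_authz` dictionary keys are modelled on the variable pattern the page mentions and are an assumption, and the shadow-file contents are constructed.

```python
import re

# Provider capabilities as listed above: only LDAP and local UNIX can do
# identity mapping (authz); Kerberos is password verification (authn) only.
AUTHZ_CAPABLE = {"unix", "ldap"}
AUTHN_CAPABLE = {"unix", "ldap", "kerberos"}

# /etc/shadow password fields that mean "no usable local password":
# empty, "*", or anything starting with "!" (locked).
LOCKED = re.compile(r"^(|\*|!.*)$")

# Constructed sample shadow entries (not real hashes); the first two accounts
# have usable hashes, the service account is locked.
SHADOW_SAMPLE = """root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
admin:$y$j9T$saltsalt$hashhashhash:19000:0:99999:7:::
svc:!!:19000:0:99999:7:::
"""


def check_plan(config: dict, shadow_text: str) -> list:
    """Return a list of problems with an authn/authz plan; [] means consistent.

    config maps assumed variable names such as "ldap_authz" or
    "kerberos_authn" to booleans.
    """
    problems = []
    for key, enabled in config.items():
        provider, _, phase = key.rpartition("_")
        if enabled and phase == "authz" and provider not in AUTHZ_CAPABLE:
            problems.append(f"{provider} cannot provide identity mapping (authz)")
    authz = {p for p in AUTHZ_CAPABLE if config.get(f"{p}_authz")}
    authn = {p for p in AUTHN_CAPABLE if config.get(f"{p}_authn")}
    if not authz:
        problems.append("no identity-mapping (authz) provider enabled")
    if not authn:
        problems.append("no password-verification (authn) provider enabled")
    # Fallback: local UNIX authentication must stay on and at least one local
    # account needs a real hash, or nobody can log in when every external
    # provider is unreachable.
    if not config.get("unix_authn"):
        problems.append("local UNIX authentication disabled; no fallback login")
    usable = [line.split(":")[0] for line in shadow_text.splitlines()
              if line.count(":") >= 8 and not LOCKED.match(line.split(":")[1])]
    if not usable:
        problems.append("no local account with a usable password hash")
    return problems
```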

When using an external authentication method, FMOS does not enforce any password policy (such as length and complexity requirements or expiration) but relies on the external authentication server to provide this feature. Additionally, FMOS does not support changing external passwords.