How do I set up MWS to authenticate to PAM


Here are steps that explain how to switch MWS from using LDAP authentication to PAM authentication.

First stop Tomcat

#############################
[root]# systemctl stop tomcat

#############################

Then figure out where the tomcat service file is located. To do this run the following

#############################
[root]# systemctl status tomcat
tomcat.service - Apache Tomcat Web Application Container
Loaded: loaded (/usr/lib/systemd/system/tomcat.service; ...

#############################

Now edit the service file and configure tomcat to run as the root user instead of the tomcat user

#############################
[root]# vim /usr/lib/systemd/system/tomcat.service
...
User=root
...

#############################


Next edit the MWS configuration file and tell MWS to connect to the operating system PAM module instead of directly to the LDAP server.

#############################
[root]# cd /opt/mws/etc
[root]# vim mws-config.groovy

#############################

Comment out ALL of the lines that start with ldap by prepending them with a // as shown below. Make sure you comment them all out. If you miss one, MWS will try to contact LDAP directly instead of PAM.

#############################
//ldap.server = ...
//ldap.port = ...
//ldap.baseDNs = ...
//ldap.bindUser = ...
//ldap.password = ...
//ldap.directory.type = ...

#############################

Add a line that tells MWS to connect to the PAM login module in the operating system.

#############################
pam.configuration.service = "login"

#############################


Save this file and reload the service files.

#############################
[root]# systemctl daemon-reload

#############################


Now restart tomcat.

#############################
[root]# systemctl restart tomcat

#############################

Make sure tomcat is running as the root user (not the tomcat user)

#############################
[root]# ps -ef | grep tomcat | grep MWS
root 2827 1 99 17:37 ? 00:01:39 /usr/java/latest/bin/java -DMWS_HOME=/opt/mws ...

#############################

Open the MWS health page in a web browser (e.g. http://localhost:8080/mws ) and make sure the green/red dot for LDAP is no longer visible. In its place should be a green dot labeled PAM, probably right between the dots for "ZeroMQ Message Queue" and "Insight Server". If you still see an LDAP dot, you probably forgot to comment out an ldap line in mws-config.groovy.

Now try to log into Viewpoint as a user that exists on the operating system (but not "root").
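
A check for the two mws-config.groovy edits above, added here as an example (it is not part of the original article or of MWS): it flags any ldap line left uncommented and confirms that the service named in pam.configuration.service has a file in the PAM directory. The function name check_mws_pam and the /etc/pam.d default are assumptions; only // line comments and double-quoted values are recognized, and the values of leftover ldap lines are redacted so ldap.password is not echoed to the terminal.

```shell
#!/bin/sh
# Added example, not MWS code. Assumed default path: /etc/pam.d.
# check_mws_pam CONFIG [PAM_DIR]
# Returns 0 when CONFIG is consistent with PAM-only authentication,
# 1 when a problem is found, 2 when CONFIG cannot be read.
check_mws_pam() {
    cmp_cfg=$1
    cmp_pam_dir=${2:-/etc/pam.d}
    cmp_rc=0

    [ -r "$cmp_cfg" ] || { echo "cannot read $cmp_cfg"; return 2; }

    # A line whose first non-blank text is "ldap." is still active;
    # lines commented out with // do not match.
    cmp_active=$(grep -nE '^[[:space:]]*ldap\.' "$cmp_cfg" || true)
    if [ -n "$cmp_active" ]; then
        echo "FAIL: uncommented ldap settings remain (line:key):"
        # Redact everything after "=" so secrets are not printed.
        echo "$cmp_active" | sed 's/=.*/= <redacted>/'
        cmp_rc=1
    fi

    # Take the last active pam.configuration.service assignment.
    cmp_svc=$(sed -nE \
        's/^[[:space:]]*pam\.configuration\.service[[:space:]]*=[[:space:]]*"([A-Za-z0-9_.-]+)".*/\1/p' \
        "$cmp_cfg" | tail -n 1)
    if [ -z "$cmp_svc" ]; then
        echo "FAIL: pam.configuration.service is not set"
        cmp_rc=1
    elif [ ! -f "$cmp_pam_dir/$cmp_svc" ]; then
        echo "FAIL: no PAM service file $cmp_pam_dir/$cmp_svc"
        cmp_rc=1
    else
        echo "OK: PAM service \"$cmp_svc\" found at $cmp_pam_dir/$cmp_svc"
    fi
    return $cmp_rc
}

# Run the check when a config path is given on the command line,
# e.g. sh check.sh /opt/mws/etc/mws-config.groovy
if [ "$#" -gt 0 ]; then
    check_mws_pam "$@"
fi
```

Running it before restarting Tomcat catches a missed ldap line without waiting for the health page.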

Last update:
2020-07-30 19:55
Author:
Nate Seeley
Revision:
1.1