Authenticating with PAM

To configure AEN to authenticate with PAM, you need to have LDAP in place and pre-populated with your users. With LDAP, PAM does not need to read /etc/shadow, so it can authenticate successfully without root privileges.

NOTE: PAM on the Linux machine needs to be tied to LDAP (pam_ldap). You cannot use PAM with local Unix accounts because /etc/shadow is only readable by the root user, but pam_ldap can authenticate against LDAP as a non-root user.

Steps

  1. Stop the wakari server:

    sudo service wakari-server stop
    
  2. Update the configuration file /opt/wakari/wakari-server/etc/wakari/wk-server-config.json to use the PAM authentication method. Change the "accounts": entry to:

    "accounts": "wk_server.plugins.accounts.pam",
    
  3. Restart the wakari server:

    sudo service wakari-server start
    
  4. In your browser, navigate to Anaconda Enterprise Notebooks and attempt to log in as a PAM-based user. Create and start a project, then open a Jupyter Notebook.

  5. Log out, then log in as an administrator and go to the Admin view. Attempt to list users.

Testing

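You can test PAM directly from the Python CLI. Switch to the AEN user, start the interpreter that ships with the server, and call the pam module:

    su - $AEN_USER
    /opt/wakari/wakari-server/bin/python
    >>> import pam
    >>> p = pam.pam()
    >>> p.authenticate("<username>", "<password>")
    True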
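
A pre-flight check for the two conditions this page depends on, the "accounts" setting from step 2 and a PAM auth stack that reaches pam_ldap. This is an added example, not part of AEN. The function names, the sample files and the "login" service name (python-pam's default; the page does not say which service AEN uses) are assumptions.

```python
import json
import os

PAM_PLUGIN = "wk_server.plugins.accounts.pam"  # value from step 2 of the page

def auth_modules(service, files, seen=None):
    """Return the auth modules reachable from a PAM service, following includes."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return []
    seen.add(service)  # guards against include loops
    found = []
    for raw in files[service].splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)  # drop comments, split type
        if len(fields) < 2:
            continue
        if fields[0] == "@include":  # Debian-style include of a whole file
            found += auth_modules(fields[1].strip(), files, seen)
            continue
        if fields[0].lstrip("-") != "auth":
            continue
        rest = fields[1]
        if rest.startswith("["):  # bracketed control, e.g. [success=1 default=ignore]
            control, rest = rest.split("]", 1) if "]" in rest else (rest, "")
        else:
            control, _, rest = rest.replace("\t", " ").partition(" ")
        target = rest.split()
        if not target:
            continue
        if control in ("include", "substack"):
            found += auth_modules(target[0], files, seen)
        else:
            found.append(os.path.basename(target[0]))
    return found

def preflight(config_text, files, service="login"):  # service name is an assumption
    """Return a list of problems; an empty list means both conditions hold."""
    problems = []
    if json.loads(config_text).get("accounts") != PAM_PLUGIN:
        problems.append("accounts is not set to " + PAM_PLUGIN)
    mods = auth_modules(service, files)
    if "pam_ldap.so" not in mods:
        problems.append("%s auth stack has no pam_ldap.so: %s" % (service, mods))
    return problems

# Constructed samples: a config fragment and two sets of /etc/pam.d files.
CONFIG = '{"accounts": "wk_server.plugins.accounts.pam"}'
LDAP_STACK = {"login": "auth include system-auth\naccount required pam_nologin.so\n",
              "system-auth": "auth required pam_env.so\nauth\tsufficient pam_ldap.so  # LDAP\nauth [default=die] pam_deny.so\n"}
LOCAL_STACK = {"login": "@include common-auth\n",
               "common-auth": "auth [success=1 default=ignore] pam_unix.so nullok\nauth requisite pam_deny.so\n"}
```

On a real host, build the files dictionary by reading each file under /etc/pam.d, keyed by file name, and pass the contents of wk-server-config.json as config_text.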

Troubleshooting

If the server throws an import error for the pam module, please make sure that the python-pam==1.8.2 module is installed. If the .condarc file includes the wakari channel then python-pam==1.8.2 will be installed automatically.