Authenticating with PAM

To configure AEN to authenticate with PAM, you need to have LDAP in place and pre-populated with your users. With LDAP, PAM does not need to read /etc/shadow, so it can authenticate successfully without root privileges.

NOTE: PAM on the Linux machine needs to be tied to LDAP (pam_ldap). You cannot use PAM with local Unix accounts because /etc/shadow is only readable by the root user, but pam_ldap can authenticate against LDAP (non-root).

Steps

  1. Stop the wakari server:
       sudo service wakari-server stop
  2. Update the configuration file /opt/wakari/wakari-server/etc/wakari/wk-server-config.json with the PAM authentication method. Change the "accounts" entry to:
       "accounts": "wk_server.plugins.accounts.pam",
  3. Restart the wakari server:
       sudo service wakari-server start
  4. In your browser, navigate to Anaconda Enterprise Notebooks and attempt to log in as a PAM-based user: create and start a project, then open a Jupyter Notebook.
  5. Log out, then log in as an administrator and go to the Admin view. Attempt to list users.

Testing

You can test PAM directly from the Python CLI, running as the AEN user:

    su - $AEN_USER
    /opt/wakari/wakari-server/bin/python
    >>> import pam
    >>> p = pam.pam()
    >>> p.authenticate("<username>", "<password>")
    True
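
An offline pre-flight check for the two prerequisites described above, added here as an example and not part of AEN or its documentation: it confirms that the server config selects the PAM accounts plugin and that pam_ldap.so appears in the auth stack of a PAM service, following include, substack and @include lines. The function names, the "login" service name, the sample file contents and the assumption that "accounts" is a top-level JSON key are all hypothetical; pass in the service your deployment actually uses.

```python
import json
import re

PAM_PLUGIN = "wk_server.plugins.accounts.pam"  # value given on this page
AUTH_LINE = re.compile(r"-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")
INCLUDE_LINE = re.compile(r"@include\s+(\S+)")

def accounts_plugin_ok(config_text):
    """True if the JSON config (assumed top-level key) selects the PAM plugin."""
    return json.loads(config_text).get("accounts") == PAM_PLUGIN

def auth_modules(service, files, seen=None):
    """List a PAM service's auth modules in stack order, following includes.
    files maps a service name to the text of /etc/pam.d/<service>."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return []  # include loop or missing file: nothing to add
    seen.add(service)
    mods = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        inc = INCLUDE_LINE.match(line)
        m = AUTH_LINE.match(line)  # None for account/session/password lines
        if inc:
            mods += auth_modules(inc.group(1), files, seen)
        elif m and m.group(1) in ("include", "substack"):
            mods += auth_modules(m.group(2), files, seen)
        elif m:
            mods.append(m.group(2).rsplit("/", 1)[-1])  # strip any path
    return mods

def preflight(config_text, service, files):
    """Summarise both checks; a stack without pam_ldap.so fails as non-root."""
    mods = auth_modules(service, files)
    return {"accounts_plugin": accounts_plugin_ok(config_text),
            "pam_ldap_in_auth_stack": "pam_ldap.so" in mods,
            "auth_modules": mods}

# Constructed sample input, not taken from a real host.
SAMPLE_CONFIG = '{"accounts": "wk_server.plugins.accounts.pam"}'
SAMPLE_PAM = {
    "login": "auth requisite pam_nologin.so\n@include common-auth\n",
    "common-auth": "auth [success=2 default=ignore] pam_unix.so nullok\n"
                   "auth [success=1 default=ignore] pam_ldap.so use_first_pass\n",
}

if __name__ == "__main__":
    print(preflight(SAMPLE_CONFIG, "login", SAMPLE_PAM))
```

On a real host, build the files mapping by reading /etc/pam.d/ and the config text from wk-server-config.json; a result with only pam_unix.so in the auth stack matches the /etc/shadow failure described in the note above.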

Troubleshooting

If the server throws an import error for the pam module, please make sure that the python-pam==1.8.2 module is installed. If the .condarc file includes the wakari channel then python-pam==1.8.2 will be installed automatically.