I have written a PAM (Pluggable Authentication Module) for our WIBS booking
system that talks SOAP to carry out authentication, and I would love to
hear from someone who has worked with PAM and the Linux Terminal Server
Project (LTSP) to get some pointers on configuration. By default, PAM is
configured on most Red Hat machines as something like:
 
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
 
In order to use custom authentication, I changed the settings to the
following:
 
auth   required  /wibs/pam_wibs.so url=http://wibshost:8080/wibssoap station=TEST01 userid=arhyno # all one line
auth       required     pam_securetty.so
auth       required     pam_nologin.so
account    required     /lib/security/pam_unix.so use_first_pass use_authtok debug
password   required     /lib/security/pam_unix.so use_first_pass use_authtok debug
session    required     /lib/security/pam_unix.so
session    optional     pam_console.so
 
This seems to do everything I want: the custom authentication is handled by
the pam_wibs plugin, while the session itself is assigned the permissions
of the user identified by the "userid=" parameter (the authentication is
based on barcode so the stations need to pick up user permissions rather
than creating a userid for every patron). However, this is for a regular login,
and I suspect sites that use LTSP have implemented PAM to plug in their
own authentication. We have a batch of old JavaStations that can talk to
our Linux servers, but it's hard to extrapolate from that somewhat peculiar
setup to how it should work with LTSP. I would also be super-interested if
anyone has used PAM as an alternative login mechanism for OS X; it is
supported but seems to require some special configuration.
 
art
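
A small audit of the modified stack above, as an added example that is not part of the original post: it parses the service file and flags entries worth a manual review before the same configuration is copied to other login services. The trusted directory list, the function names and the finding labels are assumptions made for this example.

```python
import re

# Constructed input: the modified stack from the post, one entry per line.
MODIFIED = """\
#%PAM-1.0
auth   required  /wibs/pam_wibs.so url=http://wibshost:8080/wibssoap station=TEST01 userid=arhyno # all one line
auth       required     pam_securetty.so
auth       required     pam_nologin.so
account    required     /lib/security/pam_unix.so use_first_pass use_authtok debug
password   required     /lib/security/pam_unix.so use_first_pass use_authtok debug
session    required     /lib/security/pam_unix.so
session    optional     pam_console.so
"""

# Assumption: directories treated as the system's own module locations.
TRUSTED_DIRS = ("/lib/security/", "/lib64/security/",
                "/usr/lib/security/", "/usr/lib64/security/")
LINE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_stack(text):
    """Split a /etc/pam.d-style file into (type, control, module, args)."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())  # '#' starts a comment
        if m:
            entries.append((m[1], m[2], m[3], m[4].split()))
    return entries

def audit(text):
    """Return (module, finding) pairs worth a manual review."""
    findings = []
    for _type, _control, module, args in parse_stack(text):
        # Absolute path outside the system module directories: confirm the file
        # and its parent directories are root-owned and not writable by others.
        if module.startswith("/") and not module.startswith(TRUSTED_DIRS):
            findings.append((module, "module-outside-trusted-dir"))
        for arg in args:
            key, _, value = arg.partition("=")
            # Plain HTTP endpoint: what the module sends is not encrypted in transit.
            if value.lower().startswith("http://"):
                findings.append((module, "cleartext-endpoint:" + key))
            # debug makes the module log extra detail via syslog.
            if arg == "debug":
                findings.append((module, "debug-enabled"))
    return findings

if __name__ == "__main__":
    for module, finding in audit(MODIFIED):
        print(f"{module}: {finding}")
```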