Authenticating with PAM
To configure AEN to authenticate with PAM, you need to have LDAP in place and pre-populated with your users. With LDAP, PAM does not need to read /etc/shadow, so it can authenticate successfully without root privileges.
NOTE: PAM on the Linux machine needs to be tied to LDAP (pam_ldap). You cannot use PAM with local Unix accounts because /etc/shadow is only readable by the root user, but pam_ldap can authenticate against LDAP as a non-root user.
Steps
Stop the wakari server:
sudo service wakari-server stop
Update the configuration file /opt/wakari/wakari-server/etc/wakari/wk-server-config.json with the PAM authentication method. Change the entry for the line "accounts": to:
"accounts": "wk_server.plugins.accounts.pam",
Restart the wakari server:
sudo service wakari-server start
In your browser, navigate to Anaconda Enterprise Notebooks and attempt to log in as a PAM-based user – create and start a project, then open a Jupyter Notebook.
Log out, then log in as an administrator and go to the Admin view. Attempt to list users.
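The configuration edit from the steps above, as an added example (not part of the AEN documentation or product code): a Python 3 script that switches the "accounts" entry to the PAM plugin, keeps a rollback copy, and preserves the file's owner and mode. It assumes the file is strict JSON, that the server is stopped, and that the caller may write to the config directory; the function name and the .bak suffix are choices made for this example.

```python
import json
import os
import shutil
import stat
import tempfile

# Path and plugin name are the ones given in the steps above.
CONFIG_PATH = "/opt/wakari/wakari-server/etc/wakari/wk-server-config.json"
PAM_PLUGIN = "wk_server.plugins.accounts.pam"


def set_accounts_plugin(config_path=CONFIG_PATH, plugin=PAM_PLUGIN):
    """Set "accounts" to `plugin` and return the previous value (None if unset).
    Assumption: the file is strict JSON with an object at the top level.
    The file is rewritten with 4-space indentation.
    """
    with open(config_path) as fh:
        config = json.load(fh)  # malformed JSON raises ValueError here
    if not isinstance(config, dict):
        raise ValueError("%s: top level is not a JSON object" % config_path)

    previous = config.get("accounts")
    if previous == plugin:
        return previous  # already configured: leave file and backup untouched

    # Rollback copy next to the original (copy2 keeps mode and timestamps).
    shutil.copy2(config_path, config_path + ".bak")
    config["accounts"] = plugin
    # Write a temp file in the same directory and rename it into place, so an
    # interrupted write never leaves a truncated config for the server to load.
    st = os.stat(config_path)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(config_path) or ".")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(config, fh, indent=4)
            fh.write("\n")
        # mkstemp creates the file 0600 and owned by the caller (root under
        # sudo); restore the original owner and mode so the server can read it.
        os.chown(tmp, st.st_uid, st.st_gid)
        os.chmod(tmp, stat.S_IMODE(st.st_mode))
        os.replace(tmp, config_path)
    except Exception:
        os.unlink(tmp)
        raise
    return previous

if __name__ == "__main__":
    print("previous accounts plugin: %r" % set_accounts_plugin())
```

If the login test that follows fails, copying the .bak file back over the config and restarting the server restores the previous authentication method.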
Testing
You can test PAM directly from the Python CLI:
su - $AEN_USER
/opt/wakari/wakari-server/bin/python
>>> import pam
>>> p = pam.pam()
>>> p.authenticate("<username>", "<password>")
True
Troubleshooting
If the server throws an import error for the pam module, please make sure that the python-pam==1.8.2 module is installed. If the .condarc file includes the wakari channel then python-pam==1.8.2 will be installed automatically.