Advanced Server Configuration: PAM Authentication
PAM Authentication for HylaFAX
HylaFAX has supported PAM authentication since version 4.2.0. To use PAM authentication, HylaFAX must have been compiled with PAM support. PAM support is automatically turned on by configure if it can find the PAM libraries. If you are unsure whether hfaxd supports PAM, you can run the following command:
ldd /usr/sbin/hfaxd
If a line similar to:
libpam.so.0 => /lib/libpam.so.0 (0xb7f02000)
is in the library listing, PAM support has been compiled in. If not, you will have to recompile HylaFAX with PAM support.
The RedHat/Fedora HylaFAX packages distributed on HylaFAX.org are compiled with PAM support. All you need to do to use it is to create a file named /etc/pam.d/hylafax with settings for auth and account. A sample file looks like this:
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
The HylaFAX package distributed by Debian is already compiled with PAM support. In order to use it with the default PAM configuration, the file /etc/pam.d/hylafax must be created with the following content:
@include common-auth
@include common-account
@include common-password
@include common-session
Once PAM has been configured, all connections to hfaxd will require a valid local user and password. Localhost connections are not exempted from this and HylaFAX utils (sendfax, faxstat, …) run on the local machine will also require the password of the current user.
LDAP
To use LDAP as the source of authentication your configuration file /etc/pam.d/hylafax would look like:
auth required pam_ldap.so
account required pam_ldap.so
session required pam_ldap.so
On Debian GNU/Linux systems the necessary library is provided by the package libpam-ldap. To establish a connection to the LDAP server the file /etc/pam_ldap.conf has to be configured. Here is an example configuration to connect to Microsoft Active Directory (with SSL support and fallback to a second domain controller):
base dc=domain,dc=local
uri ldaps://dc01.domain.local/ ldaps://dc02.domain.local/
ldap_version 3
binddn auth_ldap_user@domain.local
bindpw password
rootbinddn auth_ldap_user@domain.local
pam_filter objectclass=user
pam_login_attribute sAMAccountName
pam_password crypt
tls_cacertfile /etc/ssl/certs/domain.cer
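The following check is an added example, not part of the original HylaFAX documentation. It audits a pam_ldap.conf like the one above: every server in uri must use ldaps://, tls_cacertfile must name a readable file, and a file that stores bindpw in clear text should not be accessible to group or others. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a pam_ldap.conf such as the one shown above.
# Function names are hypothetical; they are not part of HylaFAX or pam_ldap.

# Print the value of directive KEY in FILE (comment lines never match a key).
conf_get() {
    awk -v k="$2" 'tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); print }' "$1"
}

# Succeed only if a uri directive exists and every server in it uses ldaps://.
uris_all_ldaps() {
    uris=$(conf_get "$1" uri)
    [ -n "$uris" ] || return 1
    for u in $uris; do
        case $u in
            ldaps://*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Succeed if tls_cacertfile is set and names a readable file.
has_ca_file() {
    ca=$(conf_get "$1" tls_cacertfile)
    [ -n "$ca" ] && [ -r "$ca" ]
}

# Succeed (meaning: a finding) if FILE holds a bindpw and group/other can access it.
bindpw_exposed() {
    [ -n "$(conf_get "$1" bindpw)" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other permission bits
    [ "$perms" != "------" ]
}

# Run all checks; print one line per finding and return 1 if there was any.
audit_pam_ldap_conf() {
    rc=0
    uris_all_ldaps "$1" || { echo "WARN: uri missing or not all ldaps://"; rc=1; }
    has_ca_file "$1" || { echo "WARN: tls_cacertfile unset or unreadable"; rc=1; }
    if bindpw_exposed "$1"; then
        echo "WARN: bindpw stored in a file accessible to group or others"; rc=1
    fi
    return $rc
}

# Audit the file given on the command line, if any.
if [ "$#" -gt 0 ]; then audit_pam_ldap_conf "$1"; fi
```

Saved as a script, it takes the path of the file to audit as its only argument, for example /etc/pam_ldap.conf.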