Advanced Server Configuration: PAM Authentication

PAM Authentication for HylaFAX.

HylaFAX has supported PAM authentication since version 4.2.0. To use it, hfaxd must have been built with PAM support; configure turns it on automatically when it finds the PAM headers and libraries. If you are unsure whether an installed hfaxd supports PAM, run the following command:

ldd /usr/sbin/hfaxd

If a line similar to:

libpam.so.0 => /lib/libpam.so.0 (0xb7f02000)

is in the library listing, PAM support has been compiled in. If not, you will have to recompile HylaFAX with PAM support.

The Red Hat/Fedora HylaFAX packages distributed on HylaFAX.org are compiled with PAM support. All you need to do to use it is to create a file named /etc/pam.d/hylafax with rules for the auth and account types. The sample below stacks the system-wide configuration through pam_stack.so; current Linux-PAM releases no longer ship that module, and on recent Fedora/RHEL the same thing is written as "auth include system-auth" (and likewise for account and session). A sample file looks like this:

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

The HylaFAX package distributed by Debian is also compiled with PAM support. To use it with Debian's default PAM configuration, create /etc/pam.d/hylafax with the following content:

@include common-auth
@include common-account
@include common-password
@include common-session

Once PAM has been configured, every connection to hfaxd requires a user name and password that the PAM stack accepts (with the configurations above, a valid local account). Connections from localhost are not exempted: the HylaFAX utilities (sendfax, faxstat, …) run on the same machine will also ask for the current user's password.
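The two checks described above (is hfaxd linked against libpam, and does /etc/pam.d/hylafax carry the auth and account rules it needs) as an added example, not code from the HylaFAX project. It assumes ldd and grep are available; the only path taken from the page is /usr/sbin/hfaxd, and the service files in the demo are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the HylaFAX documentation: pre-flight checks for hfaxd PAM
# authentication. File paths are parameters so the checks can also be run against copies.

# has_pam_support BINARY
# True when BINARY is dynamically linked against libpam (the ldd check described in the text).
has_pam_support() {
    [ -x "$1" ] || return 1
    ldd "$1" 2>/dev/null | grep -q 'libpam\.so'
}

# check_pam_service FILE
# Accepts a /etc/pam.d/hylafax candidate only if it carries at least one auth and one account
# rule, written either as a direct module line ("auth required pam_ldap.so"), as a Fedora/RHEL
# "auth include system-auth" line, or as a Debian "@include common-auth" line.
# Warns about pam_stack.so, which current Linux-PAM releases no longer ship.
check_pam_service() {
    f=$1; rc=0
    [ -r "$f" ] || { echo "FAIL: $f is not readable"; return 1; }
    for t in auth account; do
        if ! grep -Eq "^[[:space:]]*($t[[:space:]]|@include[[:space:]]+common-$t)" "$f"; then
            echo "FAIL: no $t rule in $f"; rc=1
        fi
    done
    if grep -q 'pam_stack\.so' "$f"; then
        echo "WARN: $f uses pam_stack.so; on current Fedora/RHEL write 'auth include system-auth' instead"
    fi
    return $rc
}

# demo: run both checks, on the installed hfaxd and on constructed service files
demo() {
    has_pam_support /usr/sbin/hfaxd && echo "hfaxd links libpam" || echo "hfaxd has no PAM support (or is not installed here)"
    d=$(mktemp -d)
    printf '%s\n' '@include common-auth' '@include common-account' > "$d/hylafax"   # constructed Debian-style file
    check_pam_service "$d/hylafax" && echo "OK: $d/hylafax"
    printf '%s\n' 'auth required pam_unix.so' > "$d/auth-only"                      # constructed: account rule missing
    check_pam_service "$d/auth-only" || echo "rejected as expected"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as "sh check-hfaxd-pam.sh demo". Once the real service file is in place, "pamtester hylafax <user> authenticate" (Debian package pamtester) exercises the stack directly, which separates PAM configuration problems from hfaxd ones.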

LDAP

To use LDAP as the only source of authentication, your /etc/pam.d/hylafax would look like the following. Note that with this stack local Unix accounts are no longer accepted by hfaxd; if both are wanted, pam_unix.so (or the distribution's common-* files) has to be chained in as well.

auth            required        pam_ldap.so
account         required        pam_ldap.so
session         required        pam_ldap.so

On Debian GNU/Linux systems the module is provided by the package libpam-ldap. The connection to the LDAP server is configured in the file /etc/pam_ldap.conf. Here is an example configuration for Microsoft Active Directory, over LDAPS (TLS) with fallback to a second domain controller. Two caveats: the bindpw line stores the bind account's password in a file that is normally world-readable, so either restrict the file's permissions or drop the line and rely on rootbinddn, for which pam_ldap reads the password from /etc/pam_ldap.secret (mode 0600, owned by root) when the calling process runs as root; and the tls_cacertfile must be PEM-encoded whatever its extension, or the server certificate cannot be verified.

base dc=domain,dc=local
uri ldaps://dc01.domain.local/ ldaps://dc02.domain.local/
ldap_version 3
binddn auth_ldap_user@domain.local
bindpw password
rootbinddn auth_ldap_user@domain.local
pam_filter objectclass=user
pam_login_attribute sAMAccountName
pam_password crypt
tls_cacertfile /etc/ssl/certs/domain.cer
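The Active Directory configuration above with the bind password moved out of the world-readable file, next to an audit that flags the weak version, as an added example that is not from the HylaFAX or pam_ldap documentation. It assumes the PADL pam_ldap module's behaviour of reading the rootbinddn password from /etc/pam_ldap.secret when the caller is root, and that tls_checkpeer is honoured for certificate verification; the directory is a parameter (/etc on a real host, a temporary directory in the demo), the DN, URIs and bind account are the page's placeholders, and "example-bind-password" is a constructed value.

```shell
#!/bin/sh
# Added example, not from the HylaFAX or pam_ldap documentation: write a pam_ldap.conf for the
# Active Directory setup with the bind password kept out of the world-readable config, and
# audit a pam_ldap.conf for the usual mistakes. Assumes PADL pam_ldap, which reads the
# rootbinddn password from pam_ldap.secret (0600, root) when the calling process runs as root.

# write_pam_ldap_conf DIR BASE "URI ..." BINDDN    (bind password read from stdin)
# DIR is /etc on a real host; here it is a parameter so the demo can use a temporary directory.
write_pam_ldap_conf() {
    dir=$1; base=$2; uris=$3; binddn=$4
    cat > "$dir/pam_ldap.conf" <<EOF
base $base
uri $uris
ldap_version 3
# no bindpw here: the rootbinddn password lives in pam_ldap.secret, readable by root only
rootbinddn $binddn
pam_filter objectclass=user
pam_login_attribute sAMAccountName
tls_cacertfile /etc/ssl/certs/domain.cer
tls_checkpeer yes
EOF
    chmod 644 "$dir/pam_ldap.conf"
    # create the secret file owner-only before any byte of the password is written into it
    rm -f "$dir/pam_ldap.secret"
    ( umask 077; cat > "$dir/pam_ldap.secret" )
}

# write_weak_conf DIR: the page's example as-is, bindpw in a world-readable file (for comparison)
write_weak_conf() {
    cat > "$1/pam_ldap.conf" <<'EOF'
base dc=domain,dc=local
uri ldaps://dc01.domain.local/ ldaps://dc02.domain.local/
ldap_version 3
binddn auth_ldap_user@domain.local
bindpw password
rootbinddn auth_ldap_user@domain.local
pam_filter objectclass=user
pam_login_attribute sAMAccountName
pam_password crypt
tls_cacertfile /etc/ssl/certs/domain.cer
EOF
    chmod 644 "$1/pam_ldap.conf"
}

# audit_pam_ldap_conf FILE
# Returns 0 when FILE has no bindpw readable by group/other, uses only ldaps:// URIs
# (or ldap:// together with "ssl start_tls"), and names a CA certificate. Prints each finding.
audit_pam_ldap_conf() {
    f=$1; rc=0
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    if grep -Eq '^[[:space:]]*bindpw' "$f"; then
        case $mode in
            *00) ;;   # owner-only (600/400): acceptable when the caller cannot use rootbinddn
            *) echo "FAIL: bindpw stored in $f with mode $mode (readable by others)"; rc=1 ;;
        esac
    fi
    starttls=0
    grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls' "$f" && starttls=1
    for u in $(awk '$1=="uri"{for(i=2;i<=NF;i++)print $i}' "$f"); do
        case $u in
            ldaps://*) ;;
            ldap://*) [ $starttls -eq 1 ] || { echo "FAIL: cleartext URI $u without ssl start_tls"; rc=1; } ;;
            *) echo "FAIL: unrecognised URI $u"; rc=1 ;;
        esac
    done
    grep -Eq '^[[:space:]]*tls_cacertfile' "$f" || { echo "FAIL: no tls_cacertfile, server certificate cannot be verified"; rc=1; }
    return $rc
}

demo() {
    d=$(mktemp -d)
    write_weak_conf "$d"
    audit_pam_ldap_conf "$d/pam_ldap.conf" || echo "-> the page's example fails the audit"
    printf '%s\n' 'example-bind-password' | write_pam_ldap_conf "$d" 'dc=domain,dc=local' \
        'ldaps://dc01.domain.local/ ldaps://dc02.domain.local/' 'auth_ldap_user@domain.local'
    audit_pam_ldap_conf "$d/pam_ldap.conf" && echo "-> hardened version passes"
    ls -l "$d"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

The secret-file route only works when the process doing the PAM conversation is root; a non-root caller falls back to binddn/bindpw, and Active Directory refuses anonymous searches. In that case keep the bindpw line but make /etc/pam_ldap.conf mode 0600 and owned by the user hfaxd runs as, which the audit accepts.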