Authors: Andreas Klenk, Tobias Heide
Documentation: Tobias Heide
Supported by: Universität Tübingen and Technische Universität München
About this document
Installation of SimplePDP
See it work...
Further steps
  Write your own policy
  Read the documentation of pam_xacml
  Read the source of pamxacml_test
  Contribute to pam_xacml
1. About this document
This document gives very brief instructions on how to get pam_xacml running on a Linux system. If you need further assistance, please refer to the documentation of pam_xacml.
To get the full benefit of pam_xacml you will need to install a Policy Decision Point (PDP). Some are provided with pam_xacml; refer to section four for an example.
On a clean Debian or Ubuntu installation, you would issue the following command:
Then download gSOAP:
When you have finished installing gSOAP, you can proceed with the download of pam_xacml.
Afterwards, install pam_xacml:
Copy the file pamxacml_test from the dist/pam.d directory of the pam_xacml distribution to /etc/pam.d:
Afterwards, edit /etc/pam.d/pamxacml_test and comment out the very last line.
Download JAXP_14_FCS from (sorry no direct link because of licensing issues) https://jaxp.dev.java.net/1.4/binaryDrops.html and place it in the directory PDP/SimplePDP/lib within pam_xacml. Then
Now install Java:
If you get error messages, make sure you placed the libraries into the correct directories.
Now it's time to see pam_xacml work. Open another console to start the provided PDP (called SimplePDP, located in PDP/SimplePDP within your pam_xacml distribution):
You can now go back to your other console and change into the subdirectory tests/ of the distribution. Then call the program "pamxacml_test":
The output of the program should look as follows:
You will find some debug information in your system logs. If you want to switch that off, just disable the debug flag in the PAM configuration of pamxacml_test.
The policy that SimplePDP uses as shipped with the distribution is located at PDP/SimplePDP/xacmlpolicy/obligationtest.xml. You can change it to any other file by editing the file called xacmlConfig.xml located in the SimplePDP directory. Write your own policies to get started with XACML.
Reading the documentation of pam_xacml will give you a better understanding of how you can configure pam_xacml to work in different scenarios. You will also learn what different kinds of PDPs pam_xacml can address.
In particular, have a look at the template request builder, which helps you provide XACML abilities to applications that don't know anything about XACML (they still have to use PAM, though).
Adapt your applications to make use of pam_xacml
It is easy to use pam_xacml from within your application. Please note, though, that pam_xacml is currently in an early alpha state and not suitable for production systems. To get more information about how to integrate PAM and pam_xacml within your application, refer to the PAM developer documents and to the pam_xacml developer handbook.
Reading the source of pamxacml_test will give you a glimpse of how to write your own applications that gain from using pam_xacml.
Help us make pam_xacml better by providing bug reports or contributions to the source code.