1.  The user that runs cimservermain is determined by the
    PEGASUS_CIMSERVERMAIN_USER constant defined in
    <Pegasus/Common/Constants.h>.

2.  All files but the repository are owned by root. The cimservermain
    process may read the root-owned files, but it must ask the executor
    to modify them.

3.  Cimservermain owns the local-domain socket file (/tmp/cimxml.socket).

4.  The executor now detects whether the CIM server is already running.

5.  For logging purposes, the executor uses "cimserver" as its syslog
    identifier.

6.  Setting up PAM authentication (non-standalone).

    First compile with PEGASUS_PAM_AUTHENTICATION.

    Next install the PAM configuration file.

        % cd $PEGASUS_ROOT
        % cp rpm/wbem /etc/pam.d
        % chmod 0644 /etc/pam.d/wbem

7.  To build for standalone PAM authentication, compile with these:

        PEGASUS_PAM_AUTHENTICATION
        PEGASUS_USE_PAM_STANDALONE_PROC

8.  To run cimserver with PAM, use this configuration parameter:

        enableAuthentication=true

9.  To build SSL support, compile with these:

        OPENSSL_HOME=/usr
        PEGASUS_HAS_SSL=true

10. To run cimserver with SSL, use these configuration parameters:

        enableHttpsConnection=true
        enableAuthentication=true
        sslClientVerificationMode=optional
        sslTrustStoreUserName=root

11. To add a user to cimserver.passwd, use the following format (the given
    user must be a real system user).

        jsmith:AB5bZ.JX9fQzA

    Use the following program to generate the password (at least on
    Linux).

        #define _XOPEN_SOURCE
        #include <unistd.h>
        #include <stdio.h>

        int main()
        {
            /* "changeme" is the password, "AB" the two-character salt. */
            const char* hash = crypt("changeme", "AB");
            if (!hash) { perror("crypt"); return 1; }
            printf("%s\n", hash);
            return 0;
        }

    Compile and link the program as follows.

        % gcc -o mkpasswd mkpasswd.cpp -lcrypt

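    A format check for cimserver.passwd entries as described in item 11,
    added here as an example (not part of the Pegasus sources). The function
    names are hypothetical, and the 13-character hash length assumes
    traditional crypt() output as in the sample entry.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>

enum entry_status { ENTRY_OK = 0, ENTRY_NO_COLON, ENTRY_BAD_USER, ENTRY_BAD_HASH };

/* Alphabet used by traditional crypt() for both salt and hash characters. */
static const char CRYPT_ALPHABET[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Check the shape of one line; on success copy the user name into user_out.
 * Assumption: the hash is the 13-character traditional crypt() output
 * (2 salt characters + 11 hash characters), as in the page's sample entry. */
enum entry_status check_entry_format(const char *line, char *user_out, size_t user_len)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return ENTRY_NO_COLON;

    size_t name_len = (size_t)(colon - line);
    if (name_len == 0 || name_len >= user_len)
        return ENTRY_BAD_USER;

    const char *hash = colon + 1;
    size_t hash_len = strcspn(hash, "\r\n");      /* ignore trailing newline */
    if (hash_len != 13 || strspn(hash, CRYPT_ALPHABET) != 13)
        return ENTRY_BAD_HASH;

    memcpy(user_out, line, name_len);
    user_out[name_len] = '\0';
    return ENTRY_OK;
}

/* The page requires the user to be a real system user; ask the passwd database. */
int is_system_user(const char *name)
{
    return getpwnam(name) != NULL;
}

int main(void)
{
    char user[64];
    const char *line = "jsmith:AB5bZ.JX9fQzA";   /* sample entry from the page */
    enum entry_status st = check_entry_format(line, user, sizeof user);
    if (st != ENTRY_OK) { printf("malformed entry (%d)\n", st); return 1; }
    printf("%s: format ok, system user: %s\n", user, is_system_user(user) ? "yes" : "no");
    return 0;
}
```
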
12. KerberosAuthenticationHandler.h and all Kerberos authentication
    logic are not part of the Pegasus repository.

13. The following authentication schemes were rewritten and are now
    part of the executor.

        - PAM Basic Authentication
        - PAM Basic Authentication, using the cimservera program.
        - Secure Local Authentication
        - Secure Basic (uses cimserver.passwd file).

    The following authentication schemes still reside in cimservermain.

        - SSL peer authentication
        - Kerberos (source not available to Pegasus).

14. Note that using "secure basic" authentication and "SSL peer
    authentication" together breaks the end-to-end tests (validate
    user fails since the user is not in the cimserver.passwd file).

15. The install script is responsible for properly setting ownership
    of all files (including the Pegasus repository).