Handbook:Advanced Server Configuration:PAM Authentication

HylaFAX has supported PAM authentication since version 4.2.0. To use PAM authentication, HylaFAX must have been compiled with PAM support. PAM support is automatically turned on by configure if it can find the PAM libraries. If you are unsure whether hfaxd supports PAM, you can run the following command:

ldd /usr/sbin/hfaxd

If a line similar to libpam.so.0 => /lib/libpam.so.0 (0xb7f02000) is in the library listing, PAM support has been compiled in. If not, you will have to recompile HylaFAX with PAM support.

The RedHat/Fedora HylaFAX packages distributed on HylaFAX.org are compiled with PAM support. All you need to do to use it is to create a file named /etc/pam.d/hylafax with settings for auth and account. A sample file looks like this:

#%PAM-1.0
auth      required     pam_stack.so service=system-auth
account   required     pam_stack.so service=system-auth
session   required     pam_stack.so service=system-auth

The HylaFAX package distributed by Debian is already compiled with PAM support. In order to use it with the default PAM configuration, the file /etc/pam.d/hylafax must be created with the following content:

@include common-auth
@include common-account
@include common-password
@include common-session

Once PAM has been configured, all connections to hfaxd will require a valid local user and password. Localhost connections are not exempted from this and HylaFAX utils (sendfax, faxstat, ...) run on the local machine will also require the password of the current user.
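
The two prerequisites described above (hfaxd linked against libpam, and a service file that supplies auth and account) can be checked with a short script. This is an added example, not part of HylaFAX; the function names are made up here, and resolving @include lines relative to the service file's directory is an assumption that matches Debian's /etc/pam.d layout.

```shell
#!/bin/sh
# Added example (not HylaFAX code): pre-flight checks for hfaxd PAM authentication.

# Succeeds if ldd output on stdin lists libpam.
ldd_shows_pam() {
    grep -q 'libpam\.so'
}

# Print the module types (auth, account, ...) a PAM service file declares.
# Assumption: "@include name" refers to a file in the same directory.
pam_types() {
    file=$1
    dir=$(dirname "$file")
    [ -r "$file" ] || return 1
    while read -r first second _rest || [ -n "$first" ]; do
        case $first in
            ''|'#'*) continue ;;
            @include) ( pam_types "$dir/$second" ) || : ;;
            -*) echo "${first#-}" ;;
            *) echo "$first" ;;
        esac
    done < "$file"
}

# Print each type hfaxd needs (auth, account) that the service file lacks.
missing_types() {
    types=$(pam_types "$1" | sort -u)
    for need in auth account; do
        echo "$types" | grep -qx "$need" || echo "$need"
    done
}

# Usage: sh check-hfaxd-pam.sh /usr/sbin/hfaxd /etc/pam.d/hylafax
if [ "$#" -ge 2 ]; then
    ldd "$1" | ldd_shows_pam || echo "$1: not linked against libpam"
    missing=$(missing_types "$2")
    [ -z "$missing" ] || echo "$2: no entries for:" $missing
fi
```

No output means both checks passed; the same check applies to the LDAP variant of /etc/pam.d/hylafax.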

LDAP
To use LDAP as the source of authentication your configuration file /etc/pam.d/hylafax would look like:

auth            required        pam_ldap.so
account         required        pam_ldap.so
session         required        pam_ldap.so

On Debian GNU/Linux systems the necessary library is provided by the package libpam-ldap. To establish a connection to the LDAP server the file /etc/pam_ldap.conf has to be configured. Here is an example configuration to connect to Microsoft Active Directory (with SSL support and fallback to a second domain controller):

base dc=domain,dc=local
uri ldaps://dc01.domain.local/ ldaps://dc02.domain.local/
ldap_version 3
binddn auth_ldap_user@domain.local
bindpw password
rootbinddn auth_ldap_user@domain.local
pam_filter objectclass=user
pam_login_attribute sAMAccountName
pam_password crypt
tls_cacertfile /etc/ssl/certs/domain.cer