Can OOD auth be handled by PAM?

Hello,

We are trying to deploy OpenOnDemand on our HPC at the University of Oregon (UO), but we are stuck on user authentication. We have a local LDAP server that handles all user accounts, but password authentication happens in one of two ways: 1) users with UO accounts which are authenticated to a central UO Active Directory server via Kerberos, and 2) external collaborators who do not have UO accounts are authenticated to our local LDAP server. This situation is properly handled by our PAM configuration. Is it possible to configure the OOD portal to hand off authentication to PAM? If so, how is this done? If not, are there any alternatives to handle this scenario?

Thanks!

Robert Yelle
University of Oregon

Dear Robert,

We got this working on our cluster (CentOS 6 based) by installing the mod_authnz_external module for apache in combination with pwauth.
See here for more details:
https://www.server-world.info/en/note?os=CentOS_7&p=httpd&f=10
We only found it to be relatively slow compared to the basic authentication.

Jacob Baggerman
Organic Chemistry
Wageningen University

There seems to also be an open source apache httpd module as well now. @ryelle were you able to solve your problem?

@Jacob-BM Auth seems to be a real pain point for us. We’d love a small write up of how you folks were able to do it so we can add it to our documentation (or you can submit a PR to our docs directly too).

This is how we did it on CentOS 6:

  1. Install pwauth from EPEL

yum --enablerepo=epel -y install pwauth

  2. Download the mod_authnz_external rpm

wget http://download-ib01.fedoraproject.org/pub/epel/7/x86_64/Packages/m/mod_authnz_external-3.3.1-7.el7.x86_64.rpm

  3. Unpack the files from the rpm package:

rpm2cpio mod_authnz_external-3.3.1-7.el7.x86_64.rpm | cpio -idmv

  4. Copy the unpacked files to the Apache folders:

cp usr/lib64/httpd/modules/mod_authnz_external.so /opt/rh/httpd24/root/usr/lib64/httpd/modules
cp etc/httpd/conf.d/authnz_external.conf /opt/rh/httpd24/root/etc/httpd/conf.d

  5. Modify /etc/ood/config/ood_portal.yml

- 'DefineExternalAuth pwauth pipe /usr/bin/pwauth'

auth:
- 'SSLRequireSSL'
- 'AuthType Basic'
- 'AuthName "private"'
- 'AuthBasicProvider external'
- 'AuthExternal pwauth'
- 'RequestHeader unset Authorization'
- 'require valid-user'

  6. Generate the conf file

/opt/ood/ood-portal-generator/sbin/update_ood_portal

  7. Restart Apache

service httpd24-httpd condrestart

Thank you so much! I’ll try to get this added to our documentation so that others will be able to configure PAM more easily.

Hi,

I’m trying to implement a PAM authentication following this example.

In which section of “ood_portal.yml” do I have to add this:

Thanks

jean-marie

This line should not be in a specific section. You can add it just before the ‘auth:’ section.

Looks like update_ood_portal may not be recognizing this config. At least on CentOS 7. It is just building the ood-portal.conf with AuthUserFile "/opt/rh/httpd24/root/etc/httpd/.htpasswd".

@jms27000 I’m pretty sure that entry needs to go within the auth bit like this below. I got an error when it was just hanging around in no specific area.

auth:
- 'DefineExternalAuth pwauth pipe /usr/bin/pwauth'
- 'SSLRequireSSL'
- 'AuthType Basic'
- 'AuthName "private"'
- 'AuthBasicProvider external'
- 'AuthExternal pwauth'
- 'RequestHeader unset Authorization'
- 'require valid-user'

@m_ludwig do you see any errors? I get this when I try to have that directive not within the auth entry.

(/etc/ood/config/ood_portal.yml): did not find expected '-' indicator while parsing a block collection at line 99 column 1

@jeff.ohrstrom Bad syntax in my ood_portal.yml is why the update script did not notice the change, which led to it not creating a new portal.conf.

Now the issue remains with where to put DefineExternalAuth pwauth pipe /usr/bin/pwauth

Apache does not like it in <location>:

Oct 24 12:41:20 ood httpd-scl-wrapper[44122]: AH00526: Syntax error on line 99 of /opt/rh/httpd24/root/etc/httpd/conf.d/ood-portal.conf:
Oct 24 12:41:20 ood httpd-scl-wrapper[44122]: DefineExternalAuth not allowed in <Location> context

but when I put it at the top of ood-portal.conf, it does not seem to see it:

[Thu Oct 24 12:42:17.442257 2019] [authnz_external:error] [pid 44213] [client 192.69.102.35:47926] Invalid AuthExternal keyword (pwauth)

-Morgan

Ok, I got it.

DefineExternalAuth pwauth pipe /usr/bin/pwauth needs to go just above the first <Location> but after the virtual host and directory stuff. Here is where I have it:

..........
  # Reverse proxy traffic to backend PUNs through Unix domain sockets:
  #
  #     https://localhost:443/pun/dev/app/simulations/1
  #     #=> unix:/path/to/socket|http://localhost/pun/dev/app/simulations/1
  #
  SetEnv OOD_PUN_URI "/pun"

DefineExternalAuth pwauth pipe /usr/bin/pwauth
  <Location "/pun">
    SSLRequireSSL
    AuthType Basic
    AuthName "private"
    AuthBasicProvider external
    AuthExternal pwauth
    RequestHeader unset Authorization
    require valid-user

    ProxyPassReverse "http://localhost/pun"

    # ProxyPassReverseCookieDomain implementation (strip domain)
    Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" ""

    # ProxyPassReverseCookiePath implementation (less restrictive)
    Header edit* Set-Cookie ";\s*(?i)Path\s*=(?-i)(?!\s*/pun)[^;]*" "; Path=/pun"

    SetEnv OOD_PUN_SOCKET_ROOT "/var/run/ondemand-nginx"
    SetEnv OOD_PUN_MAX_RETRIES "5"
    LuaHookFixups pun_proxy.lua pun_proxy_handler

  </Location>

..........

I think the template for the ood-portal.conf needs to get updated to include a check for this. I will see if I can get that figured out.

-Morgan

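As an added example (not code from this thread or from Open OnDemand), a small Python pre-flight check over the auth: block of ood_portal.yml that catches the three mistakes hit above before update_ood_portal runs: typographic quotes from copy/paste, DefineExternalAuth listed under auth: (which puts it inside <Location>, where Apache rejects it), and an AuthExternal name with no DefineExternalAuth anywhere in the file. The constructed inputs and the define_authnz key used to hold the directive outside the auth list are assumptions, not part of the generator.

```python
import re

SMART_QUOTES = "\u2018\u2019\u201c\u201d"  # the ‘ ’ “ ” an editor or forum substitutes


def unquote(item):
    """Strip straight or typographic quotes around a YAML list item."""
    return item.strip("'\"" + SMART_QUOTES)


def auth_items(yaml_text):
    """Collect the list items under the top-level auth: key (line based, no YAML library)."""
    items, in_auth = [], False
    for line in yaml_text.splitlines():
        if re.match(r"^auth:\s*$", line):
            in_auth = True
        elif in_auth and re.match(r"^\s*-\s", line):
            items.append(line.split("-", 1)[1].strip())
        elif in_auth and line.strip():
            in_auth = False  # any other non-blank line ends the block
    return items


def check_auth_block(yaml_text):
    """Return a list of problem strings; an empty list means the block looks sane."""
    problems = []
    # Names declared by DefineExternalAuth anywhere in the file (outside auth: is the valid place).
    defined = set(re.findall(r"DefineExternalAuth\s+(\S+)", yaml_text))
    for item in auth_items(yaml_text):
        if any(ch in item for ch in SMART_QUOTES):
            problems.append("typographic quotes in: " + item)
        words = unquote(item).split()
        if words and words[0] == "DefineExternalAuth":
            problems.append("DefineExternalAuth under auth: is not allowed in <Location> context")
        if len(words) == 2 and words[0] == "AuthExternal" and words[1] not in defined:
            problems.append("AuthExternal %s has no matching DefineExternalAuth" % words[1])
    return problems


# Constructed inputs: BAD mirrors the copy/pasted block that failed above, GOOD keeps the
# directive outside the list under an assumed define_authnz key and uses straight quotes.
BAD = ("auth:\n- \u2018DefineExternalAuth pwauth pipe /usr/bin/pwauth\u2019\n"
       "- \u2018SSLRequireSSL\u2019\n- 'AuthExternal pwauth'\n- 'require valid-user'\n")
GOOD = ("define_authnz: 'DefineExternalAuth pwauth pipe /usr/bin/pwauth'\nauth:\n"
        "- 'SSLRequireSSL'\n- 'AuthType Basic'\n- 'AuthBasicProvider external'\n"
        "- 'AuthExternal pwauth'\n- 'require valid-user'\n")

if __name__ == "__main__":
    for name, text in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, check_auth_block(text) or "ok")
```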

I am not any good at ruby, but here is how you could update the ood_portal_generator:

  1. /opt/ood/ood-portal-generator/templates/ood-portal.conf.erb Line 183:
    <%= @define_authnz %>
    so around it would look like:
 <%- if @pun_uri && @nginx_uri -%>
 # Reverse proxy traffic to backend PUNs through Unix domain sockets:
 #
 #     <%= @ssl ? "https" : "http" %>://<%= @servername || "localhost" %>:<%= @port %><%=   @pun_uri %>/dev/app/simulations/1
  #     #=> unix:/path/to/socket|http://localhost<%= @pun_uri %>/dev/app/simulations/1
  #
  SetEnv OOD_PUN_URI "<%= @pun_uri %>"
<%= @define_authnz %>
  <Location "<%= @pun_uri %>">
    <%- @auth.each do |line| -%>
    <%= line %>
    <%- end -%>
  2. /opt/ood/ood-portal-generator/lib/ood_portal_generator/view.rb line 25:
    @define_authnz = opts.fetch(:define)

  3. /etc/ood/config/ood_portal.yml around line 90:

# uncomment if you are using mod_authnz_external
define_authnz: 'DefineExternalAuth pwauth pipe /usr/bin/pwauth'

-Morgan

That would work, though it may be easier for you at your site to just statically add that line to the template.erb itself.

As an aside, can AuthExternal just take 2 arguments like this? Then there’s little need for all the work.

- 'AuthExternal pipe /usr/bin/pwauth'

Apache doesn’t like

'AuthExternal pipe /usr/bin/pwauth'

throws:

[Thu Oct 24 14:55:41.780440 2019] [authnz_external:error] [pid 16834] [client 192.69.102.35:49774] Invalid AuthExternal keyword (pipe)

Looks like AuthExternal doesn’t take args like that.

Hi everybody, and thanks to all who contributed.

I have done the mod proposed with one correction on the view.rb file (working with the 1.6.20 OOD version)

  1. /opt/ood/ood-portal-generator/templates/ood-portal.conf.erb Line 183:
    <%= @define_authnz %>
    so around it would look like:
 <%- if @pun_uri && @nginx_uri -%>
 # Reverse proxy traffic to backend PUNs through Unix domain sockets:
 #
 #     <%= @ssl ? "https" : "http" %>://<%= @servername || "localhost" %>:<%= @port %><%=   @pun_uri %>/dev/app/simulations/1
  #     #=> unix:/path/to/socket|http://localhost<%= @pun_uri %>/dev/app/simulations/1
  #
  SetEnv OOD_PUN_URI "<%= @pun_uri %>"
<%= @define_authnz %>
  <Location "<%= @pun_uri %>">
    <%- @auth.each do |line| -%>
    <%= line %>
    <%- end -%>
  2. /opt/ood/ood-portal-generator/lib/ood_portal_generator/view.rb line 25:
    @define_authnz = opts.fetch(:define_authnz)  # corrected: the key name must match the yml entry
  3. /etc/ood/config/ood_portal.yml around line 90:
# uncomment if you are using mod_authnz_external
define_authnz: 'DefineExternalAuth pwauth pipe /usr/bin/pwauth'

Then I tested it and it runs OK.

Thanks again to all

jean-marie


Thanks for the detailed instructions on how to set up OOD auth using PAM. I was able to follow the instructions.

A tip to others before I ask for help on my issue - When copy/pasting config lines from @Jacob-BM into ood_portal.yml pay attention to the characters. Quotes around ‘SSLRequireSSL’ can get you into trouble.

Now coming to my problem, I followed all the steps, made suggested changes to my ood_portal.yml, ood-portal.conf.erb, view.rb and was able to restart httpd24-httpd without errors but when I try to access the portal I get this message:

" Forbidden
You don’t have permission to access /pun/sys/dashboard on this server."

When I remove the auth: section from ood_portal.yml, run update_ood_portal and restart httpd24-httpd, the portal goes back to the old .htpasswd based authentication.

What did I miss? I hope it’s still not some formatting issue! Any help or clues on how I can debug this?

Thanks for your time,
Krishna.

Nevermind! This is due to the SSLRequireSSL.

Hi All,

https://osc.github.io/ood-documentation/release-1.6/authentication/overview/configure-authentication.html this suggests that the authentication module should go in a separate config file.

I still cannot figure out where to put the “Define…” line.
Any ideas?

Error message:
AH00526: Syntax error on line 110 of /opt/rh/httpd24/root/etc/httpd/conf.d/ood-portal.conf
line 110 of ood-portal.conf:
AuthUserFile “/opt/rh/httpd24/root/etc/httpd/.htpasswd”

Hi and welcome!

Yea things like OIDC configs generally go into a separate file but modules like LDAP generally don’t. OIDC configs have some secrets so it’s a way to change the permissions on that file to be a little more restrictive. Where the ood-portal.conf is world readable a file like oidc.conf is 600.

Where could you add a Define? Yea we don’t really allow for generic additions. You may be able to add it in the template as above (in /opt/ood/ood-portal-generator/templates/ood-portal.conf.erb). Be sure to back up the original and be sure to also save the modified version somewhere else. You’ll lose the modifications after an update and if you lose the backup you may corrupt your install.

Looks like in 1.7 you’ll be able to specify a different template (meaning you can safely use /opt/myowndir/updated-ood-portal.conf.erb). But you’re likely on 1.6.

As to your syntax error, be careful with copying and pasting! As you can see here, the quotes are different. What you want is the first line.

Hi Jeff,

I still cannot get PAM authentication working with CentOS 7.6.
Is there any documentation that can help with this? I think I get lost between the threads above regarding the CentOS 7 implementation…
We use PAM winbind against Centralized DNS servers for user authentication.

Arash