1. Make the PAM module by typing "make".  You can safely ignore the
warnings at the end of the make process.

2. Copy the PAM service module to /usr/lib/security/ and make sure
the module is owned by root.

3. To enable the radius server to use PAM, you must turn it on in the
mapping file.  The challenge_response_timeout is how long the radius server
will wait for the NAS to return the response to the challenge.  Add
these lines to the radius.mapping file:

Common:
...
	# This is the length of time a client may wait 
	# for a reply from the radius daemon.
	Max_wait_b4_reject=58

	Pam_Authentication=on
	Challenge_Response_Timeout=60

Table:USERS
...
  Export:
...
      PAM-Service-Name		=$pamServiceName
      Ascend-Third-Prompt	=$ascendThirdPrompt
...
  Import:
...
      pamServiceName		=$PAM-Service-Name
      ascendThirdPrompt		=$Ascend-Third-Prompt

4. Add these lines to the dictionary file:

ATTRIBUTE	PAM-Service-Name	2205	string
ATTRIBUTE	User-Reply		2206	string
ATTRIBUTE	User-Check		2207	string

5. Append pamServiceName to the remoteUser object class in
dsserv.oc.conf (don't forget to add a "," to the end of the line that
precedes the one you add):

objectclass remoteUser
...
		pamServiceName

6. Add this line to dsserv.at.conf:

attribute pamServiceName		1.3.6.1.4.1.42.2.27.1.1.76	ces single

7. Add these lines to /etc/pam.conf:

# Radius
radius	auth required	/usr/lib/security/pam_sample.so.1
radius	account required	/usr/lib/security/pam_sample.so.1
radius	session required	/usr/lib/security/pam_sample.so.1
radius	password required	/usr/lib/security/pam_sample.so.1

Note that you can append "use_first_pass" to the above lines to make
the sample module use the password in PAM_AUTHTOK rather than calling
the conv function to do a challenge/response.  See the source code in
sample_authenticate.c for other options in the sample module.

8. If you are using Solaris 2.6, install the PAM patch: 106257.
No patch is needed if you are running Solaris 2.7 or later.

9. To have a user authenticate using PAM, add the following to the
user's entry:

pamServiceName:radius
grpCheckInfo:pamServiceName

If you remove grpCheckInfo:userPassword, then only the PAM module will 
be called to check the password.
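
The following shell functions are an added example, not part of the
original README or the RADIUS server distribution.  They check the results
of steps 2, 3 and 7: module ownership, Pam_Authentication=on in the mapping
file, and the four radius entries in pam.conf.  The function names, the
group/world-writable test and the optional UID argument are assumptions made
for this example.

```shell
#!/bin/sh
# Added example (not from the original README): checks for steps 2, 3 and 7.

# module_perms_ok FILE [UID]: succeed only if FILE is owned by UID (default 0,
# root) and is not group- or world-writable. The write-bit test is an extra
# check beyond the README. Parses ls(1) since old Solaris has no stat(1).
module_perms_ok() {
    info=$(ls -lLnd "$1" 2>/dev/null | awk '{ print $1 ":" $3 }')
    [ -n "$info" ] || return 1                   # missing or unreadable
    [ "${info#*:}" = "${2:-0}" ] || return 1     # wrong owner
    case ${info%%:*} in
        ?????w*|????????w*) return 1 ;;          # group or other write bit
    esac
    return 0
}

# pam_types_missing CONF SERVICE MODULE: print each module type that has no
# uncommented "SERVICE <type> required MODULE" line in CONF.
pam_types_missing() {
    for t in auth account session password; do
        awk -v s="$2" -v t="$t" -v m="$3" '
            /^[ \t]*#/ { next }
            $1 == s && $2 == t && $3 == "required" && $4 == m { found = 1 }
            END { exit !found }' "$1" || printf '%s\n' "$t"
    done
}

# mapping_pam_enabled MAPPING: succeed if an uncommented line sets
# Pam_Authentication=on.
mapping_pam_enabled() {
    awk '/^[ \t]*#/ { next }
         { gsub(/[ \t]/, "") }
         $0 == "Pam_Authentication=on" { ok = 1 }
         END { exit !ok }' "$1"
}

# check_radius_pam MODULE PAM_CONF MAPPING [UID]: run all checks, report
# failures, return non-zero if any failed.
check_radius_pam() {
    rc=0
    module_perms_ok "$1" "${4:-0}" || { echo "FAIL: $1 owner/mode"; rc=1; }
    missing=$(pam_types_missing "$2" radius "$1")
    [ -z "$missing" ] || { echo "FAIL: $2 lacks radius:" $missing; rc=1; }
    mapping_pam_enabled "$3" || { echo "FAIL: $3 Pam_Authentication"; rc=1; }
    return $rc
}
# Usage (the mapping file path is site-specific):
#   check_radius_pam /usr/lib/security/pam_sample.so.1 /etc/pam.conf <radius.mapping>
```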


