Self-hosted Landscape supports a few methods of authentication for its web interface.
If you want to use Pluggable Authentication Modules (PAM) to authenticate users in your new Landscape server, you must create the file /etc/pam.d/landscape with the appropriate PAM configuration.
The simplest possible file is:
    #%PAM-1.0
    auth required pam_permit.so
    account required pam_permit.so
Do NOT use this PAM setup in a production environment. It allows any user to log in without validating the password.
We have tested PAM authentication against an LDAP server running on Ubuntu, and against Windows AD authentication.
If you use PAM to authenticate, the user details stored in Landscape are associated with the PAM identity supplied.
For more information on PAM authentication see PAM Tutorial.
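The pam_permit.so risk described above can be checked before a file goes live. The following is an added example, not part of Landscape or its documentation: it walks the auth stack of a PAM service file as if every module other than pam_permit.so had failed (a wrong password) and reports whether the stack would still succeed. The function names and the two constructed samples are assumptions; include directives and bracketed controls are reported as needs-review rather than evaluated.

```python
import os

PERMIT = "pam_permit.so"  # always succeeds and checks no credential

def auth_rules(text):
    """Return [(control, module)] for the auth stack of a PAM service file."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():    # join continued lines
        fields = raw.split("#", 1)[0].split()             # '#' starts a comment
        if len(fields) >= 2 and fields[0] == "@include":  # Debian/Ubuntu directive
            rules.append(("include", fields[1]))
        elif len(fields) >= 3 and fields[0].lstrip("-") == "auth":
            if fields[1].startswith("["):                 # [value=action ...] control
                rules.append(("bracket", ""))
            else:
                rules.append((fields[1], os.path.basename(fields[2])))
    return rules

def wrong_password_verdict(text):
    """Walk the auth stack as if every module except pam_permit.so failed."""
    rules = auth_rules(text)
    if not rules:
        return "no-auth-rules"
    passed = failed = False
    for control, module in rules:
        if control in ("include", "substack", "bracket"):
            return "needs-review"          # not evaluated by this example
        ok = module == PERMIT
        if control == "sufficient" and ok and not failed:
            return "accepts-any-password"  # stack ends with success here
        if control in ("required", "requisite"):
            if control == "requisite" and not ok:
                return "rejects"           # stack ends with failure here
            passed, failed = passed or ok, failed or not ok
        # a failed 'sufficient' rule and 'optional' rules do not decide the result
    if failed:
        return "rejects"
    return "accepts-any-password" if passed else "needs-review"

# The file from this page, then two constructed samples (pam_unix.so stands in
# for whichever module really validates the password).
PAGE_FILE = "#%PAM-1.0\nauth required pam_permit.so\naccount required pam_permit.so\n"
REAL_CHECK = "#%PAM-1.0\nauth required pam_unix.so\naccount required pam_unix.so\n"
MASKED = "auth sufficient pam_unix.so\nauth required pam_permit.so\n"

if __name__ == "__main__":
    for name in ("PAGE_FILE", "REAL_CHECK", "MASKED"):
        print(name, wrong_password_verdict(globals()[name]))
```

The MASKED sample shows why searching for a real module name is not enough: a failed sufficient rule is ignored, so the trailing pam_permit.so still lets the login through.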
Landscape can use OpenID-Connect (OIDC) to authenticate users. To enable OpenID-Connect support, add the OIDC settings to /etc/landscape/service.conf in the [landscape] section. For example:
    [landscape]
    […]
    oidc-issuer = https://accounts.google.com/
    oidc-client-id = 000000000000-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.apps.googleusercontent.com
    oidc-client-secret = a4sDFAsdfA4F52as-asDfAsd
oidc-issuer is the URL of the issuer. A discovery configuration file should also be available at that URL by appending .well-known/openid-configuration, such as https://accounts.google.com/.well-known/openid-configuration. The oidc-client-secret should be provided by the OpenID-Connect provider when you create the client credentials. The provider may require setting an authorization redirect URI. This should look like
https://your_landscape/login/handle-openid. If your provider also requires a logout redirect URL, this should be the address of your Landscape server such as
After making these changes, restart all Landscape services:
sudo lsctl restart
Optionally, a logout URL can be configured in case the provider does not expose one. It can be configured like so:
    [landscape]
    …
    oidc-logout-url = https://accounts.google.com/logout