Bacula Pluggable Authentication Modules API Framework BPAM

Starting from Bacula Enterprise 12.6 new user authentication API framework is introduced which allows to configure a different authentication mechanisms (user credentials verification) using a dedicated Director plugins and Console resource configuration. This is called BPAM - Bacula Pluggable Authentication Modules.

The new framework support standard user/password and MFA authentication schemes which are fully driven by external plugins. On the client side bconsole when noticed will perform user interaction to collect required credentials. Bacula will still support all previous authentication schemas including CRAM-MD5 and TLS. You can even configure TLS Authentication together with new BPAM authentication raising required security level. BPAM authentication is available for named Console resources only.

The BPAM framework extend a standard Director Plugin API architecture with the following plugin entry points:

bRC getPluginAuthenticationData(bpContext *ctx, const char *param, void **data);
bRC getPluginAuthorizationData(bpContext *ctx, const char *param, void **data);

and plugin events mentioned above:

...
  bDirEventAuthenticationQuestion      = 1000,     // *value is a bDirAuthValue struct allocated by Dir
                                                   // to get return value from
  bDirEventAuthenticationResponse      = 1001,     // *value is a char* to user response
  bDirEventAuthenticate                = 1002,     // return bRC_OK when authenticate is successful
...

• BPAM Plugin Registration
• bacula-dir.conf - Console Resource Configuration

Possible Next Steps

Go back to Bacula FD Plugin API.

Go back to Developer Guide.