postgresql 7.4.6 and pam_ldap

From
Thomas Leduc
Date:
Hi,
I know that I'm not the first one who wants to use pam_ldap to
authenticate users (55 posts with keywords ldap and pam...). But it
also didn't work for me. Please, what's wrong with the following:

% pg_config --configure
'--host=i386-redhat-linux' '--build=i386-redhat-linux'
[...]
'--with-openssl' '--with-pam' '--with-krb5=/usr' '--enable-nls'
[...]

% cat <<EOF > pg_hba.conf
local   all             postgres                        ident sameuser
local   all             all                             pam postgresql
host    all             all     127.0.0.1/32            pam postgresql
host    all             all     192.168.10.0/24         pam postgresql
EOF

% cat <<EOF > /etc/pam.d/postgresql--tage
auth       required     pam_stack.so service=system-auth
EOF

% pg_ctl reload
% createuser --adduser --createdb leduc
% createdb --owner=leduc --echo leduc

% id postgres
uid=26(postgres) gid=26(postgres) groupes=26(postgres)
$ psql --quiet leduc
leduc=# SELECT 1+1;
...            IT WORKS !!!

% id
uid=252(leduc) gid=100(users) groupes=100(users)
% psql
Mot de passe :
psql: FATAL:  PAM authentication échouée pour l'utilisateur "leduc"
...            IT DOESN'T WORK !!!
% tail -f /var/log/messages
Jan  5 17:41:17 tage postgresql(pam_unix)[12625]: auth could not identify password for [leduc]
Jan  5 17:41:21 tage postgresql(pam_unix)[12627]: authentication failure; logname= uid=26 euid=26 tty= ruser= rhost= user=leduc

% psql -U leduc -W
Mot de passe :
psql: FATAL:  PAM authentication échouée pour l'utilisateur "leduc"
...                     IT DOESN'T WORK !!!
% tail -f /var/log/messages
Jan  5 17:42:11 tage postgresql(pam_unix)[12635]: authentication failure; logname= uid=26 euid=26 tty= ruser= rhost= user=leduc

--
Thomas LEDUC

CNRS UMR 1563 - Laboratoire CERMA - Ecole d'Architecture de Nantes
Tel: +33 (0) 2 40 59 04 59 --  Fax : +33 (0) 2 40 59 11 77
EAN - Rue Massenet - BP 81931 - 44319 NANTES cedex 3
GPG KeyID: B2342343 Fingerprint: D62CF1A9D4BEDE671602504C46514CC8B2342343


Re: postgresql 7.4.6 and pam_ldap

From
Gémes Géza
Date:
Thomas Leduc wrote:

>Hi,
>I know that I'm not the first one who wants to use pam_ldap to
>authenticate users (55 posts with keywords ldap and pam...). But it
>also didn't work for me. Please, what's wrong with the following:
>
>% pg_config --configure
>'--host=i386-redhat-linux' '--build=i386-redhat-linux'
>[...]
>'--with-openssl' '--with-pam' '--with-krb5=/usr' '--enable-nls'
>[...]
>
>% cat <<EOF > pg_hba.conf
>local   all             postgres                        ident sameuser
>local   all             all                             pam postgresql
>host    all             all     127.0.0.1/32            pam postgresql
>host    all             all     192.168.10.0/24         pam postgresql
>EOF
>
>% cat <<EOF > /etc/pam.d/postgresql--tage
>auth       required     pam_stack.so service=system-auth
>EOF
>
>% pg_ctl reload
>% createuser --adduser --createdb leduc
>% createdb --owner=leduc --echo leduc
>
>% id postgres
>uid=26(postgres) gid=26(postgres) groupes=26(postgres)
>$ psql --quiet leduc
>leduc=# SELECT 1+1;
>...            IT WORKS !!!
>
>% id
>uid=252(leduc) gid=100(users) groupes=100(users)
>% psql
>Mot de passe :
>psql: FATAL:  PAM authentication échouée pour l'utilisateur "leduc"
>...            IT DOESN'T WORK !!!
>% tail -f /var/log/messages
>Jan  5 17:41:17 tage postgresql(pam_unix)[12625]: auth could not identify password for [leduc]
>Jan  5 17:41:21 tage postgresql(pam_unix)[12627]: authentication failure; logname= uid=26 euid=26 tty= ruser= rhost= user=leduc
>
>% psql -U leduc -W
>Mot de passe :
>psql: FATAL:  PAM authentication échouée pour l'utilisateur "leduc"
>...                     IT DOESN'T WORK !!!
>% tail -f /var/log/messages
>Jan  5 17:42:11 tage postgresql(pam_unix)[12635]: authentication failure; logname= uid=26 euid=26 tty= ruser= rhost= user=leduc
>
>
>
I would suggest retrying it with a postgres-user-readable
/etc/pam.d/postgresql
and with a pg_hba.conf without postgres specified in the last field after
pam. Also, if you want ldap authentication, take care that in
/etc/pam.d/postgresql you don't reference any other non-pam_ldap module,
and that your /etc/ldap.conf is readable by the postgres user.

Good Luck!

Geza
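An added preflight check, not part of the thread, for the two points Geza raises: which /etc/pam.d service a pg_hba.conf pam line actually selects (postgresql when the trailing field is omitted), and whether that service's auth stack pulls in anything other than pam_ldap, as the pam_stack.so line in the first post did. The pam.d directory, its service files and the pg_hba.conf are constructed stand-ins; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: preflight checks for the pg_hba.conf
# and /etc/pam.d setup discussed above. PAMD and the files under it are
# constructed stand-ins for /etc/pam.d; the function names are hypothetical.

# Print the PAM service a pg_hba.conf "pam" line selects: the optional field
# after "pam", or "postgresql" when absent. Returns 1 for non-pam lines.
hba_pam_service() {
    set -- $1   # split the line into its whitespace-separated fields
    while [ $# -gt 0 ] && [ "$1" != "pam" ]; do shift; done
    [ $# -gt 0 ] || return 1
    if [ -n "$2" ]; then echo "$2"; else echo "postgresql"; fi
}

# Print each "auth" entry of a PAM service file whose module is not pam_ldap.
# pam_stack.so service=system-auth (first post) ends in pam_unix, which is
# what wrote the "could not identify password" syslog lines.
pam_non_ldap_auth_modules() {
    awk '$1 == "auth" && $3 !~ /pam_ldap\.so/ { print $3 }' "$1"
}
# Constructed /etc/pam.d stand-in holding the two stacks seen in the thread.
PAMD=$(mktemp -d)
printf 'auth  required  pam_stack.so service=system-auth\n' > "$PAMD/postgresql"
printf 'auth  required  /lib/security//pam_ldap.so\n' > "$PAMD/postgresql-ldap"

# Status 0 only if the line's service exists under $PAMD and its auth stack
# is pam_ldap only; otherwise print the reason and return 2, 3 or 4.
check_hba_line() {
    svc=$(hba_pam_service "$1") || { echo "not a pam line: $1"; return 2; }
    [ -f "$PAMD/$svc" ] || { echo "no service file: $PAMD/$svc"; return 3; }
    bad=$(pam_non_ldap_auth_modules "$PAMD/$svc")
    [ -z "$bad" ] || { echo "$svc: non-pam_ldap auth module(s): $bad"; return 4; }
    echo "ok: $svc uses pam_ldap only"
}

# Check every pam line of a pg_hba.conf; status 1 if any line fails.
check_hba_file() {
    rc=0
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        hba_pam_service "$line" >/dev/null || continue
        check_hba_line "$line" || rc=1
    done < "$1"
    return $rc
}
# Constructed pg_hba.conf like the second post's, plus one line naming a service.
HBA="$PAMD/pg_hba.conf"
printf 'local all postgres ident sameuser\nlocal all all pam\nhost all all 127.0.0.1/32 pam postgresql-ldap\n' > "$HBA"
if check_hba_file "$HBA"; then echo "all pam lines ok"; else echo "problems found"; fi
```

Readability of the service file and of /etc/ldap.conf by the postgres user still has to be checked on the real host, since the script has no postgres account to run as.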

Re: postgresql 7.4.6 and pam_ldap

From
Thomas Leduc
Date:
On 5 January 2005 at 22:20, Gémes Géza wrote:
>
> I would suggest retrying it with a postgres-user-readable
> /etc/pam.d/postgresql
> and with a pg_hba.conf without postgres specified in the last field after
> pam. Also, if you want ldap authentication, take care that in
> /etc/pam.d/postgresql you don't reference any other non-pam_ldap module,
> and that your /etc/ldap.conf is readable by the postgres user.

Thank you for your help.
That's all I have done:

$ id
uid=26(postgres) gid=26(postgres) groupes=26(postgres)

$ cat /etc/pam.d/postgresql
auth            required        /lib/security//pam_ldap.so

$ cat pg_hba.conf
local   all             postgres                        ident sameuser
local   all             all                             pam
host    all             all     127.0.0.1/32            pam
host    all             all     192.168.10.0/24         pam

$ sed '/^#/d;/^$/d' /etc/ldap.conf
host 192.168.10.2
base ou=Users,dc=cerma,dc=archi,dc=fr
ssl no
pam_password md5

$ psql -U leduc leduc
Mot de passe :
psql: FATAL:  PAM authentication échouée pour l'utilisateur "leduc"
    => DID NOT WORK !!!

# tail -f /var/log/postgresql
Jan  6 10:14:06 tage postgres[21450]: [1-1] TRACE:  00000: pam_authenticate a échoué : Conversation error
Jan  6 10:14:06 tage postgres[21450]: [1-2] EMPLACEMENT :  CheckPAMAuth, auth.c:712
Jan  6 10:14:06 tage postgres[21450]: [2-1] FATAL:  28000: PAM authentication échouée pour l'utilisateur "leduc"
Jan  6 10:14:06 tage postgres[21450]: [2-2] EMPLACEMENT :  auth_failed, auth.c:395
Jan  6 10:14:06 tage postgres[21450]: [3-1] ERREUR:  08006: Impossible d'envoyer les données du client : Relais brisé (pipe)
Jan  6 10:14:06 tage postgres[21450]: [3-2] EMPLACEMENT : internal_flush, pqcomm.c:1000
Jan  6 10:14:09 tage postgres[21451]: [1-1] TRACE:  00000: pam_acct_mgmt a échoué : User account has expired
Jan  6 10:14:09 tage postgres[21451]: [1-2] EMPLACEMENT :  CheckPAMAuth, auth.c:723
Jan  6 10:14:09 tage postgres[21451]: [2-1] FATAL:  28000: PAM authentication échouée pour l'utilisateur "leduc"
Jan  6 10:14:09 tage postgres[21451]: [2-2] EMPLACEMENT :  auth_failed, auth.c:395

    => "User account has expired" seems not to be true!



Re: postgresql 7.4.6 and pam_ldap

From
Dick Davies
Date:
* Thomas Leduc <thomas.leduc@cerma.archi.fr> [0130 09:30]:
> On 5 January 2005 at 22:20, Gémes Géza wrote:
>
> $ cat /etc/pam.d/postgresql
> auth            required        /lib/security//pam_ldap.so

Stick a 'debug' after the .so there, see if anything else turns up.

> $ cat pg_hba.conf
> local   all             postgres                        ident sameuser
> local   all             all                             pam
> host    all             all     127.0.0.1/32            pam
> host    all             all     192.168.10.0/24         pam
>
> $ sed '/^#/d;/^$/d' /etc/ldap.conf
> host 192.168.10.2
> base ou=Users,dc=cerma,dc=archi,dc=fr
> ssl no
> pam_password md5

Can you bind as the user with these settings? It's probably worth ensuring
you are looking for the right objectclass too, by explicitly setting it in
/etc/ldap.conf.

> # tail -f /var/log/postgresql
> Jan  6 10:14:06 tage postgres[21450]: [1-1] TRACE:  00000: pam_authenticate a échoué : Conversation error
> Jan  6 10:14:06 tage postgres[21450]: [1-2] EMPLACEMENT :  CheckPAMAuth, auth.c:712
> Jan  6 10:14:06 tage postgres[21450]: [2-1] FATAL:  28000: PAM authentication échouée pour l'utilisateur "leduc"
> Jan  6 10:14:06 tage postgres[21450]: [2-2] EMPLACEMENT :  auth_failed, auth.c:395
> Jan  6 10:14:06 tage postgres[21450]: [3-1] ERREUR:  08006: Impossible d'envoyer les données du client : Relais brisé (pipe)
> Jan  6 10:14:06 tage postgres[21450]: [3-2] EMPLACEMENT : internal_flush, pqcomm.c:1000
> Jan  6 10:14:09 tage postgres[21451]: [1-1] TRACE:  00000: pam_acct_mgmt a échoué : User account has expired
> Jan  6 10:14:09 tage postgres[21451]: [1-2] EMPLACEMENT :  CheckPAMAuth, auth.c:723
> Jan  6 10:14:09 tage postgres[21451]: [2-1] FATAL:  28000: PAM authentication échouée pour l'utilisateur "leduc"
> Jan  6 10:14:09 tage postgres[21451]: [2-2] EMPLACEMENT :  auth_failed, auth.c:395
>
>     => "User account has expired" seems not to be true!

--
'I should have been a plumber.' -- Albert Einstein
Rasputin :: Jack of All Trades - Master of Nuns