Thread: PAM ldap

PAM ldap

From
"Kavan, Dan (IMS)"
Date:
Hi,  I'm running postgresql 8.0.rc5 on SUSE.
I have the pg_hba.conf file configured with
local    all    smith    ident sameuser
host    all    smith    ident sameuser

The way authentication works with that configuration is that if
I'm logged in as smith with my company ldap server I can get in, but if
I'm not directly logged in as smith, I can't get in.  Having the word
pam in this file at all causes an error.  I'd like to use pam so
postgres could do its own ldap/pam lookups, but I keep getting an error
that it doesn't know what pam is.  I see in the logs that the pam server
starts, but I still get an error.   With pam listed I get the red X.  An
error has occurred.  Error connecting to the server: FATAL:  missing or
erroneous pg_hba.conf  HINT: See server log for details.  See server log
details below.  What's wrong with the syntax of my pg_hba.conf file?  I've
tried pam in all caps, adding postgresql after pam and adding
pg_hba.conf after pam in pg_hba.conf, none of which helps.  Thanks for
any tips. It's harder to play once these systems hit production.

serverlog
LOG:  database system was shut down at 2005-01-14 13:34:47 EST
LOG:  checkpoint record is at 0/AEA370
LOG:  redo record is at 0/AEA370; undo record is at 0/0; shutdown TRUE
LOG:  next transaction ID: 628; next OID: 17232
LOG:  database system is ready
LOG:  invalid entry in file
"/sqldata/Linux.pgsql/tarpon5432/pg_hba.conf" at line 66, token "pam"
FATAL:  missing or erroneous pg_hba.conf file
HINT:  See server log for details.

/var/log/messages
Jan 14 13:37:23 tarpon su: (to root) postgres on /dev/pts/0
Jan 14 13:37:23 tarpon su: pam_unix2: session started for user root,
service su

/etc/pam.d/postgresql
auth    required        pam_unix2.so    nullok
account required        pam_unix2.so
    D.J. Kavan



Re: PAM ldap

From
Dick Davies
Date:
* Kavan, Dan (IMS) <KavanD@imsweb.com> [0149 18:49]:
>
> Hi,  I'm running postgresql 8.0.rc5 on SUSE.
> I have the pg_hba.conf file configured with
> local    all    smith    ident sameuser
> host    all    smith    ident sameuser
>
> The way authentication works with that configuration is that if
> I'm logged in as smith with my company ldap server I can get in, but if
> I'm not directly logged in as smith, I can't get in.  Having the word
> pam in this file at all causes an error.  I'd like to use pam so
> postgres could do its own ldap/pam lookups, but I keep getting an error
> that it doesn't know what pam is.  I see in the logs that the pam server
> starts, but I still get an error.

You didn't show the broken config, but assuming it's something like

# TYPE     DATABASE    USER        IP-ADDRESS      IP-MASK           METHOD
hostssl    all         all         127.0.0.1       255.255.255.255   pam

then perhaps you don't have pam support built into postgres?


> /etc/pam.d/postgresql
> auth    required        pam_unix2.so    nullok
> account required        pam_unix2.so

This is going to do unix auth, obviously, so you'll need to s/unix/ldap/ on that...

--
'You may need to metaphorically make a deal with the devil.
By 'devil' I mean robot devil and by 'metaphorically' I mean get your coat.'
        -- Bender
Rasputin :: Jack of All Trades - Master of Nuns

Re: PAM ldap

From
"Kavan, Dan (IMS)"
Date:
Thanks for the reply,

I did compile --with-pam.   Although, the $PATH for the postgres user -
who I used to compile with didn't have /lib and /lib64 in its path.  I
don't see anything in configure.in or config.log to hint that pam isn't
configured, but I'll re-configure anyway.  Is there a way to check PAM
is configured with postgresql?  pam_unix2.so is located in
/lib(64)/security.  I was wondering if both /lib and /lib/security
needed to be in the $PATH or if just /lib/security was needed.

Also, forget about PAM for a minute.  Why does ident work locally, but
the host entry not work as easily?    ident sameuser in host doesn't
work for me.  When I think about it though it makes sense.   I'm coming
in on pgadmin iii from a windows machine and a user logged into a
windows domain.  So, no wonder, it doesn't map right.  It doesn't have
any smith user logged in at the time.   I've tried other combinations
like a map name, user ident, pg user, but it doesn't work.  i.e. TEST
smith smith. And then TEST smith smith in the pg_ident.conf file.  I
really don't think postgresql is talking to our LDAP server.  The only
thing it can do is local (using the unix ldap setup).

Thanks for all your insight,
~DjK


Re: PAM ldap

From
Bruno Wolff III
Date:
On Tue, Jan 18, 2005 at 11:56:25 -0500,
  "Kavan, Dan (IMS)" <KavanD@imsweb.com> wrote:
>
> Also, forget about PAM for a minute.  Why does ident work locally, but
> the host entry not work as easily?    ident sameuser in host doesn't

Are you running an ident server? One needs to be running on the machine
the client is connecting from.

Re: PAM ldap

From
Dick Davies
Date:
* Kavan, Dan (IMS) <KavanD@imsweb.com> [0156 16:56]:
> Thanks for the reply,
>
> I did compile --with-pam.   Although, the $PATH for the postgres user -
> who I used to compile with didn't have /lib and /lib64 in its path.  I
> don't see anything in configure.in or config.log to hint that pam isn't
> configured, but I'll re-configure anyway.  Is there a way to check PAM
> is configured with postgresql?  pam_unix2.so is located in
> /lib(64)/security.  I was wondering if both /lib and /lib/security
> needed to be in the $PATH or if just /lib/security was needed.

PATH isn't used for shared libs (/lib will be getting searched, or the
machine probably wouldn't boot). There's a separate search path set for
the dynamic linker to load shared libraries, but it's platform specific.

(On a leenux you need to add the directory
to /etc/ld.so.conf - or you did last time I used it (circa redhat 5.2 ))

Or you could try setting LD_LIBRARY_PATH=/lib/security (that's a horrible
hack, but it should work).


If I was you I'd just add a --with-pam to your ./configure command line,
and check config.log after that completes.

To check this is your problem, try ldd - it
tells you what shared libs a binary is linked against (and uses the
search path I mentioned earlier).


Mine shows (freebsd 5.3):

rasputnik@eris:rasputnik$ ldd `which postmaster`
/usr/local/bin/postmaster:
        libintl.so.6 => /usr/local/lib/libintl.so.6 (0x28264000)
        libpam.so.2 => /usr/lib/libpam.so.2 (0x2826d000)
        libssl.so.3 => /usr/lib/libssl.so.3 (0x28274000)
        libcrypto.so.3 => /lib/libcrypto.so.3 (0x282a2000)
        libz.so.2 => /lib/libz.so.2 (0x28397000)
        libreadline.so.5 => /lib/libreadline.so.5 (0x283a7000)
        libcrypt.so.2 => /lib/libcrypt.so.2 (0x283d3000)
        libm.so.3 => /lib/libm.so.3 (0x283eb000)
        libutil.so.4 => /lib/libutil.so.4 (0x28405000)
        libc.so.5 => /lib/libc.so.5 (0x28411000)
        libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x284eb000)
        libncurses.so.5 => /lib/libncurses.so.5 (0x285d9000)



> Also, forget about PAM for a minute.

Bye then (I know jack about ident)!

--
'My life, and by extension everyone else's, is meaningless.'
        -- Bender
Rasputin :: Jack of All Trades - Master of Nuns
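Pulling together the three checks raised in this thread (is the binary linked against libpam, is every METHOD in pg_hba.conf a token the 8.0 parser accepts, and does /etc/pam.d/postgresql actually go to pam_ldap.so rather than pam_unix2.so), here is an added shell example that is not from anyone in the thread. The function names and the sample files it writes under a temp directory are my own constructions; point the variables at the real files and saved `ldd` output to check a live server.

```shell
# Added example, not from the thread. Three offline checks for the situation
# discussed above, run here against constructed sample files; point the
# variables at the real $PGDATA/pg_hba.conf, /etc/pam.d/postgresql and saved
# `ldd $(which postmaster)` output to check a live server.
TMP=$(mktemp -d)

# Constructed ldd output: one server build with libpam, one without.
printf 'libpam.so.2 => /usr/lib/libpam.so.2 (0x2826d000)\nlibc.so.5 => /lib/libc.so.5 (0x28411000)\n' > "$TMP/ldd_pam.txt"
printf 'libssl.so.3 => /usr/lib/libssl.so.3 (0x28274000)\nlibc.so.5 => /lib/libc.so.5 (0x28411000)\n' > "$TMP/ldd_nopam.txt"

# Constructed pg_hba.conf files: a valid 8.0 one and one with a bogus METHOD.
cat > "$TMP/hba_ok.conf" <<'EOF'
# TYPE  DATABASE  USER   IP-ADDRESS   IP-MASK          METHOD
local   all       smith                                 ident sameuser
host    all       smith  127.0.0.1    255.255.255.255  pam postgresql
hostssl all       all    10.0.0.0/8                    md5
EOF
cat > "$TMP/hba_bad.conf" <<'EOF'
host    all       all    127.0.0.1    255.255.255.255  PAM
EOF

# Constructed PAM stacks: the thread's unix-only one and an LDAP one.
printf 'auth    required  pam_unix2.so  nullok\naccount required  pam_unix2.so\n' > "$TMP/pam_unix"
printf 'auth    required  pam_ldap.so\naccount required  pam_ldap.so\n' > "$TMP/pam_ldap"

# 1. Was the server built --with-pam?  Feed it saved ldd output; 0 = yes.
linked_against_pam() { grep -q 'libpam\.so' "$1"; }

# 2. Is every METHOD token one the 8.0 hba parser accepts (lowercase, exact)?
#    Prints each offending line number and returns 1 if any are found.
check_hba_methods() {
    awk 'BEGIN { bad = 0 }
         /^[[:space:]]*(#|$)/ { next }                  # comments, blanks
         { if ($1 == "local")      m = $4               # local has no address
           else if ($4 ~ /\//)     m = $5               # CIDR address form
           else                    m = $6               # address + mask form
           if (m !~ /^(trust|reject|md5|crypt|password|krb5|ident|pam)$/) {
               printf "line %d: unknown method \"%s\"\n", NR, m; bad = 1 } }
         END { exit bad }' "$1"
}

# 3. Does the PAM service consult LDAP for both the auth and account phases?
pam_stack_uses_ldap() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_ldap\.so'    "$1" &&
    grep -Eq '^[[:space:]]*account[[:space:]].*pam_ldap\.so' "$1"
}
```

Note that check 2 only catches misspelt or mis-cased tokens; a correctly spelt `pam` on a server built without PAM support still fails with the "invalid entry ... token "pam"" message from the server log above, which is what check 1 is for.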