Thread: anyone knows about pam_pgsql ?
trying for days now to get documentation about this tool that would allow me to authenticate users for different services via a postgres-database on my linuxsystem.

I obtained two versions: 0.03 which I cant even compile and 0.9.3 which I can compile but there is not a single byte docs coming with it, so I tried based on two postings from googles and failed ...

#%PAM-1.0

auth sufficient /usr/local/lib/pam_pgsql.so user=peter passwd=xxxx host=limpio.local db=auth table=users usercolumn=usernamepasswdcolumn=userpass crypt=1 where=status=1

the failmessage was (definitely OT here ...)
Nov 20 12:59:54 lupo imapd[14134]: accepted connection
Nov 20 12:59:58 lupo imapd[14134]: PAM unable to dlopen(/usr/local/lib/pam_pgsql.so)
Nov 20 12:59:58 lupo imapd[14134]: PAM [dlerror: /usr/local/lib/pam_pgsql.so: undefined symbol: sqlca]
Nov 20 12:59:58 lupo imapd[14134]: PAM adding faulty module: /usr/local/lib/pam_pgsql.so
Nov 20 13:00:01 lupo master[26807]: process 14134 exited, status 0

thnx,
peter

--
mag. peter pilsl
phone: +43 676 3574035
fax : +43 676 3546512
email: pilsl@goldfisch.at
sms : pilsl@max.mail.at
pgp-key available
Hello Peter,

there is another pam-module, which might work. You can find it in http://sourceforge.net/projects/sysauth-pgsql. I'm not sure how well this works. I tried nss-pgsql version 0.9.0 from the same author and ran into massive problems. Maybe version 1.0.0 is better. I didn't try it. My solution was to create my own version of nss-pgsql. If you need it, you can find it on my homepage http://www.maekitalo.de.

Tommi
thnx a lot for your reply. I would like to give the nss a try, but I don't have the slightest idea how to use it (in case I managed to compile).

I just know how to use pam by adding an appropriate login-file to /etc/pam.d/ that contains things like:

auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so

how would this entry look in case I'm using one of the nss-pgsql-tools ?

sorry, but I'm really 100% newbie on nss.

thnx,
peter

On Tue, Nov 20, 2001 at 04:00:41PM +0100, Tommi Mäkitalo wrote:
> Hello Peter,
>
> there is another pam-module, which might work. You can find it in
> http://sourceforge.net/projects/sysauth-pgsql. I'm not sure how well
> this works. I tried nss-pgsql version 0.9.0 from the same author and ran
> into massive problems. Maybe version 1.0.0 is better. I didn't try it.
> My solution was to create my own version of nss-pgsql. If you need it,
> you can find it on my homepage http://www.maekitalo.de.
>
> Tommi
Hello Peter,

nss and pam are different things. Pam is almost unusable without a suitable nss-module. Nss makes a user exist in your system. Pam checks (among other things) if he is allowed to use a service. If you use pam_pgsql without libnss-pgsql you have to add every user to your /etc/passwd. But you don't need to give them passwords. That's what pam does.

I checked my version of libnss-pgsql. I get a compile-error in backend.c. The include-path of postgresql is erroneous. I checked that and updated to 0.9.0tm3. The version libnss-pgsql-1.00 has the same bug.

The instructions to install the module are almost not there. You should do this:
- download
- tar xvzf libnss-pgsql-0.9.0tm3.tar.gz
- cd libnss-pgsql-0.9.0tm3
- ./configure
- make
- make install (as root)
- set up your database (you can find an example schema in crebas.sql)
- edit nss-pgsql.conf and copy to /etc/nss-pgsql.conf
- edit /etc/nsswitch.conf to use pgsql (change 'passwd: compat' to 'passwd: files pgsql' and 'group: compat' to 'group: files pgsql')

It should work now. You can try it out with 'chown pguser ttt'. The file ttt need not exist. 'chown' should complain about it. If your libnss does not work it complains about not existing user 'pguser'.

Tommi
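The nsswitch.conf step and the lookup test from the message above, as an added shell example that is not part of the original thread. The helper names (`sample_nsswitch`, `nss_sources`, `nss_has_source`, `check_pgsql_nss`) are hypothetical, the sample file is constructed, and `pguser` stands for an account that exists only in the database.

```shell
# Added example (not from the thread): check the nsswitch.conf edits, then do
# the lookup that the 'chown pguser ttt' trick exercises.

# Constructed sample of an edited nsswitch.conf, for trying the functions.
sample_nsswitch() {
    printf '%s\n' '# constructed sample' 'passwd: files pgsql' \
        'group:  files [SUCCESS=return] pgsql   # action item' 'hosts: files dns'
}

# Print the sources for database $2 in file $1 (comments, [actions] removed).
nss_sources() {
    awk -v db="$2" '
        { sub(/#.*/, ""); n = index($0, ":"); if (n == 0) next }
        {
            name = substr($0, 1, n - 1); gsub(/[ \t]/, "", name)
            if (name != db) next
            m = split(substr($0, n + 1), tok, /[ \t]+/); out = ""; act = 0
            for (i = 1; i <= m; i++) {
                t = tok[i]; if (t == "") continue
                if (substr(t, 1, 1) == "[") act = 1
                if (!act) out = out (out == "" ? "" : " ") t
                if (substr(t, length(t)) == "]") act = 0
            }
            print out; exit
        }' "$1"
}

# Succeed when source $3 is listed for database $2 in file $1.
nss_has_source() {
    for s in $(nss_sources "$1" "$2"); do
        if [ "$s" = "$3" ]; then return 0; fi
    done
    return 1
}

# $1 = nsswitch.conf path, $2 = account that exists only in the database.
# getent always consults the live system configuration, whatever $1 is.
check_pgsql_nss() {
    rc=0
    for db in passwd group; do
        if nss_has_source "$1" "$db" pgsql; then
            echo "ok:   $db: $(nss_sources "$1" "$db")"
        else echo "FAIL: $db: pgsql not listed"; rc=1
        fi
    done
    if getent passwd "$2" >/dev/null 2>&1; then echo "ok:   $2 resolves via NSS"
    else echo "FAIL: $2 is unknown to NSS"; rc=1
    fi
    return $rc
}
```

The check only tests that pgsql is listed; an action item such as `[NOTFOUND=return]` placed before it would still stop the lookup at `files`.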
For everyone who is using postgres for NSS, please email me and let me know what package you are using and where you got it. I would like to update my HOW-TO at http://blue-labs.org/clue/NSS-pgsql.php.

Thank you,
David

Tommi Mäkitalo wrote:
> Subject: Re: [GENERAL] anyone knows about pam_pgsql ?
> From: Tommi Mäkitalo <t.maekitalo@epgmbh.de>
> Date: Mon, 26 Nov 2001 11:04:21 +0100
> To: Peter Pilsl <pilsl@goldfisch.at>
> CC: postgres mailinglist <pgsql-general@postgresql.org>
Here is the corresponding entry from my internal knowledge-base: it includes much information that was valuable for me and also information about different versions I tried and where I downloaded them ...

It also includes much thanx to Tommi - I never would have made it without it (if you include parts of my info, please include this thanks)

I didn't even know about your howto - if you update it, please be sure to mail me and maybe Tommi and the other project can set a link to your page.

best,
peter

----------

Finally I made userauthentication via a postgresdatabase working. I could not get a pam-module working, but a libnss-module. While I don't know much about this, imho libnss is still a level deeper than pam. So an application can auth via pam and pam is then using nss.

A typical pam-entry would look like:

account required /lib/security/pam_unix.so

and this pam_unix will then use configs defined in nsswitch.conf (see below)

at the moment I got it working with samba and cyrus imapd (details see below or separate entries)

but now to work:

This all is happening under Mandrake 8.x. The final installation occurred on a brand new Mandrake8.1-installation, but I had the same problems with several Mandrake8.0-Machines.

I) download the libnss-pgsql-source.

There are different versions out there: Tommi Mäkitalo, who helped me very much with this stuff, has versions under http://www.maekitalo.de, that were segfaulting here (maybe due to a wrongly configured postgres-server). His version seems to be based on version 0.9 of the official sourceforge-sysauth-pgsql-project that can be found under http://sourceforge.net/projects/sysauth-pgsql

There I downloaded version libnss-pgsql-1.0.0. All the following applies to this version, but when trying to compile I encountered the same problems on both versions. The 1.0.0 has a bit more features. It gives errors when the database is misconfigured and the groups-command is working .. but basically they seem to do exactly the same.

II) prerequisites:

I don't know which of the following steps are really necessary to compile the libnss_pgsql-module, cause first I tried pam_pgsql and a few of these steps were needed to compile pam_pgsql ..

I had a full working postgres-installation installed (compiled manually, so it contains all the headers and so on). Unfortunately I had some problems with the libs. Even when I added the postgres-lib-path to /etc/ld.so.config by adding a line '/usr/local/pgsql/lib' and running ldconfig the libs were not linked proper. So I copied the libs from /usr/local/pgsql/lib to /usr/local/lib and it worked.

Also there were problems of missing header-files when compiling libnss_pgsql. To avoid this, I copied all postgres-headers to the libnss-src (not overwrite config.h !!) and additionally edited the file src/backend.c and changed the line

#include <postgresql/libpq-fe.h>

to

#include <libpq-fe.h>

My pam was installed per rpm on install and I had to install the package pam-devel.rpm to get the needed pam-headerfiles.

* get, compile, install full postgres 7.1.3
* cp -d /usr/local/pgsql/lib/* /usr/local/lib/
* cp /usr/local/pgsql/include/*.h /usr/src/libnss_pgsql-1.0.0/src/ # !! don't overwrite config.h !!!
* vi src/backend.c # change the #include <postgresql/libpq-fe.h> -line
* install pam-devel.rpm

III) compile

./configure --with-gnu-ld

I didn't specify the target-directories in this step, so I had to deal with wrong dirs later .. Maybe using the --prefix=/ option would have been a fine idea ..

make

Nothing bad should happen here anymore, but you should see the -lpq switch on the commandlines running by. Now you can test if the file was compiled proper:

# ld src/.libs/libnss_pgsql.so
ld: warning: cannot find entry symbol _start; not setting start address

There should be no more warning/error than this (no PQxxx missing or whatever)

make install

IV) postrequisites

Guess you won't need that if you use the correct prefix-option above.

* cp -d /usr/local/lib/libnss_pgsql* /lib/
* touch /etc/nss-pgsql.conf; ln -s /etc/nss-pgsql.conf /usr/local/etc/nss-pgsql.conf

V) config

I followed the instructions in the conf/-subfolder. There is a very nice demo-database that I modified a bit (removed the subnet and modem-entry and added my own addons). There are three tables:

* groups will hold the groups
* accounts will hold the users
* usergroups will relate the two other tables. You can add user-group-relations here. Just add the UID/GID-combination here for each group

-----------