Discussion: postgresql 7.4.6 and pam_ldap
Hi,
I know that I'm not the first one who wants to use pam_ldap to authenticate users (55 posts with keywords ldap and pam...). But it also didn't work for me. Please, what's wrong with the following:

% pg_config --configure
'--host=i386-redhat-linux' '--build=i386-redhat-linux'
[...]
'--with-openssl' '--with-pam' '--with-krb5=/usr' '--enable-nls'
[...]

% cat <<EOF > pg_hba.conf
local all postgres ident sameuser
local all all pam postgresql
host all all 127.0.0.1/32 pam postgresql
host all all 192.168.10.0/24 pam postgresql
EOF

% cat <<EOF > /etc/pam.d/postgresql--tage
auth required pam_stack.so service=system-auth
EOF

% pg_ctl reload
% createuser --adduser --createdb leduc
% createdb --owner=leduc --echo leduc

% id postgres
uid=26(postgres) gid=26(postgres) groups=26(postgres)
$ psql --quiet leduc
leduc=# SELECT 1+1;
... IT WORKS !!!

% id
uid=252(leduc) gid=100(users) groups=100(users)
% psql
Password:
psql: FATAL: PAM authentication failed for user "leduc"
... IT DOESN'T WORK !!!
% tail -f /var/log/messages
Jan 5 17:41:17 tage postgresql(pam_unix)[12625]: auth could not identify password for [leduc]
Jan 5 17:41:21 tage postgresql(pam_unix)[12627]: authentication failure; logname= uid=26 euid=26 tty= ruser= rhost= user=leduc

% psql -U leduc -W
Password:
psql: FATAL: PAM authentication failed for user "leduc"
... IT DOESN'T WORK !!!
% tail -f /var/log/messages
Jan 5 17:42:11 tage postgresql(pam_unix)[12635]: authentication failure; logname= uid=26 euid=26 tty= ruser= rhost= user=leduc

--
Thomas LEDUC
CNRS UMR 1563 - Laboratoire CERMA - Ecole d'Architecture de Nantes
Tel: +33 (0) 2 40 59 04 59 -- Fax : +33 (0) 2 40 59 11 77
EAN - Rue Massenet - BP 81931 - 44319 NANTES cedex 3
GPG KeyID: B2342343 Fingerprint: D62CF1A9D4BEDE671602504C46514CC8B2342343
Thomas Leduc wrote:

>Hi,
>I know that I'm not the first one who wants to use pam_ldap to
>authenticate users (55 posts with keywords ldap and pam...). But it
>also didn't work for me. Please, what's wrong with the following:
>
>% pg_config --configure
>'--host=i386-redhat-linux' '--build=i386-redhat-linux'
>[...]
>'--with-openssl' '--with-pam' '--with-krb5=/usr' '--enable-nls'
>[...]
>
>% cat <<EOF > pg_hba.conf
>local all postgres ident sameuser
>local all all pam postgresql
>host all all 127.0.0.1/32 pam postgresql
>host all all 192.168.10.0/24 pam postgresql
>EOF
>
>% cat <<EOF > /etc/pam.d/postgresql--tage
>auth required pam_stack.so service=system-auth
>EOF
>
>% pg_ctl reload
>% createuser --adduser --createdb leduc
>% createdb --owner=leduc --echo leduc
>
>% id postgres
>uid=26(postgres) gid=26(postgres) groups=26(postgres)
>$ psql --quiet leduc
>leduc=# SELECT 1+1;
>... IT WORKS !!!
>
>% id
>uid=252(leduc) gid=100(users) groups=100(users)
>% psql
>Password:
>psql: FATAL: PAM authentication failed for user "leduc"
>... IT DOESN'T WORK !!!
>% tail -f /var/log/messages
>Jan 5 17:41:17 tage postgresql(pam_unix)[12625]: auth could not identify password for [leduc]
>Jan 5 17:41:21 tage postgresql(pam_unix)[12627]: authentication failure; logname= uid=26 euid=26 tty= ruser= rhost= user=leduc
>
>% psql -U leduc -W
>Password:
>psql: FATAL: PAM authentication failed for user "leduc"
>... IT DOESN'T WORK !!!
>% tail -f /var/log/messages
>Jan 5 17:42:11 tage postgresql(pam_unix)[12635]: authentication failure; logname= uid=26 euid=26 tty= ruser= rhost= user=leduc
>
>
I would suggest retrying it with a postgres-user-readable /etc/pam.d/postgresql and with a pg_hba.conf without postgres specified in the last field after pam. Also, if you want ldap authentication, take care that in /etc/pam.d/postgresql you don't reference any other non-pam_ldap module, and that your /etc/ldap.conf is readable by the postgres user.

Good Luck!

Geza
On 5 January 2005 at 22:20, Gémes Géza wrote:
>
> I would suggest to retry it with a postgres user readable
> /etc/pam.d/postgresql
> and with a pg_hba.conf without postgres specified on the last field after
> pam. Also if you want ldap authentication, take care, that in
> /etc/pam.d/postgresql you don't reference any other non pam_ldap module,
> and your /etc/ldap.conf is readable by postgres user.
Thank you for your help.
That's all I have done:
$ id
uid=26(postgres) gid=26(postgres) groupes=26(postgres)
$ cat /etc/pam.d/postgresql
auth required /lib/security//pam_ldap.so
$ cat pg_hba.conf
local all postgres ident sameuser
local all all pam
host all all 127.0.0.1/32 pam
host all all 192.168.10.0/24 pam
$ sed '/^#/d;/^$/d' /etc/ldap.conf
host 192.168.10.2
base ou=Users,dc=cerma,dc=archi,dc=fr
ssl no
pam_password md5
$ psql -U leduc leduc
Password:
psql: FATAL: PAM authentication failed for user "leduc"
=> DID NOT WORK !!!
# tail -f /var/log/postgresql
Jan 6 10:14:06 tage postgres[21450]: [1-1] LOG: 00000: pam_authenticate failed: Conversation error
Jan 6 10:14:06 tage postgres[21450]: [1-2] LOCATION: CheckPAMAuth, auth.c:712
Jan 6 10:14:06 tage postgres[21450]: [2-1] FATAL: 28000: PAM authentication failed for user "leduc"
Jan 6 10:14:06 tage postgres[21450]: [2-2] LOCATION: auth_failed, auth.c:395
Jan 6 10:14:06 tage postgres[21450]: [3-1] ERROR: 08006: could not send data to client: Broken pipe
Jan 6 10:14:06 tage postgres[21450]: [3-2] LOCATION: internal_flush, pqcomm.c:1000
Jan 6 10:14:09 tage postgres[21451]: [1-1] LOG: 00000: pam_acct_mgmt failed: User account has expired
Jan 6 10:14:09 tage postgres[21451]: [1-2] LOCATION: CheckPAMAuth, auth.c:723
Jan 6 10:14:09 tage postgres[21451]: [2-1] FATAL: 28000: PAM authentication failed for user "leduc"
Jan 6 10:14:09 tage postgres[21451]: [2-2] LOCATION: auth_failed, auth.c:395
=> "User account has expired" seems not to be true!
--
Thomas LEDUC
CNRS UMR 1563 - Laboratoire CERMA - Ecole d'Architecture de Nantes
Tel: +33 (0) 2 40 59 04 59 -- Fax : +33 (0) 2 40 59 11 77
EAN - Rue Massenet - BP 81931 - 44319 NANTES cedex 3
GPG KeyID: B2342343 Fingerprint: D62CF1A9D4BEDE671602504C46514CC8B2342343
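The two log excerpts in this thread (the pam_unix lines in /var/log/messages from the first post, and the PostgreSQL log just above) each name the PAM call that failed, and that is the useful bit: pam_authenticate is the password check, pam_acct_mgmt is the separate account-validity check that only runs after the password has been accepted. The script below is an added example, not code from the thread or from PostgreSQL. It runs over those lines (embedded as constructed sample input, with the server's French messages rendered in English) and maps each backend pid to the failing phase. Its reading of "Conversation error" rests on how PostgreSQL 7.4 asks for the password from inside its PAM conversation function: psql without -W connects with no password first, libpq refuses the server's password request and closes the socket, which produces the conversation error and the "Broken pipe" on the same pid before psql prompts and reconnects.

```python
"""Map PostgreSQL 7.4 PAM failures to the PAM phase that produced them.

Added example, not code from the thread or from PostgreSQL.  SAMPLE_LOG is
constructed from the lines posted in this thread, with the server's French
messages rendered in English.
"""
import re

SAMPLE_LOG = """\
Jan 5 17:41:17 tage postgresql(pam_unix)[12625]: auth could not identify password for [leduc]
Jan 5 17:41:21 tage postgresql(pam_unix)[12627]: authentication failure; logname= uid=26 euid=26 tty= ruser= rhost= user=leduc
Jan 6 10:14:06 tage postgres[21450]: [1-1] LOG: 00000: pam_authenticate failed: Conversation error
Jan 6 10:14:06 tage postgres[21450]: [2-1] FATAL: 28000: PAM authentication failed for user "leduc"
Jan 6 10:14:06 tage postgres[21450]: [3-1] ERROR: 08006: could not send data to client: Broken pipe
Jan 6 10:14:09 tage postgres[21451]: [1-1] LOG: 00000: pam_acct_mgmt failed: User account has expired
Jan 6 10:14:09 tage postgres[21451]: [2-1] FATAL: 28000: PAM authentication failed for user "leduc"
"""

# syslog prefix: timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# (pattern on the message, PAM phase, what a practitioner should conclude)
RULES = [
    (re.compile(r"auth could not identify password for \[(?P<detail>[^\]]+)\]"),
     "pam_authenticate/pam_unix",
     "pam_unix has no password hash to compare: the user is not in the local "
     "shadow file, or the server process (uid 26 here) cannot read it. "
     "Expected for an LDAP-only user; pam_unix does not belong in this stack."),
    (re.compile(r"authentication failure; .*\buser=(?P<detail>\S+)"),
     "pam_authenticate/pam_unix",
     "pam_unix rejected the login (the preceding line usually says why)."),
    (re.compile(r"pam_authenticate failed: (?P<detail>Conversation error)"),
     "pam_authenticate/conversation",
     "The server could not get a password through its PAM conversation. "
     "psql without -W connects with no password first and libpq drops the "
     "connection when asked for one; the Broken pipe on the same pid is that "
     "disconnect. Not a wrong-password result."),
    (re.compile(r"pam_acct_mgmt failed: (?P<detail>.+)$"),
     "pam_acct_mgmt",
     "The password was accepted; the account-management phase refused the "
     "account. With pam_ldap that phase reads the entry's shadow attributes "
     "(shadowExpire and friends), so inspect those, not the password."),
]


def classify(log_text):
    """Return one finding (pid, phase, detail, meaning) per matching line."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for pattern, phase, meaning in RULES:
            hit = pattern.search(m.group("msg"))
            if hit:
                findings.append({
                    "pid": m.group("pid"),
                    "phase": phase,
                    "detail": hit.group("detail"),
                    "meaning": meaning,
                })
                break
    return findings


def phase_per_connection(log_text):
    """Backend pid -> last PAM phase seen failing for that connection."""
    return {f["pid"]: f["phase"] for f in classify(log_text)}


if __name__ == "__main__":
    for f in classify(SAMPLE_LOG):
        print("pid %s  %-28s %s\n    %s"
              % (f["pid"], f["phase"], f["detail"], f["meaning"]))
```

Run it against a live log with `tail -n 200 /var/log/postgresql | python3 pamphase.py` after swapping SAMPLE_LOG for stdin; the point is the per-pid verdict, which separates a client that never sent a password (pid 21450) from an account that pam_ldap's account phase rejected after the password was accepted (pid 21451).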
* Thomas Leduc <thomas.leduc@cerma.archi.fr> [0130 09:30]:
> On 5 January 2005 at 22:20, Gémes Géza wrote:
>
> $ cat /etc/pam.d/postgresql
> auth required /lib/security//pam_ldap.so

Stick a 'debug' after the .so there, see if anything else turns up.

> $ cat pg_hba.conf
> local all postgres ident sameuser
> local all all pam
> host all all 127.0.0.1/32 pam
> host all all 192.168.10.0/24 pam
>
> $ sed '/^#/d;/^$/d' /etc/ldap.conf
> host 192.168.10.2
> base ou=Users,dc=cerma,dc=archi,dc=fr
> ssl no
> pam_password md5

Can you bind as the user with these settings? It's probably worth ensuring you are looking for the right objectclass too, by explicitly setting it in /etc/ldap.conf.

> # tail -f /var/log/postgresql
> Jan 6 10:14:06 tage postgres[21450]: [1-1] LOG: 00000: pam_authenticate failed: Conversation error
> Jan 6 10:14:06 tage postgres[21450]: [1-2] LOCATION: CheckPAMAuth, auth.c:712
> Jan 6 10:14:06 tage postgres[21450]: [2-1] FATAL: 28000: PAM authentication failed for user "leduc"
> Jan 6 10:14:06 tage postgres[21450]: [2-2] LOCATION: auth_failed, auth.c:395
> Jan 6 10:14:06 tage postgres[21450]: [3-1] ERROR: 08006: could not send data to client: Broken pipe
> Jan 6 10:14:06 tage postgres[21450]: [3-2] LOCATION: internal_flush, pqcomm.c:1000
> Jan 6 10:14:09 tage postgres[21451]: [1-1] LOG: 00000: pam_acct_mgmt failed: User account has expired
> Jan 6 10:14:09 tage postgres[21451]: [1-2] LOCATION: CheckPAMAuth, auth.c:723
> Jan 6 10:14:09 tage postgres[21451]: [2-1] FATAL: 28000: PAM authentication failed for user "leduc"
> Jan 6 10:14:09 tage postgres[21451]: [2-2] LOCATION: auth_failed, auth.c:395
>
> => "User account has expired" seems not to be true!

--
'I should have been a plumber.' -- Albert Einstein
Rasputin :: Jack of All Trades - Master of Nuns
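Following up on "can you bind as the user with these settings?" and on the pam_acct_mgmt line in the log: pam_ldap locates the user with a (uid=<user>) search under base, binds with the DN it finds, and in its account phase compares the entry's shadowExpire (days since 1970-01-01) with today's day number, returning PAM_ACCT_EXPIRED, which PAM reports as "User account has expired". The script below is an added example, not part of the thread or of pam_ldap. It parses the posted /etc/ldap.conf (embedded as constructed input), builds the ldapsearch command that reproduces the bind and fetches the shadow attributes, and applies the expiry rule to a constructed entry. Assumptions: pam_login_attribute is at its default (uid), the entry sits directly under base, and the expiry rule models pam_ldap's shadowExpire check, with the handling of the boundary day itself not taken from pam_ldap's source.

```python
"""Reproduce pam_ldap's user lookup and shadowExpire rule outside PAM.

Added example, not code from the thread or from pam_ldap.  LDAP_CONF is the
/etc/ldap.conf posted above; SAMPLE_ENTRY is a constructed directory entry.
Assumptions are marked in the comments.
"""
import shlex
import time

LDAP_CONF = """\
host 192.168.10.2
base ou=Users,dc=cerma,dc=archi,dc=fr
ssl no
pam_password md5
"""

# Constructed entry as pam_ldap would read it; day 12000 falls in late 2002.
SAMPLE_ENTRY = {
    "dn": "uid=leduc,ou=Users,dc=cerma,dc=archi,dc=fr",
    "objectClass": ["posixAccount", "shadowAccount"],
    "uid": ["leduc"],
    "shadowExpire": ["12000"],  # days since 1970-01-01
}


def parse_ldap_conf(text):
    """Key/value lines of ldap.conf; comments and blank lines skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def ldap_filter_escape(value):
    """RFC 4515 escaping so a login name cannot alter the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def user_filter(conf, user):
    """pam_ldap searches (pam_login_attribute=user) under base; the attribute
    defaults to uid (assumption: not overridden in ldap.conf)."""
    return "(%s=%s)" % (conf.get("pam_login_attribute", "uid"),
                        ldap_filter_escape(user))


def ldapsearch_command(conf, user):
    """ldapsearch invocation that binds as the user and fetches the attributes
    pam_ldap's account phase looks at.  The bind DN assumes the entry sits
    directly under base (assumption); otherwise use the DN that an anonymous
    search returns."""
    if "uri" in conf:
        uri = conf["uri"]
    else:
        scheme = "ldaps" if conf.get("ssl", "no") in ("on", "yes") else "ldap"
        uri = "%s://%s" % (scheme, conf.get("host", "localhost"))
    bind_dn = "%s=%s,%s" % (conf.get("pam_login_attribute", "uid"), user, conf["base"])
    argv = ["ldapsearch", "-x", "-H", uri]
    if conf.get("ssl") == "start_tls":
        argv.append("-ZZ")
    argv += ["-D", bind_dn, "-W", "-b", conf["base"], user_filter(conf, user),
             "objectClass", "shadowExpire", "shadowLastChange", "shadowMax"]
    return " ".join(shlex.quote(a) for a in argv)


def account_expired(entry, today_days=None):
    """Expiry rule modelled on pam_ldap's account phase: a positive shadowExpire
    earlier than today (days since the epoch) means PAM_ACCT_EXPIRED.  Treating
    the boundary day as still valid is an assumption, not taken from pam_ldap."""
    if today_days is None:
        today_days = int(time.time() // 86400)
    values = entry.get("shadowExpire") or []
    if not values:
        return False
    expire = int(values[0])
    return expire > 0 and today_days > expire


def explain(entry, today_days=None):
    """One-line verdict for an entry, with the numbers behind it."""
    if today_days is None:
        today_days = int(time.time() // 86400)
    if account_expired(entry, today_days):
        return "expired: shadowExpire=%s < today=%d (days since 1970-01-01)" % (
            entry["shadowExpire"][0], today_days)
    return "account phase would pass (shadowExpire=%s, today=%d)" % (
        (entry.get("shadowExpire") or ["absent"])[0], today_days)


if __name__ == "__main__":
    conf = parse_ldap_conf(LDAP_CONF)
    print(ldapsearch_command(conf, "leduc"))
    print(explain(SAMPLE_ENTRY, today_days=12789))  # 6 Jan 2005
```

The printed ldapsearch line prompts for the user's password (`-W`); a bind that succeeds but returns a shadowExpire below today's day number reproduces the pam_acct_mgmt failure exactly, while an "Invalid credentials" result means the problem is still in the authenticate phase. Run the command as the postgres user so that any unreadable /etc/ldap.conf shows up at the same time.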