I am developing a Linux application that will be using PAM for its 
authentication chores, and I am having difficulties understanding how the SASL 
daemon fits into the picture. In essence, what I want to do is for users of the 
application to authenticate themselves by means of a RADIUS server, with the 
authentication chores falling back on to SASL if the RADIUS server is 
unreachable.

In my system (which I will refer to henceforth as MySystem) I have created a 
user named user1 in SASL by means of the saslpasswd2 command, assigning 
password user1password to it. This user is also present locally in MySystem 
(i.e. there are entries for it in /etc/{passwd,group,shadow}), but its local 
password is localuser1password.

At the same time, I have a file named MyApp in /etc/pam.d with the following 
contents:

#%PAM-1.0

auth        sufficient      /lib64/security/pam_radius_auth.so localifdown
auth        required        pam_unix.so
account     required        pam_unix.so

I launch the SASL daemon with -a pam.

I then use the testsaslauthd tool as root as follows:

# testsaslauthd -u user1 -p user1password -s MyApp

On executing this command, the authentication is delegated to the RADIUS server 
(or servers) first. If they are reachable and user1 is defined with password 
user1password then the authentication will succeed, and nothing else will be 
done. If the RADIUS servers are reachable, but user1 is not defined, or it is, 
but with a password other than user1password, the authentication will fail, and 
nothing else will be done. This is all exactly as I want, and was expecting.

When the RADIUS servers are not reachable then the pam_unix.so lines in 
/etc/pam.d/MyApp kick in, and testsaslauthd returns the following diagnostic:

0: NO "authentication failed"

At the same time, the following diagnostic is entered in my syslog:

Jul 27 11:23:19 MySystem saslauthd[21935]:                 : auth failure: 
[user=user1] [service=MyApp] [realm=] [mech=pam] [reason=PAM auth error]

I know for a fact that the password I entered is the correct one. When I invoke 
testsaslauthd as above, but with -p localuser1password, I get exactly the same 
result - which, in this case, is what I expected.

What am I doing wrong? Why is the SASL authentication failing?

This aside, I downloaded a SASL PAM module, which works as expected when in 
/etc/pam.d/MyApp I replace pam_unix.so with the name of the shared library 
associated with this module: pam_sasl.so. In this case, the SASL authentication 
works, and the SASL daemon is not necessary: the SASL PAM module seems to be 
matching passwords against the /etc/sasldb2 file directly.

Any feedback to help me understand what is going on here will be much appreciated.
------------------------------------------
Cyrus: Info
Permalink: https://cyrus.topicbox.com/groups/info/T3bb539860cb02798-Maa46e06707d92c8a70b6273c
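The behaviour of the /etc/pam.d/MyApp stack quoted in the post can be worked through with the following Python model of how Linux-PAM evaluates the control flags of an auth stack. This is an added example written for this page, not code from the original post, from Cyrus SASL or from Linux-PAM: the RADIUS and pam_unix modules are stand-in functions that return a chosen PAM code, the two pam.d texts are constructed (the first copies the auth lines from the post, the second is a hypothetical variant using the bracketed control syntax), and it assumes, as the pam_radius_auth documentation describes, that the localifdown option makes the module return PAM_IGNORE when no server answers.

```python
"""Model of how Linux-PAM evaluates an 'auth' stack such as /etc/pam.d/MyApp.

Added example for this page, not code from the original post, Cyrus SASL or
Linux-PAM. Module results come from stand-in functions so every scenario runs offline.
"""
import os
import re
from collections import namedtuple

# Return codes from Linux-PAM's _pam_types.h (subset).
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR, PAM_AUTHINFO_UNAVAIL, PAM_IGNORE = 0, 6, 7, 9, 25
RC_NAMES = {PAM_SUCCESS: "success", PAM_PERM_DENIED: "perm_denied", PAM_AUTH_ERR: "auth_err",
            PAM_AUTHINFO_UNAVAIL: "authinfo_unavail", PAM_IGNORE: "ignore"}
# pam.conf(5): expansion of the simple control keywords into [value=action] tables.
SIMPLE_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# Constructed pam.d texts: the first copies the auth lines quoted in the post, the
# second is a hypothetical variant that falls back to pam_unix only when RADIUS is down.
MYAPP_AS_POSTED = """\
#%PAM-1.0
auth  sufficient  /lib64/security/pam_radius_auth.so  localifdown
auth  required    pam_unix.so
"""
MYAPP_NO_FALLTHROUGH = """\
#%PAM-1.0
auth  [success=done ignore=ignore default=die]  /lib64/security/pam_radius_auth.so  localifdown
auth  required    pam_unix.so
"""

Entry = namedtuple("Entry", "mtype actions module args")
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pamd(text):
    """Parse pam.d lines into (type, action table, module file name, module args)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, control, path, rest = LINE_RE.match(line).groups()
        if control.startswith("["):            # bracketed [value=action ...] control
            actions = dict(item.split("=", 1) for item in control[1:-1].split())
        else:
            actions = dict(SIMPLE_CONTROLS[control.lower()])
        entries.append(Entry(mtype, actions, os.path.basename(path), rest.split()))
    return entries

def run_auth_stack(entries, module_results):
    """Walk the 'auth' lines with pam.conf(5)'s ok/done/bad/die/ignore rules; jump
    actions ('N', 'reset') are not modelled. Returns (final code, modules invoked)."""
    UNDEF, POSITIVE, NEGATIVE = 0, 1, 2
    impression, status, invoked = UNDEF, PAM_PERM_DENIED, []
    for e in entries:
        if e.mtype != "auth":
            continue
        rc = module_results[e.module](e.args)
        invoked.append(e.module)
        action = e.actions.get(RC_NAMES[rc], e.actions.get("default", "bad"))
        if action in ("ok", "done"):
            # A module's code counts only while no failure has been recorded.
            if rc != PAM_IGNORE and (impression == UNDEF or (impression == POSITIVE and status == PAM_SUCCESS)):
                impression, status = POSITIVE, rc
            if action == "done" and impression == POSITIVE:
                return status, invoked          # 'sufficient' short-circuit
        elif action in ("bad", "die"):
            if impression != NEGATIVE:
                impression, status = NEGATIVE, rc   # first failure wins
            if action == "die":
                return status, invoked
        # any other action ("ignore") leaves the recorded state untouched
    if impression == UNDEF:
        status = PAM_PERM_DENIED                # no module voted: Linux-PAM fails the stack
    return status, invoked

def radius_module(reply):
    """Stand-in for pam_radius_auth.so. Assumes, per its docs, that 'localifdown'
    turns an unreachable server into PAM_IGNORE instead of PAM_AUTHINFO_UNAVAIL."""
    def module(args):
        if reply == "accept":
            return PAM_SUCCESS
        if reply == "reject":
            return PAM_AUTH_ERR
        return PAM_IGNORE if "localifdown" in args else PAM_AUTHINFO_UNAVAIL
    return module

def evaluate(pamd_text, radius_reply, local_password_ok):
    """One scenario: radius_reply in {'accept', 'reject', 'down'}; pam_unix accepts or rejects."""
    modules = {"pam_radius_auth.so": radius_module(radius_reply),
               "pam_unix.so": lambda args: PAM_SUCCESS if local_password_ok else PAM_AUTH_ERR}
    return run_auth_stack(parse_pamd(pamd_text), modules)

if __name__ == "__main__":
    for name, cfg in (("as posted", MYAPP_AS_POSTED), ("no fall-through", MYAPP_NO_FALLTHROUGH)):
        for reply, ok in [(r, o) for r in ("accept", "reject", "down") for o in (True, False)]:
            rc, used = evaluate(cfg, reply, ok)
            print(f"{name:15} radius={reply:6} local_pw_ok={ok!s:5} -> {RC_NAMES[rc]:8} via {used}")
```

Running the script prints one line per scenario. Two points come out of the table that the post does not state. First, with the stack as posted a RADIUS reject does not end the authentication: the sufficient keyword maps every non-success code to ignore, so pam_unix is consulted next and a user the RADIUS server rejected still gets in with the local password. If the fallback is meant only for the server-unreachable case, the bracketed control [success=done ignore=ignore default=die] keeps a reject fatal while letting the PAM_IGNORE produced by localifdown fall through to pam_unix. Second, the model takes pam_unix's answer as given; pam_unix reports a hash it could not verify with the same PAM_AUTH_ERR it uses for a wrong password, so before concluding that the password is wrong it is worth checking which user the saslauthd process runs as and whether that user can read /etc/shadow (a non-root daemon cannot, and the unix_chkpwd helper only verifies the calling user's own account). testsaslauthd was run as root, but the PAM conversation happens inside the daemon.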