Hello,
against SASL try adding a "@" and the hostname (of the host where
saslpasswd2 was executed) after the username like this:
user1@hostname
Regards!
Valentin
On 27.07.22 at 20:49, lovecraftesque via Info wrote:
I am developing a Linux application that will be using PAM for its
authentication chores, and I am having difficulties understanding how
the SASL daemon fits into the picture. In essence, what I want to do
is for users of the application to authenticate themselves by means of
a RADIUS server, with the authentication chores falling back on to
SASL if the RADIUS server is unreachable.
In my system (which I will refer to henceforth as MySystem) I have
created a user named user1 in SASL by means of the saslpasswd2
command, assigning password user1password to it. This user is also
present locally in MySystem (i.e. there are entries for it in
/etc/{passwd,group,shadow}) but its local password is localuser1password.
At the same time, I have a file named MyApp in /etc/pam.d with the
following contents:
#%PAM-1.0
auth sufficient /lib64/security/pam_radius_auth.so localifdown
auth required pam_unix.so
account required pam_unix.so
I launch the SASL daemon with -a pam.
I then use the testsaslauthd tool as root as follows:
# testsaslauthd -u user1 -p user1password -s MyApp
On executing this command, the authentication is delegated to the
RADIUS server (or servers) first. If they are reachable and user1 is
defined with password user1password then the authentication will
succeed, and nothing else will be done. If the RADIUS servers are
reachable, but user1 is not defined, or it is, but with a password
other than user1password, the authentication will fail, and nothing
else will be done. This is all exactly as I want, and was expecting.
When the RADIUS servers are not reachable then the pam_unix.so lines
in /etc/pam.d/MyApp kick in. And testsaslauthd returns the following
diagnostic:
0: NO "authentication failed"
At the same time, the following diagnostic is entered in my syslog:
Jul 27 11:23:19 MySystem saslauthd[21935]: : auth failure: [user=user1] [service=MyApp] [realm=] [mech=pam] [reason=PAM auth error]
I know for a fact that the password I entered is the correct one. When
I invoke testsaslauthd as above, but with -p localuser1password, I get
exactly the same result - which, in this case, is what I expected.
What am I doing wrong? Why is the SASL authentication failing?
This aside, I downloaded a SASL PAM module, which works as expected
when in /etc/pam.d/MyApp I replace pam_unix.so with the name of the
shared library associated with this module: pam_sasl.so. In this case,
the SASL authentication works, and the SASL daemon is not necessary:
the SASL PAM module seems to be matching passwords against the
/etc/sasldb2 file directly.
Any feedback to help me understand what is going on here will be much
appreciated.
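Added here as a defender-side example, not code from the thread or from Cyrus SASL: a parser for the saslauthd syslog line quoted above that extracts the user, service, realm, mech and reason fields and counts failures per user and service, so that repeated "PAM auth error" outcomes from one service can be spotted in a log. The sample lines are constructed, and the layout of the "auth success" line is an assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample syslog excerpt: line 1 mirrors the failure line quoted in the
# thread; the rest are made up here, and the "auth success" layout is assumed.
SAMPLE_SYSLOG = """\
Jul 27 11:23:19 MySystem saslauthd[21935]: : auth failure: [user=user1] [service=MyApp] [realm=] [mech=pam] [reason=PAM auth error]
Jul 27 11:23:40 MySystem saslauthd[21935]: : auth failure: [user=user1] [service=MyApp] [realm=] [mech=pam] [reason=PAM auth error]
Jul 27 11:24:02 MySystem saslauthd[21935]: : auth success: [user=user1] [service=MyApp] [realm=MySystem] [mech=pam]
Jul 27 11:25:13 MySystem sshd[4242]: Accepted publickey for admin from 192.0.2.10 port 50000
"""
# Outer shape of a saslauthd line; the bracketed key=value fields are parsed
# separately so reordered or additional fields do not break the parser.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) saslauthd\[(?P<pid>\d+)\]: : "
    r"auth (?P<outcome>failure|success): (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")

@dataclass
class SaslAuthEvent:
    timestamp: str
    host: str
    pid: int
    outcome: str           # "failure" or "success"
    user: str
    service: str           # PAM service name (testsaslauthd -s), e.g. MyApp
    realm: str             # empty when no realm was supplied
    mech: str              # saslauthd mechanism (-a), e.g. pam
    reason: Optional[str]  # present only on failures

def parse_line(line: str) -> Optional[SaslAuthEvent]:
    """Structured event for a saslauthd auth line, None for any other syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = dict(FIELD_RE.findall(m["fields"]))
    return SaslAuthEvent(m["ts"], m["host"], int(m["pid"]), m["outcome"],
                         f.get("user", ""), f.get("service", ""), f.get("realm", ""),
                         f.get("mech", ""), f.get("reason"))

def parse_log(text: str) -> list[SaslAuthEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]

def failure_counts(events: list[SaslAuthEvent]) -> Counter:
    """Failures per (user, service, mech, reason): the key an alert or triage view groups on."""
    return Counter((e.user, e.service, e.mech, e.reason)
                   for e in events if e.outcome == "failure")
```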
------------------------------------------
Cyrus: Info
Permalink:
https://cyrus.topicbox.com/groups/info/T3bb539860cb02798-M62f0ac1fcc5a587a451f74fd