On Fri, Mar 29, 2013 at 12:15 PM, Matt Broadstone <[email protected]> wrote:
> On Fri, Mar 29, 2013 at 12:05 PM, Niphlod <[email protected]> wrote:
>> uhm. Before smashing heads against the wall, there are 3 different
>> "available methods" here.....
>>
>> 1) rely on nginx to authenticate users through pam (kinda of a basic auth,
>> but checked against PAM)
>> 2) rely on uwsgi to authenticate users through pam (kinda of a basic auth,
>> but checked against PAM)
>> 3) rely on web2py module to authenticate users through pam
>>
>
> Yes, this is my understanding as well.
>
>> You want the users to reach web2py no matter what, and let the
>> authentication happen using "web2py's logic".... assuming that the only
>> thing you want is not having the username/password combos checked against a
>> table in web2py's database but against PAM's database.
>>
>
> Yes, this is what we are trying to do. To reiterate: we always want to
> provide access to web2py, and through web2py's auth (using a username
> and password form) we want to authenticate using PAM in the backend.
>
>> Unless I understood it wrong, apache and rocket work. This means (if you
>> didn't mess with apache configs) that 3) works "out of the box"
>>
>> What it seems by your config is that you're trying to do 2), i.e. stopping
>> users "one step before", letting uwsgi interact deal pam
>> authentication......that is a different thing. Do you want 1), 2) or 3) ?
>
> My config is not doing 1 or 2, you may be confused by the fact that I
> provided an /etc/pam.d/uwsgi configuration, and specified pam in the
> uwsgi configuration.
>
> Here's what I _think_ is going on (though my understanding is spotty at best).
>
> * nginx is serving a python application using uwsgi
> * nginx is properly configured, I can access the site and the web2py
> app shows up
> * web2py is running in the context of uwsgi (and thus inherits its
> permissions)
> * web2py has a pam auth module that loads a pam library, attempts to
> connect to pam and authenticate with the credentials provided
>
> after all of those steps, I get the messages in my auth.log that I
> posted above, indicating to me that whatever user is trying to
> authenticate with pam doesn't actually have the rights to authenticate
> against the /etc/shadow file. That was my intention with playing
> around with /etc/pam.d/uwsgi config file, etc.
>
> Matt
>
>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "web2py-users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>>

Hey all,

Just wanted to let you know I figured out what was wrong here. The problem was that Ubuntu ships with a quite out-of-date version of uwsgi (1.0.3 in 12.04, and in recent releases only up to 1.2.x), which confuses PAM. If you're trying to do something similar, you need to run a version of uwsgi >= 1.4.

Matt

