Man, we're still using web2py 2.0.9 so that was definitely not in the script before! That would have saved me a day of work :)
Matt

On Tue, Apr 2, 2013 at 3:41 AM, Niphlod <[email protected]> wrote:
> nice. The script shipped with web2py installs uwsgi from pip, so we're covered!
>
> On Monday, April 1, 2013 4:48:59 PM UTC+2, Matt wrote:
>>
>> On Fri, Mar 29, 2013 at 12:15 PM, Matt Broadstone <[email protected]> wrote:
>> > On Fri, Mar 29, 2013 at 12:05 PM, Niphlod <[email protected]> wrote:
>> >> uhm. Before smashing heads against the wall, there are 3 different "available methods" here.....
>> >>
>> >> 1) rely on nginx to authenticate users through pam (kinda of a basic auth, but checked against PAM)
>> >> 2) rely on uwsgi to authenticate users through pam (kinda of a basic auth, but checked against PAM)
>> >> 3) rely on web2py module to authenticate users through pam
>> >>
>> >
>> > Yes, this is my understanding as well.
>> >
>> >> You want the users to reach web2py no matter what, and let the authentication happen using "web2py's logic".... assuming that the only thing you want is not having the username/password combos checked against a table in web2py's database but against PAM's database.
>> >>
>> >
>> > Yes, this is what we are trying to do. To reiterate: we always want to provide access to web2py, and through web2py's auth (using a username and password form) we want to authenticate using PAM in the backend.
>> >
>> >> Unless I understood it wrong, apache and rocket work. This means (if you didn't mess with apache configs) that 3) works "out of the box"
>> >>
>> >> What it seems by your config is that you're trying to do 2), i.e. stopping users "one step before", letting uwsgi interact deal pam authentication......that is a different thing. Do you want 1), 2) or 3) ?
>> >
>> > My config is not doing 1 or 2, you may be confused by the fact that I provided an /etc/pam.d/uwsgi configuration, and specified pam in the uwsgi configuration.
>> >
>> > Here's what I _think_ is going on (though my understanding is spotty at best).
>> >
>> > * nginx is serving a python application using uwsgi
>> > * nginx is properly configured, I can access the site and the web2py app shows up
>> > * web2py is running in the context of uwsgi (and thus inherits its permissions)
>> > * web2py has a pam auth module that loads a pam library, attempts to connect to pam and authenticate with the credentials provided
>> >
>> > after all of those steps, I get the messages in my auth.log that I posted above, indicating to me that whatever user is trying to authenticate with pam doesn't actually have the rights to authenticate against the /etc/shadow file. That was my intention with playing around with /etc/pam.d/uwsgi config file, etc.
>> >
>> > Matt
>> >
>> >> --
>> >>
>> >> ---
>> >> You received this message because you are subscribed to the Google Groups "web2py-users" group.
>> >> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> >> For more options, visit https://groups.google.com/groups/opt_out.
>>
>> Hey all,
>> Just wanted to let you know I figured out what was wrong here. The problem was that ubuntu ships with a quite out-of-date version of uwsgi (1.0.3 in 12.04, and in recent releases only up to 1.2.x), which confuses PAM. If you're trying to do something similar, you need to run a version of uwsgi >= 1.4
>>
>> Matt

