pam_radius + saslauthd + cyrus imapd

Joe Lewis joe at joe-lewis.com
Wed Jun 2 18:12:33 UTC 2004


Are you getting the

ERROR reading %s, line %d: Could not read hostname or secret

Line?  You have that just inside of an if () block, but nothing in the
"else" side of things.  We may be getting somewhere :) .

Put another log line in the "else" section printing the hostname, the 
secret, and the timeout just to verify that it is reading the line in 
your config file properly.  We're getting close!

Joe

Fatemeh Taj wrote:

>Joe, 
>I did what you said, it seems that there is a
>non-ending while loop here (for me) and the last error
>I see is what I have printed below (socket23). It gets
>the username and goes to this loop and never comes out
>to get the password.
>
>Can you help me?
>
>Thanks 
>Fatemeh Taj 
>
> while (!feof(fserver) &&
>        (fgets (buffer, sizeof(buffer), fserver) != (char*) NULL) &&
>        (!ferror(fserver))) {
>    line++;
>    p = buffer;
>
>    /*
>     *  Skip blank lines and whitespace
>     */
>    while (*p &&
>           ((*p == ' ') || (*p == '\t') ||
>            (*p == '\r') || (*p == '\n'))) p++;
>
>    /*
>     *  Nothing, or just a comment.  Ignore the line.
>     */
>    if ((!*p) || (*p == '#')) {
>      continue;
>    }
>
>    timeout = 3;
>    if (sscanf(p, "%s %s %d", hostname, secret, &timeout) < 2) {
>      _pam_log(LOG_ERR, "ERROR reading %s, line %d: Could not read hostname or secret\n",
>               conf_file, line);
>      continue; /* invalid line */
>    } else {                    /* read it in and save the data */
>      radius_server_t *tmp;
>
>      tmp = malloc(sizeof(radius_server_t));
>      if (server) {
>        server->next = tmp;
>        server = server->next;
>      } else {
>        conf->server = tmp;
>        server = tmp;            /* first time */
>      }
>
>      /* sometime later do memory checks here */
>      server->hostname = strdup(hostname);
>      server->secret = strdup(secret);
>      server->accounting = accounting;
>      server->port = 0;
>      if ((timeout < 1) || (timeout > 60)) {
>        server->timeout = 3;
>      } else {
>        server->timeout = timeout;
>      }
>      server->next = NULL;
>    }
>    _pam_log(LOG_ERR, "Unable to open socket23: %s\n", strerror(errno));
>  }
>  _pam_log(LOG_ERR, "Unable to open socket24: %s\n", strerror(errno));
>  fclose(fserver);
>
>
>
>--- Joe Lewis <joe at joe-lewis.com> wrote:
>
>>>Joe
>>>As I said:
>>>Also I know that this machine can
>>>>establish radius connection (udp/1812) to the
>>>>radius server. I tried it using nc command.
>>
>>Sorry about that.  Sometimes I read WAY too quickly.
>>
>>>Using nc command I could establish udp connection to
>>>1812 port and the firewall permits the connection.
>>>It's not a network problem :(
>>
>>Okay.  After the module prints "Got user name %s", it calls a function
>>initialize().  This function gets the IP address of the host to contact
>>for the radius information.  If it returns any PAM_* errors, the module
>>will quit right there.  However, if it continues on, there is the next
>>step of checking for the service name or the client_id - if both of those
>>fail, the module will quit.  At this point, an open socket should be
>>connected to the Radius server, and the module sets up the Radius packet.
>>But it won't quit here.  It grabs the password, and then determines if it
>>fails.  If it does not, you should see a debug message stating "Got
>>password %s".
>>
>>So, in this process, there are actually a multitude of ways that this
>>could be "malfunctioning".  If it can't find the /etc/raddb/servers file,
>>it will complain and log it.  So, obviously, you DO have the file and it
>>is in the right place.  In addition, in the initialize function, it checks
>>for server configs, and that is working fine.  Then it opens the socket.
>>If it fails to open the socket, IT SHOULD PRINT A LOG LINE.  Now, I would
>>suggest that you dump a couple of
>>
>> _pam_log(LOG_ERR, "Failed to open RADIUS socket: %s\n", strerror(errno));
>>
>>lines throughout the code, primarily AFTER the initialize function exits,
>>and then throughout the initialize function itself.  This should help you
>>pinpoint exactly what process is causing the problem.
>>
>>The other option is to run 'gdb' on it (attach it to the process after it
>>is started).  Try doing it in the "su" service, so that you can do most of
>>the leg work on the command line.  Then you can step through the process
>>to figure out what is going on.  Some time between printing "Got user
>>name" and the next print functions, the module is doing something wrong.
>>Let me know what you find.
>>
>>Joe
>>
>>>Joe
>>>As I said:
>>>Also I know that this machine can
>>>>establish radius connection (udp/1812) to the
>>>>radius server. I tried it using nc command.
>>>Using nc command I could establish udp connection to
>>>1812 port and the firewall permits the connection.
>>>It's not a network problem :(
>>>
>>>--Fatemeh
>>>
>>>--- Joe Lewis <joe at joe-lewis.com> wrote:
>>>
>>>>Have you run network checks to ensure that ports are being opened?  You
>>>>might have a firewall on the sending side, the receiving side, or
>>>>somewhere in between that is causing problems.  Telnet on the radius port
>>>>and verify that you can get a connection.
>>>>
>>>>Joe
>>>>
>>>>>Dear All,
>>>>>I did install cyrus imapd 2.2.3 on redhat enterprise 3. Now I want to
>>>>>authenticate users through a radius server. I have done it previously on
>>>>>redhat 7.1 and it works fine. But now pam_radius does not send the
>>>>>request to the radius server.
>>>>>Maybe here is not the proper place to ask this, but I thought you
>>>>>might have such experience.
>>>>>
>>>>>I have:
>>>>>--sasl_passwd_check=saslauthd
>>>>>sasl_mech_list=PLAIN
>>>>>--in /etc/pam.d/pop I have
>>>>>auth required  /lib/security/pam_radius_auth.so debug
>>>>>--and have configured /etc/raddb/server too and the permission is 755.
>>>>>--Also /lib/security/pam_radius_auth.so is available too. (pam_radius 1.3.16)
>>>>>I ran saslauthd with -a pam, it gets the username but there is no sign
>>>>>of sending the request to the radius server.
>>>>>log:
>>>>>saslauthd[2859]: rel_accept_lock : released accept lock
>>>>>May22 saslauthd[2860]: get_accept_lock : acquired accept lock
>>>>>May 2212:06:56 test saslauthd[2859]: pam_radius_auth: Got user name fatemeh
>>>>>
>>>>>and nothing about sending request is found in log.
>>>>>
>>>>>With my tests I know that pam_radius_auth does read the /etc/radd/server
>>>>>but does not send any request to the radius server. Also I know that
>>>>>this machine can establish radius connection (udp/1812) to the radius
>>>>>server. I tried it using nc command.  Any comment is really appreciated.
>>>>>
>>>>>Please help.
>>>>>Thanks F. Taj
>>>>>P.S, I have asked it in cyrus imapd and cyrus sasl list too but no answer :(
>>>>>
>>>>>_______________________________________________
>>>>>Pam-list mailing list
>>>>>Pam-list at redhat.com
>>>>>https://www.redhat.com/mailman/listinfo/pam-list
>>>>
>>>>Joe Lewis
>>>
>=== message truncated ===
>
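An added example (my own code, not code from the thread or from pam_radius): a stand-alone C re-implementation of the servers-file loop quoted above, with the debug line Joe asks for in the "else" branch. It reads from an in-memory string rather than a FILE*, logs only the length of the shared secret rather than the secret itself, and parse_servers, the fixed-size radius_server_t fields and the SAMPLE input are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* One entry of a pam_radius-style servers file: "hostname secret [timeout]" */
typedef struct radius_server {
    char hostname[256], secret[256];
    int timeout;
    struct radius_server *next;
} radius_server_t;
/* Hypothetical re-implementation of the module's config loop, reading from an
 * in-memory string instead of a FILE*: blank and '#' lines are skipped, fewer
 * than two fields is an error, timeout defaults to 3 and is clamped to 1..60. */
static radius_server_t *parse_servers(const char *text, int *bad_lines)
{
    char buffer[256];
    radius_server_t *head = NULL, *tail = NULL;
    int line = 0;
    *bad_lines = 0;                       /* counts lines the parser rejected */
    while (*text) {
        size_t n = strcspn(text, "\n");   /* copy one line, like fgets() */
        size_t keep = n < sizeof buffer ? n : sizeof buffer - 1;
        memcpy(buffer, text, keep);
        buffer[keep] = '\0';
        text += n + (text[n] == '\n'); line++;
        char *p = buffer; int timeout = 3;
        while (*p == ' ' || *p == '\t' || *p == '\r') p++;
        if (!*p || *p == '#') continue;   /* blank line or comment */
        radius_server_t *s = calloc(1, sizeof *s);
        if (!s) break;                    /* the module defers this check */
        /* field widths keep sscanf() from overflowing the fixed buffers */
        if (sscanf(p, "%255s %255s %d", s->hostname, s->secret, &timeout) < 2) {
            fprintf(stderr, "line %d: could not read hostname or secret\n", line);
            (*bad_lines)++;
            free(s);
            continue;
        }
        s->timeout = (timeout < 1 || timeout > 60) ? 3 : timeout;
        if (tail) tail->next = s; else head = s;
        tail = s;
        /* the debug line Joe suggests for the "else" branch, logging the
         * secret's length rather than the secret so it never reaches syslog */
        fprintf(stderr, "line %d: host=%s secret_len=%zu timeout=%d\n",
                line, s->hostname, strlen(s->secret), s->timeout);
    }
    return head;
}
static const char SAMPLE[] =              /* constructed sample, not from the thread */
    "# radius servers\nradius1.example.net   s3cret   5\n\t\n"
    "radius2.example.net   other-secret\nbadline\nradius3.example.net third 999\n";
```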