Pam-mysql

P. webwiz at pl.net
Wed Mar 5 23:35:50 UTC 2008


After nearly three days sweating on this I'm now stuck. Read out.

I want apache to authenticate access solely via mysql. The new
mod-authn-dbd is reputed to be buggy, and the old mod-auth-apache2-mysql
is absent in Debian etch. So it appears I'm going with pam.

Oddly, access works when it matches a /etc/passwd user, which I don't want!
Everything else fails to login, and presents a new login prompt, except
where a mysql entry matches, in which case the PAM log (mysql) says:

entry                    user     pid	host	ts
AUTHENTICATION SUCCESS test 6193 (unknown) 2008-02-28 10:14:24

yet the browser gets:

401 Authorization Required

This server could not verify that you are authorized to access the document
requested. Either you supplied the wrong credentials (e.g., bad password),
or your browser doesn't understand how to supply the credentials required.

and var/log/apache/error.log gets

PAM: user 'ee'  - invalid account: User not known to the underlying authentication module


and /var/log/auth.log gets

Feb 28 11:16:21 solarbus1 apache2: pam_mysql - SELECT solarbus.spacepersons.password FROM solarbus.spacepersons WHERE solarbus.spacepersons.username = 'ee'
Feb 28 11:16:21 solarbus1 apache2: pam_mysql - pam_mysql_sql_log() called.
Feb 28 11:16:21 solarbus1 apache2: pam_mysql - pam_mysql_format_string() called
Feb 28 11:16:21 solarbus1 apache2: pam_mysql - pam_mysql_quick_escape() called.
Feb 28 11:16:21 solarbus1 last message repeated 8 times
Feb 28 11:16:21 solarbus1 apache2: pam_mysql - INSERT INTO pamlog (entry, user, host, pid, ts) VALUES ('AUTHENTICATION SUCCESS', 'ee', '(unknown)', '6193', NOW())
Feb 28 11:16:21 solarbus1 apache2: pam_mysql - pam_mysql_sql_log() returning 0.
Feb 28 11:16:21 solarbus1 apache2: pam_mysql - pam_mysql_check_passwd() returning 0.
Feb 28 11:16:21 solarbus1 apache2: pam_mysql - pam_sm_authenticate() returning 0.
Feb 28 11:16:21 solarbus1 apache2: (pam_unix) could not identify user (from getpwnam(ee))
Feb 28 11:16:21 solarbus1 apache2: pam_mysql - pam_mysql_release_ctx() called.
Feb 28 11:16:21 solarbus1 apache2: pam_mysql - pam_mysql_destroy_ctx() called.
Feb 28 11:16:21 solarbus1 apache2: pam_mysql - pam_mysql_close_db() called.


Looks like pam_mysql is OK'ing it but pam_unix is being authoritative. Don't
know enough about pam to know why.
Any clues appreciated.

Peter

Here's my /etc/pam.d/apache2

auth require pam_mysql.so verbose=1 user=peter passwd=xxxxx host=127.0.0.1 db=solarbus table=solarbus.spacepersons usercolumn=solarbus.spacepersons.username passwdcolumn=solarbus.spacepersons.password crypt=0 sqllog=true logtable=pamlog logmsgcolumn=entry logusercolumn=user logpidcolumn=pid loghostcolumn=host logtimecolumn=ts

and /var/www/.htaccess

AuthPAM_Enabled on
AuthPAM_FallThrough off
AuthType Basic
AuthName "Intranet"
AuthUserFile /dev/null
AuthBasicAuthoritative Off
require valid-user
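
Added example, not part of the original post: the service file above defines only an auth entry, and Linux-PAM takes any management group with no entry from the "other" service, which is where a pam_unix account check like the one in the auth.log excerpt can come from. This Python check lists the groups a service file leaves to "other"; the function names and the second sample file are assumptions made for the example, and the @include handling is a filename heuristic for Debian's common-* files.

```python
import re

# The four PAM management groups a service file can carry entries for.
GROUPS = ("auth", "account", "password", "session")

def groups_defined(service_text):
    """Return the set of management groups with at least one entry."""
    found = set()
    # Join backslash-continued lines, then read one rule per line.
    for line in service_text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        first = fields[0].lstrip("-").lower()     # '-auth' is still an auth rule
        if first in GROUPS:
            found.add(first)
        elif first == "@include" and len(fields) > 1:
            # Heuristic (assumption): Debian's common-<group> include files.
            m = re.fullmatch(r"common-(auth|account|password|session)", fields[1])
            if m:
                found.add(m.group(1))
    return found

def fallthrough_groups(service_text):
    """Groups with no entry here; Linux-PAM resolves them from 'other'."""
    defined = groups_defined(service_text)
    return [g for g in GROUPS if g not in defined]

# Abridged from the /etc/pam.d/apache2 line in the post (module arguments shortened).
SAMPLE_POSTED = (
    "auth require pam_mysql.so verbose=1 user=peter passwd=xxxxx "
    "host=127.0.0.1 db=solarbus\n"
)
# Constructed contrast file: same auth line plus an account entry.
SAMPLE_WITH_ACCOUNT = SAMPLE_POSTED + (
    "account required pam_mysql.so user=peter passwd=xxxxx "
    "host=127.0.0.1 db=solarbus\n"
)

if __name__ == "__main__":
    for name, text in (("posted", SAMPLE_POSTED), ("with account", SAMPLE_WITH_ACCOUNT)):
        print(name, "-> falls through to 'other':", fallthrough_groups(text))
```

Run against a real service file by passing its contents to fallthrough_groups(); any group it returns is decided by /etc/pam.d/other rather than by the file being audited.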









More information about the Pam-list mailing list