SASL and PAM

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I am developing a Linux application that will be using PAM for its authentication chores, and I am having difficulties understanding how the SASL daemon fits into the picture. In essence, what I want to do is for users of the application to authenticate themselves by means of a RADIUS server, with the authentication chores falling back on to SASL if the RADIUS server is unreachable.

In my system (which I will refer to henceforth as MySystem) I have created a user named user1 in SASL by means of the saslpasswd2 command, assigning password user1password to it. This user is also present locally in MySystem (i.e. there are entries for it in /etc/{passwd,group,shadow} but its local password is localuser1password.

At the same time, I have a file named MyApp in /etc/pam.d with the following contents:

#%PAM-1.0

auth                 sufficient     /lib64/security/pam_radius_auth.so    localifdown
auth                 required        pam_unix.so
account         required        pam_unix.so

I launch the SASL daemon with -a pam.

I then use the testsaslauthd tool as root as follows:

# testsaslauthd -u user1 -p user1password -s MyApp

On executing this command, the authentication is delegated to the RADIUS server (or servers) first. If they are reachable and user1 is defined with password user1password then the authentication will succeed, and nothing else will be done. If the RADIUS servers are reachable, but user1 is not defined, or it is, but with a password other than user1password, the authentication will fail, and nothing else will be done. This is all exactly as I want, and was expecting.

When the RADIUS servers are not reachable then the pam_unix.so lines in /etc/pam.d/MyApp kick in.  And  testsaslauthd returns the following diagnostic:

0: NO "authentication failed"

At the same time, the following diagnostic is entered in my syslog:

Jul 27 11:23:19 MySystem saslauthd[21935]:                 : auth failure: [user=user1] [service=MyApp] [realm=] [mech=pam] [reason=PAM auth error]

I know for a fact that the password I entered is the correct one. When I invoke testsaslauthd as above, but with -p localuser1password, I get exactly the same result - which, in this case, is what I expected.

What I am doing wrong? Why is the SASL authentication failing?

This aside, I downloaded a SASL PAM module, which works as expected when in /etc/pam.d/MyApp I replace pam_unix.so with the name of the shared library associated with this module: pam_sasl.so. In this case, the SASL authentication works, and the SASL daemon is not necessary: the SASL PAM module seems to be matching passwords against the /etc/sasldb2 file directly.

Any feedback to help me understand what is going here will be much appreciated.

[Index of Archives]     [Cyrus SASL]     [Squirrel Mail]     [Asterisk PBX]     [Video For Linux]     [Photo]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux