Re: [ADMIN] PAM ldap

2005-01-18 Thread Dick Davies
* Kavan, Dan (IMS) <[EMAIL PROTECTED]> [0156 16:56]:
> Thanks for the reply,
> 
> I did compile --with-pam.   Although, the $PATH for the postgres user -
> who I used to compile with didn't have /lib and /lib64 in its path.  I
> don't see anything in configure.in or config.log to hint that pam isn't
> configured, but I'll re-configure anyway.  Is there a way to check PAM
> is configured with postgresql?  pam_unix2.so is located in
> /lib(64)/security.  I was wondering if both /lib and /lib/security
> needed to be in the $PATH or if just /lib/security was needed.

PATH isn't used for shared libs (/lib will be getting searched, or the 
machine probably wouldn't boot). There's a separate search path set for
the dynamic linker to load shared libraries, but it's platform specific.

(On a leenux you need to add the directory to /etc/ld.so.conf - or you
did last time I used it (circa redhat 5.2).)

Or you could try setting LD_LIBRARY_PATH=/lib/security (that's a horrible
hack, but it should work).


If I was you I'd just add a --with-pam to your ./configure command line,
and check config.log after that completes.

To check this is your problem, try ldd - it
tells you what shared libs a binary is linked against (and uses the
search path I mentioned earlier).


Mine shows (freebsd 5.3):

[EMAIL PROTECTED]:rasputnik$ ldd `which postmaster`
/usr/local/bin/postmaster:
libintl.so.6 => /usr/local/lib/libintl.so.6 (0x28264000)
libpam.so.2 => /usr/lib/libpam.so.2 (0x2826d000)
libssl.so.3 => /usr/lib/libssl.so.3 (0x28274000)
libcrypto.so.3 => /lib/libcrypto.so.3 (0x282a2000)
libz.so.2 => /lib/libz.so.2 (0x28397000)
libreadline.so.5 => /lib/libreadline.so.5 (0x283a7000)
libcrypt.so.2 => /lib/libcrypt.so.2 (0x283d3000)
libm.so.3 => /lib/libm.so.3 (0x283eb000)
libutil.so.4 => /lib/libutil.so.4 (0x28405000)
libc.so.5 => /lib/libc.so.5 (0x28411000)
libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x284eb000)
libncurses.so.5 => /lib/libncurses.so.5 (0x285d9000)


 
> Also, forget about PAM for a minute.

Bye then (I know jack about ident)!

-- 
'My life, and by extension everyone else's, is meaningless.'
-- Bender
Rasputin :: Jack of All Trades - Master of Nuns

---(end of broadcast)---
TIP 4: Don't 'kill -9' the postmaster
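As an added check (an example script written for this thread, not code from the thread or from PostgreSQL itself): it applies the ldd test Dick describes to a listing like the one above, looks for --with-pam in the configure line that pg_config records, and confirms that pg_hba.conf actually asks for the pam method. The live check assumes pg_config is on PATH; all sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a PostgreSQL build really
# has PAM support, the two ways Dick describes (the flags recorded at build
# time, and the shared libraries the postmaster binary is linked against),
# and whether pg_hba.conf asks for the pam method at all.

# 0 if the ldd output lists a libpam shared object resolved to a real path
# (an unresolved library shows up as "=> not found" instead).
ldd_links_pam() {
    printf '%s\n' "$1" | grep -q 'libpam\.so[^ ]* => /'
}

# 0 if the configure line recorded by pg_config contains --with-pam.
configure_has_pam() {
    printf '%s\n' "$1" | grep -q -- '--with-pam'
}

# 0 if any non-comment pg_hba.conf line uses the pam method.
hba_uses_pam() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -qE '(^|[[:space:]])pam([[:space:]]|$)'
}

# Constructed samples: the FreeBSD ldd listing quoted in the thread (trimmed),
# a build without PAM, and a build whose libpam is missing at run time.
LDD_WITH_PAM='/usr/local/bin/postmaster:
libintl.so.6 => /usr/local/lib/libintl.so.6 (0x28264000)
libpam.so.2 => /usr/lib/libpam.so.2 (0x2826d000)'
LDD_NO_PAM='/usr/local/bin/postmaster:
libc.so.5 => /lib/libc.so.5 (0x28411000)'
LDD_MISSING='/usr/local/bin/postmaster:
libpam.so.2 => not found'
HBA_SAMPLE='# TYPE  DATABASE  USER   CIDR-ADDRESS   METHOD
# hostssl all all 127.0.0.1/32 pam   (commented out, must not count)
hostssl all   all   127.0.0.1/32   pam'

# Live check against an installed server (assumes pg_config is on PATH and
# points at the same installation as the running postmaster).
check_installed_pam() {
    cfg=$(pg_config --configure) || return 2
    configure_has_pam "$cfg" || { echo 'built without --with-pam' >&2; return 1; }
    ldd_links_pam "$(ldd "$(pg_config --bindir)/postmaster")" \
        || { echo 'postmaster not linked against a resolvable libpam' >&2; return 1; }
    echo 'PAM support present'
}
```

If the build passes both checks but pg_hba.conf still rejects the `pam` token, the server reading the file is not the one you just built; compare `pg_config --bindir` with the postmaster actually running.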


Re: [ADMIN] PAM ldap

2005-01-18 Thread Bruno Wolff III
On Tue, Jan 18, 2005 at 11:56:25 -0500,
  "Kavan, Dan (IMS)" <[EMAIL PROTECTED]> wrote:
> 
> Also, forget about PAM for a minute.  Why does ident work locally, but
> the host entry not work as easily? ident sameuser in host doesn't

Are you running an ident server? One needs to be running on the machine
the client is connecting from.



Re: [ADMIN] PAM ldap

2005-01-18 Thread Kavan, Dan (IMS)
Thanks for the reply,

I did compile --with-pam.   Although, the $PATH for the postgres user -
who I used to compile with didn't have /lib and /lib64 in its path.  I
don't see anything in configure.in or config.log to hint that pam isn't
configured, but I'll re-configure anyway.  Is there a way to check PAM
is configured with postgresql?  pam_unix2.so is located in
/lib(64)/security.  I was wondering if both /lib and /lib/security
needed to be in the $PATH or if just /lib/security was needed.

Also, forget about PAM for a minute.  Why does ident work locally, but
the host entry not work as easily? ident sameuser in host doesn't
work for me.  When I think about it though it makes sense.   I'm coming
in on pgadmin iii from a windows machine and a user logged into a
windows domain.  So, no wonder it doesn't map right.  It doesn't have
any smith user logged in at the time.   I've tried other combinations
like a map name, user ident, pg user, but it doesn't work, i.e. TEST
smith smith. And then TEST smith smith in the pg_ident.conf file.  I
really don't think postgresql is talking to our LDAP server.  The only
thing it can do is local (using the unix ldap setup).

Thanks for all your insight,
~DjK


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dick Davies
Sent: Sunday, January 16, 2005 4:11 AM
To: PostgreSQL Admin
Subject: Re: [ADMIN] PAM ldap


* Kavan, Dan (IMS) <[EMAIL PROTECTED]> [0149 18:49]:
> 
> Hi,  I'm running postgresql 8.0.rc5 on SUSE.
> I have the pg_hba.conf file configured with 
> local all smith   ident sameuser
> host  all smith   ident sameuser
> 
> The way authentication works with that configuration is that 
> if I'm logged in as smith with my company ldap server I can get in, 
> but if I'm not directly logged in as smith, I can't get in.  Having 
> the word pam in this file at all causes an error.  I'd like to use pam
> so postgres could do its own ldap/pam lookups, but I keep getting an 
> error that it doesn't know what pam is.  I see in the logs that the
> pam server starts, but I still get an error.

You didn't show the broken config, but assuming it's something like

# TYPE   DATABASE  USER  IP-ADDRESS  IP-MASK          METHOD
hostssl  all       all   127.0.0.1   255.255.255.255  pam

then perhaps you don't have pam support built into postgres?


> /etc/pam.d/postgresql
> auth     required  pam_unix2.so  nullok
> account  required  pam_unix2.so

This is going to do unix auth, obviously, so you'll need to s/unix/ldap/
on that...

-- 
'You may need to metaphorically make a deal with the devil.
By 'devil' I mean robot devil and by 'metaphorically' I mean get your
coat.'
-- Bender
Rasputin :: Jack of All Trades - Master of Nuns



Re: [ADMIN] PAM ldap

2005-01-16 Thread Dick Davies
* Kavan, Dan (IMS) <[EMAIL PROTECTED]> [0149 18:49]:
> 
> Hi,  I'm running postgresql 8.0.rc5 on SUSE.
> I have the pg_hba.conf file configured with 
> local all smith   ident sameuser
> host  all smith   ident sameuser
> 
> The way authentication works with that configuration is that if
> I'm logged in as smith with my company ldap server I can get in, but if
> I'm not directly logged in as smith, I can't get in.  Having the word
> pam in this file at all causes an error.  I'd like to use pam so
> postgres could do its own ldap/pam lookups, but I keep getting an error
> that it doesn't know what pam is.  I see in the logs that the pam server
> starts, but I still get an error.

You didn't show the broken config, but assuming it's something like

# TYPE   DATABASE  USER  IP-ADDRESS  IP-MASK          METHOD
hostssl  all       all   127.0.0.1   255.255.255.255  pam

then perhaps you don't have pam support built into postgres?


> /etc/pam.d/postgresql
> auth     required  pam_unix2.so  nullok
> account  required  pam_unix2.so

This is going to do unix auth, obviously, so you'll need to s/unix/ldap/ on 
that...

-- 
'You may need to metaphorically make a deal with the devil.
By 'devil' I mean robot devil and by 'metaphorically' I mean get your coat.'
-- Bender
Rasputin :: Jack of All Trades - Master of Nuns



[ADMIN] PAM ldap

2005-01-14 Thread Kavan, Dan (IMS)

Hi,  I'm running postgresql 8.0.rc5 on SUSE.
I have the pg_hba.conf file configured with 
local   all smith   ident sameuser
hostall smith   ident sameuser

The way authentication works with that configuration is that if
I'm logged in as smith with my company ldap server I can get in, but if
I'm not directly logged in as smith, I can't get in.  Having the word
pam in this file at all causes an error.  I'd like to use pam so
postgres could do its own ldap/pam lookups, but I keep getting an error
that it doesn't know what pam is.  I see in the logs that the pam server
starts, but I still get an error.   With pam listed I get the red X.  An
error has occurred.  Error connecting to the server: FATAL:  missing or
erroneous pg_hba.conf  HINT: See server log for details.  See server log
details below.  What's wrong with the syntax of my pg_hba.conf file?  I've
tried pam in all caps, adding postgresql after pam and adding
pg_hba.conf after pam in pg_hba.conf, none of which helps.  Thanks for
any tips. It's harder to play once these systems hit production.

serverlog
LOG:  database system was shut down at 2005-01-14 13:34:47 EST
LOG:  checkpoint record is at 0/AEA370
LOG:  redo record is at 0/AEA370; undo record is at 0/0; shutdown TRUE
LOG:  next transaction ID: 628; next OID: 17232
LOG:  database system is ready
LOG:  invalid entry in file
"/sqldata/Linux.pgsql/tarpon5432/pg_hba.conf" at line 66, token "pam"
FATAL:  missing or erroneous pg_hba.conf file
HINT:  See server log for details.

/var/log/messages
Jan 14 13:37:23 tarpon su: (to root) postgres on /dev/pts/0
Jan 14 13:37:23 tarpon su: pam_unix2: session started for user root,
service su

/etc/pam.d/postgresql
auth     required  pam_unix2.so  nullok
account  required  pam_unix2.so
D.J. Kavan





[ADMIN] Pam Ldap (debian) solved

2003-09-11 Thread Wim Bertels
As noticed, he used pam_unix, as in a local connection;
I just had to comment out the 127.0.0.1 line in pam_ldap.conf to get it working.





[ADMIN] Pam Ldap (debian) problem

2003-09-11 Thread Wim Bertels
Hi,

I don't get postgres working with pam to use an external ldap server to authenticate
users.
I think the problem is that postgres is using the wrong pam file,
namely he uses pam_unix where he should use pam_ldap.so.

postgres version 7.3.2
debian version 3 (kernel 2.4)

any help is much appreciated

I've included the following files:
/etc/hosts
/etc/pam.conf
/etc/pam_ldap.conf
/etc/pam.d/postgresql
/etc/postgresql/pg_hba.conf
/etc/postgresql/postgresql.conf
/etc/postgresql/postmaster.conf
/var/log/messages
/var/log/postgres.log (is empty)
/var/log/auth.log

in short the logs:

Sep 11 12:48:49 damian postgres[1892]: [1] LOG:  connection received: host=10.18.10.47 
port=32882
Sep 11 12:48:53 damian postgres[1893]: [1] LOG:  connection received: host=10.18.10.47 
port=32883

and

Sep 11 12:48:49 damian PAM_unix[1892]: auth could not identify password for [wibrt]
Sep 11 12:48:49 damian 18.10.47 authentication[1892]: [2] LOG:  CheckPAMAuth: 
pam_authenticate failed: 'Conversation error'
Sep 11 12:48:49 damian 18.10.47 authentication[1892]: [3] FATAL:  PAM authentication 
failed for user "wibrt"
Sep 11 12:48:53 damian PAM_unix[1893]: authentication failure; (uid=31) -> wibrt for 
sameuser service
Sep 11 12:48:55 damian 18.10.47 authentication[1893]: [2] LOG:  CheckPAMAuth: 
pam_authenticate failed: 'Authentication failure'
Sep 11 12:48:55 damian 18.10.47 authentication[1893]: [3] FATAL:  PAM authentication 
failed for user "wibrt"

tnx,
Wim
