pam_radius + saslauthd + cyrus imapd

Fatemeh Taj fatemeh53 at yahoo.com
Wed Jun 2 04:27:30 UTC 2004


Joe, 
I did what you said, it seems that there is a
non-ending while loop here (for me) and the last error
I see is what I have printed below (socket23). It gets
the username and goes to this loop and never comes out
to get the password.

Can you help me?

Thanks 
Fatemeh Taj 

  while (!feof(fserver) &&
         (fgets (buffer, sizeof(buffer), fserver) != (char*) NULL) &&
         (!ferror(fserver))) {
    line++;
    p = buffer;

    /*
     *  Skip blank lines and whitespace
     */
    while (*p &&
           ((*p == ' ') || (*p == '\t') ||
            (*p == '\r') || (*p == '\n'))) p++;

    /*
     *  Nothing, or just a comment.  Ignore the line.
     */
    if ((!*p) || (*p == '#')) {
      continue;
    }

    timeout = 3;
    if (sscanf(p, "%s %s %d", hostname, secret, &timeout) < 2) {
      _pam_log(LOG_ERR, "ERROR reading %s, line %d: Could not read hostname or secret\n",
               conf_file, line);
      continue; /* invalid line */
    } else {                    /* read it in and save the data */
      radius_server_t *tmp;

      tmp = malloc(sizeof(radius_server_t));
      if (server) {
        server->next = tmp;
        server = server->next;
      } else {
        conf->server = tmp;
        server= tmp;            /* first time */
      }

      /* sometime later do memory checks here */
      server->hostname = strdup(hostname);
      server->secret = strdup(secret);
      server->accounting = accounting;
      server->port = 0;
      if ((timeout < 1) || (timeout > 60)) {
        server->timeout = 3;
      } else {
        server->timeout = timeout;
      }
      server->next = NULL;
    }
    _pam_log(LOG_ERR, "Unable to open socket23: %s\n", strerror(errno));
  }
  _pam_log(LOG_ERR, "Unable to open socket24: %s\n", strerror(errno));
  fclose(fserver);



--- Joe Lewis <joe at joe-lewis.com> wrote:
> 
> > Joe
> > As I said:
> >  Also I know that this machine can
> >> establish radius connection (udp/1812) to the
> >> radius server. I tried it using nc command.
> 
> Sorry about that.  Sometimes I read WAY too quickly.
> 
> > Using nc command I could establish udp connection to
> > 1812 port and the firewall permits the connection.
> > It's not a network problem :(
> 
> Okay.  After the module prints "Got user name %s", it calls a function
> initialize().  This function gets the IP address of the host to contact
> for the radius information.  If it returns any PAM_* errors, the module
> will quit right there.  However, if it continues on, there is the next
> step of checking for the service name or the client_id - if both of those
> fail, the module will quit.  At this point, an open socket should be
> connected to the Radius server, and the module sets up the Radius packet.
> But it won't quit here.  It grabs the password, and then determines if it
> fails.  If it does not, you should see a debug message stating "Got
> password %s".
> 
> So, in this process, there are actually a multitude of ways that this
> could be "malfunctioning".  If it can't find the /etc/raddb/servers file,
> it will complain and log it.  So, obviously, you DO have the file and it
> is in the right place.  In addition, in the initialize function, it checks
> for server configs, and that is working fine.  Then it opens the socket.
> If it fails to open the socket, IT SHOULD PRINT A LOG LINE.  Now, I would
> suggest that you dump a couple of
> 
>  _pam_log(LOG_ERR, "Failed to open RADIUS socket: %s\n", strerror(errno));
> 
> lines throughout the code, primarily AFTER the initialize function exits,
> and then throughout the initialize function itself.  This should help you
> pinpoint exactly what process is causing the problem.
> 
> The other option is to run 'gdb' on it (attach it to the process after it
> is started).  Try doing it in the "su" service, so that you can do most of
> the leg work on the command line.  Then you can step through the process
> to figure out what is going on.  Some time between printing "Got user
> name" and the next print functions, the module is doing something wrong.
> Let me know what you find.
> 
> Joe
> 
> > --- Joe Lewis <joe at joe-lewis.com> wrote:
> >> Have you run network checks to ensure that ports are
> >> being opened?  You might have a firewall on the sending side, the
> >> receiving side, or somewhere in between that is causing problems.
> >> Telnet on the radius port and verify that you can get a connection.
> >>
> >> Joe
> >>
> >> > Dear All,
> >> > I did install cyrus imapd 2.2.3 on redhat
> >> > enterprise 3. Now I want to authenticate users through a
> >> > radius server. I have done it previously on redhat 7.1
> >> > and it works fine. But now pam_radius does not send the
> >> > request to the radius server.
> >> > Maybe here
> >> > is not the proper place to ask this, but I thought you
> >> > might have such experience.
> >> >
> >> > I have:
> >> > --sasl_passwd_check=saslauthd sasl_mech_list=PLAIN
> >> > --in /etc/pam.d/pop I have
> >> > auth required  /lib/security/pam_radius_auth.so debug
> >> > --and have configured
> >> > /etc/raddb/server too and the permission is 755.
> >> > --Also /lib/security/pam_radius_auth.so is
> >> > available too. (pam_radius 1.3.16) I ran saslauthd with
> >> > -a pam , it gets the username but there
> >> > is no sign of sending the request to radius server.
> >> >
> >> > log:
> >> > saslauthd[2859]: rel_accept_lock : released accept lock
> >> > May22 saslauthd[2860]: get_accept_lock : acquired accept lock
> >> > May 2212:06:56 test saslauthd[2859]: pam_radius_auth: Got user name fatemehand
> >> >
> >> > nothing about sending request is found in log.
> >> >
> >> > With my tests I know that pam_radius_auth does read
> >> > the /etc/radd/server but does not send any request to
> >> > radius server. Also I know that this machine can
> >> > establish radius connection (udp/1812) to the
> >> > radius server. I tried it using nc command.  Any
> >> > comment is really appreciated.
> >> >
> >> >
> >> > Please help.
> >> > Thanks F. Taj
> >> > P.S, I have asked it in cyrus imapd and cyrus sasl
> >> > list too but no answer :(
> >>
> >>
> >> Joe Lewis
=== message truncated ===
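
A bounded version of the server-file loop posted at the top of this message, as an added example that is not pam_radius code and not from either poster. It limits the two `%s` fields so an overlong config line cannot overrun `hostname` or `secret`, and it performs the allocation checks the posted loop defers with "sometime later do memory checks here". `server_t`, `parse_servers`, `parse_text`, `FIELD_MAX` and the sample lines are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* strdup, fmemopen */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define FIELD_MAX 255             /* assumed limit; must match %255s below */
typedef struct server {           /* hypothetical stand-in for radius_server_t */
    char *hostname, *secret; int timeout; struct server *next;
} server_t;
/* Constructed sample input, not taken from the page. */
static const char SAMPLE[] = "# servers\n\nradius1.example.net s3cret 5\n"
                             "  radius2.example.net other 0\nonlyhost\n";

/* Returns servers appended to *head, or -1 on allocation failure (caller frees *head). */
int parse_servers(FILE *f, server_t **head)
{
    char buffer[1024], hostname[FIELD_MAX + 1], secret[FIELD_MAX + 1];
    server_t **tail = head, *tmp;
    int count = 0, timeout;
    *head = NULL;
    while (fgets(buffer, sizeof(buffer), f) != NULL) {
        char *p = buffer + strspn(buffer, " \t\r\n");
        if (*p == '\0' || *p == '#')
            continue;                       /* blank line or comment */
        timeout = 3;
        if (sscanf(p, "%255s %255s %d", hostname, secret, &timeout) < 2)
            continue;                       /* hostname or secret missing */
        if (strlen(hostname) == FIELD_MAX || strlen(secret) == FIELD_MAX)
            continue;                       /* hit the bound: reject, never truncate */
        if ((tmp = calloc(1, sizeof(*tmp))) == NULL)
            return -1;
        *tail = tmp; tail = &tmp->next;     /* link first so a failure below cannot leak tmp */
        tmp->hostname = strdup(hostname);
        tmp->secret = strdup(secret);
        if (tmp->hostname == NULL || tmp->secret == NULL)
            return -1;
        tmp->timeout = (timeout < 1 || timeout > 60) ? 3 : timeout;
        count++;
    }
    return count;
}

int parse_text(const char *text, server_t **head)  /* example helper: parse from memory */
{
    FILE *f = fmemopen((void *)text, strlen(text), "r");
    int n = f ? parse_servers(f, head) : -1;
    if (f) fclose(f);
    return n;
}
int main(void) { server_t *h; printf("%d servers\n", parse_text(SAMPLE, &h)); return 0; }
```

A field that fills the whole 255-byte bound is skipped rather than stored truncated, because a silently shortened shared secret would only show up later as failed authentication.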




	
		