pam_radius + saslauthd + cyrus imapd

Joe Lewis joe at joe-lewis.com
Mon May 31 02:16:49 UTC 2004


> Joe
> As I said:
>  Also I know that this machine can
>> establish radius connection (udp/1812) to the
>> radius server. I tried it using nc command.

Sorry about that.  Sometimes I read WAY too quickly.

> Using nc command I could establish udp connection to
> 1812 port and the firewall permits the connection.
> It's not a network problem :(

Okay.  After the module prints "Got user name %s", it calls a function
initialize().  This function gets the IP address of the host to contact
for the radius information.  If it returns any PAM_* errors, the module
will quit right there.  However, if it continues on, there is the next
step of checking for the service name or the client_id - if both of those
fail, the module will quit.  At this point, an open socket should be
connected to the Radius server, and the module sets up the Radius packet.
But it won't quit here.  It grabs the password, and then determines if it
fails.  If it does not, you should see a debug message stating "Got
password %s".

So, in this process, there are actually a multitude of ways that this
could be "malfunctioning".  If it can't find the /etc/raddb/servers file,
it will complain and log it.  So, obviously, you DO have the file and it
is in the right place.  In addition, in the initialize function, it checks
for server configs, and that is working fine.  Then it opens the socket.
If it fails to open the socket, IT SHOULD PRINT A LOG LINE.  Now, I would
suggest that you dump a couple of

 _pam_log(LOG_ERR, "Failed to open RADIUS socket: %s\n", strerror(errno));

lines throughout the code, primarily AFTER the initialize function exits,
and then throughout the initialize function itself.  This should help you
pinpoint exactly what process is causing the problem.

The other option is to run 'gdb' on it (attach it to the process after it
is started).  Try doing it in the "su" service, so that you can do most of
the leg work on the command line.  Then you can step through the process
to figure out what is going on.  Some time between printing "Got user
name" and the next print functions, the module is doing something wrong.
Let me know what you find.

Joe

> Joe
> As I said:
>  Also I know that this machine can
>> establish radius connection (udp/1812) to the
>> radius server. I tried it using nc command.
>
> Using nc command I could establish udp connection to
> 1812 port and the firewall permits the connection.
> It's not a network problem :(
>
> --Fatemeh
>
> --- Joe Lewis <joe at joe-lewis.com> wrote:
>> Have you run network checks to ensure that ports are being opened?  You
>> might have a firewall on the sending side, the receiving side, or
>> somewhere in between that is causing problems.  Telnet on the radius port
>> and verify that you can get a connection.
>>
>> Joe
>>
>> > Dear All,
>> > I did install cyrus imapd 2.2.3 on redhat enterprise 3.  Now I want to
>> > authenticate users through a radius server.  I have done it previously
>> > on redhat 7.1 and it works fine, but now pam_radius does not send the
>> > request to the radius server.  Maybe here is not the proper place to
>> > ask this, but I thought you might have such experience.
>> >
>> > I have:
>> > --sasl_passwd_check=saslauthd sasl_mech_list=PLAIN
>> > --in /etc/pam.d/pop I have
>> > auth required  /lib/security/pam_radius_auth.so debug
>> > --and have configured /etc/raddb/server too and the permission is 755.
>> > --Also /lib/security/pam_radius_auth.so is available too. (pam_radius
>> > 1.3.16)  I ran saslauthd with -a pam; it gets the username but there
>> > is no sign of sending the request to the radius server.
>> >
>> > log:
>> > saslauthd[2859]: rel_accept_lock : released accept lock
>> > May 22 saslauthd[2860]: get_accept_lock : acquired accept lock
>> > May 22 12:06:56 test saslauthd[2859]: pam_radius_auth: Got user name fatemehand
>> >
>> > nothing about sending request is found in log.
>> >
>> > With my tests I know that pam_radius_auth does read the /etc/radd/server
>> > but does not send any request to the radius server.  Also I know that
>> > this machine can establish radius connection (udp/1812) to the radius
>> > server.  I tried it using nc command.  Any comment is really appreciated.
>> >
>> > Please help.
>> > Thanks F. Taj
>> > P.S. I have asked it in cyrus imapd and cyrus sasl list too but no
>> > answer :(
>> >
>> > _______________________________________________
>> > Pam-list mailing list
>> > Pam-list at redhat.com
>> > https://www.redhat.com/mailman/listinfo/pam-list
>> >
>>
>>
>> Joe Lewis


Joe Lewis
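The thread's network test is an nc "connection" on udp/1812, which on UDP only proves that no ICMP unreachable came back; it says nothing about whether the server accepts this client or shares its secret. The following is an added example, not code from this thread, from pam_radius_auth or from cyrus: a minimal RFC 2865 Access-Request client using PAP, so the RADIUS path can be exercised independently of PAM and saslauthd, and a reply can be authenticated rather than merely received. The server address, port, shared secret, NAS-Identifier and the user/password are assumptions for illustration; the self-check at the bottom runs fully offline against a reply it constructs itself.

```python
"""Added example: RFC 2865 PAP Access-Request client for checking the RADIUS
path that pam_radius_auth is supposed to use.  Secret, host, NAS-Identifier
and credentials below are assumed values, not taken from the thread."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

def pap_encrypt(password, secret, request_auth):
    """RFC 2865 s5.2: zero-pad to 16-octet blocks; C_i = P_i XOR MD5(secret + C_{i-1}),
    with C_0 being the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out

def pap_decrypt(encrypted, secret, request_auth):
    """Inverse of pap_encrypt (the server's side); trailing zero padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(encrypted), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encrypted[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def attribute(atype, value):
    """Type(1) Length(1, counting these two octets) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident, user, password, secret, nas_id=b"pam-test", request_auth=None):
    """Return (packet, request_authenticator); the authenticator is random unless supplied."""
    request_auth = request_auth if request_auth is not None else os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_USER_PASSWORD, pap_encrypt(password.encode(), secret, request_auth))
             + attribute(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth
    return header + attrs, request_auth

def parse_attributes(body):
    """Walk the TLV list strictly: a bad length is an error, never a guess."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        out.append((atype, body[i + 2:i + alen]))
        i += alen
    return out

def verify_response(resp, request_auth, secret, expect_id):
    """Check length, identifier and the Response Authenticator
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret); return the Code."""
    if len(resp) < 20:
        raise ValueError("packet shorter than the 20-octet header")
    code, ident, length = struct.unpack("!BBH", resp[:4])
    if length < 20 or length > len(resp):
        raise ValueError("Length field inconsistent with packet")
    resp = resp[:length]                      # octets past Length are padding
    if ident != expect_id:
        raise ValueError("identifier does not match our request")
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return code

def make_response(code, ident, request_auth, secret, attrs=b""):
    """Build a reply exactly as a server would; used here to construct offline test data."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + auth + attrs

def send_request(host, packet, port=1812, timeout=3.0):
    """Live check: one datagram to the server; raises socket.timeout if nothing answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, port))
        data, _ = s.recvfrom(4096)
    return data

if __name__ == "__main__":
    # Offline self-check with constructed values (assumed secret and credentials).
    secret = b"testing123"
    pkt, ra = build_access_request(7, "fatemeh", "s3cret", secret)
    assert pap_decrypt(dict(parse_attributes(pkt[20:]))[ATTR_USER_PASSWORD], secret, ra) == b"s3cret"
    ok = make_response(ACCESS_ACCEPT, 7, ra, secret)
    print("constructed Access-Accept verifies:", verify_response(ok, ra, secret, 7) == ACCESS_ACCEPT)
    # Against a real server (assumed address): verify_response(send_request("10.0.0.1", pkt), ra, secret, 7)
```

Used live with the secret from /etc/raddb/server, the outcomes separate the failure modes the thread is guessing at: a socket timeout means nothing answered (firewall, wrong host, or this client not listed in the server's client configuration, which RADIUS servers answer with silence); an Access-Reject whose Response Authenticator verifies means the server is reachable and the secret matches, so only the credentials are wrong; a verification failure means the secret differs or something in the path rewrote the reply. Running `tcpdump -ni any udp port 1812` on the IMAP host while saslauthd authenticates then settles the remaining question: if this script gets a reply but nothing leaves the box when pam_radius_auth runs, the fault is in the module or the PAM configuration, not the network.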