Comments (12)

kyrian666 commented on July 29, 2024

Interesting... Assume the same test rig as described above, by the way. Then... Debian packages a 'pamtester' package. If I search and replace (in my user database table, obviously) a username for email address and use 'pamtester' it authenticates fine with the email address as username at first, then after the search and replace authenticates fine with the email address as well, so the problem with authenticating as an email address with the code as-is must be elsewhere in the chain. But there is still the issue of having an email column as well as a username column to account for here so I'll probably write a patch for that and submit it.

from pam-mysql.

kyrian666 avatar kyrian666 commented on July 29, 2024

A slight expansion on the caveats around "saslauthd -r":

         Note that the realm will still be passed, which may
         lead to unexpected behavior for authentication mechanisms that
         make use of the realm, however for mechanisms which don't, such
         as getpwent, this is the only way to authenticate domain-specific
         users sharing the same userid.

kyrian666 commented on July 29, 2024

Heavily redacted, for obvious reasons. But... This would tend to suggest it's not saslauthd either:

login@server:~# testsaslauthd -u user@domain -p `cat /tmp/pass`  -r "domain" -s service
0: OK "Success."
login@server:~# testsaslauthd -u user@domain -p `cat /tmp/pass`  -r "" -s service
0: OK "Success."

Rather that it's in the server in front of both.

kyrian666 commented on July 29, 2024

There is a user-map PAM module that might accomplish this sort of thing a bit more easily, but it does not appear to have been picked up by Debian; I don't know about other major distros: https://mariadb.com/kb/en/configuring-pam-authentication-and-user-mapping-with-unix-authentication/#installing-the-pam_user_map-pam-module

NigelCunningham commented on July 29, 2024

Thanks for your messages. Did you have any success in the end?

kyrian666 commented on July 29, 2024

The above is about as far as I took it by the looks of things. I was in the middle of a server build (one that would have benefited a bit from this capability) and had a bad day with a certain vendor's software products and felt like looking into it, but the rest of the server build took precedence. I'll try and return to it at some point, but can't make any promises. Probably the next time a certain vendor's products lead me down this path though!

It should be a trivial process to test, I just didn't want to do it on a production server with something compiled from source rather than a distro package. Maybe it's a job for a weekend though on a development machine first.

NigelCunningham commented on July 29, 2024

Ok; thanks!

kyrian666 commented on July 29, 2024

Reasons uncertain, only the version of pam_user_map.c up to MariaDB 10.1 compiles. Later versions require a config_auth_pam.h file which is in the .gitignore for the MariaDB source code, but looks like it was intended to be included at some point. Maybe they couldn't get it to work with their new build system, who knows?

I got it to build basically by the book from the web page above once I found only up to 10.1 builds.

docker run -t -i debian:buster bash
apt-get update && apt-get install wget build-essential libpam0g-dev
cd /tmp/
wget https://raw.githubusercontent.com/MariaDB/server/10.1/plugin/auth_pam/mapper/pam_user_map.c
gcc pam_user_map.c -shared -lpam -fPIC -o pam_user_map.so

I think the ansible run I was waiting on while doing this has got 'stuck' so I'd best return to it now.

kyrian666 commented on July 29, 2024

Oh, this seems to at least compile a more recent version:

root@6cf26832f024:/tmp# apt-get install libmariadb-dev
root@6cf26832f024:/tmp# wget https://raw.githubusercontent.com/MariaDB/server/10.6/plugin/auth_pam/mapper/pam_user_map.c
---> Edit the above to use plugin_auth_common.h instead of config_auth_pam.h
root@6cf26832f024:/tmp# gcc -I/usr/include/mariadb/mysql/ pam_user_map.c -shared -lpam -fPIC -o pam_user_map.so

But when I make it live with any of these 3 formats of map, I can't authenticate anything at all, it would appear:

  1. "user@domain": otheruser

  2. user@domain: otheruser

  3. Completely blank map file.

So I don't think the pam_user_map module is a thing that can help here or with any other such scenario either.

It does seem to authenticate if you have this type of thing in the map file:

user: otheruser

But thereafter my mail server cannot associate the user with its mailbox so that's no good, for me at least.

NigelCunningham commented on July 29, 2024

Thanks for the info. I'll give it a try this evening, when I'm finished work.

kyrian666 commented on July 29, 2024

I did some more random research around this matter, and it seems that another tiresome consequence of the lack of it is that autoconfiguration for Thunderbird/Outlook can't work properly unless your username exactly matches your email address local part in all cases, because the only other dynamic option seems to be to use the full email address as a username.

kyrian666 commented on July 29, 2024

So, random further look at stuff, and this suggests that it is possible with pam-mysql at that, and it's dated 25 February 2015 (the significance being it's several years before Nigel ported this project to GitHub). Postfix though, and I don't use that.

https://us.informatiweb-pro.net/system-admin/linux/debian-install-and-secure-a-complete-mail-server--4.html

The only immediately notable thing I can see there is that it only uses auth & account PAM checks, where my own config that I tested stuff on previously probably used session and other PAM modules as well by default, so maybe cutting things back to just pam-mysql will unlock this capability.

That's one for another day though as it's bed time here.


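A PAM service file of the shape the last comment describes, with only the auth and account phases defined and both handled by pam-mysql, keyed on an email column rather than a username column. This is an added illustration, not taken from the thread or from the linked guide; the service name, database credentials, table and column names are placeholders.

```conf
# /etc/pam.d/<service>  (constructed example; <service> is the name the
# mail daemon passes to PAM)
#
# Only auth and account are defined, both handled by pam-mysql.
# No session or password lines, and no @include of the distro's common-* stacks.
#
# Placeholders: DB_USER, DB_PASS, DB_NAME, the "users" table and its
# "email" / "password" columns are hypothetical. crypt=1 selects crypt(3) hashes.
# This file contains database credentials: keep it owned by root, mode 0600.
auth    required pam_mysql.so user=DB_USER passwd=DB_PASS host=127.0.0.1 db=DB_NAME table=users usercolumn=email passwdcolumn=password crypt=1
account required pam_mysql.so user=DB_USER passwd=DB_PASS host=127.0.0.1 db=DB_NAME table=users usercolumn=email passwdcolumn=password crypt=1
```

Running `pamtester <service> user@domain authenticate acct_mgmt` exercises exactly these two phases, which separates a PAM-stack problem from one in saslauthd or the mail server in front of it.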