Comments (12)
Interesting... Assume the same test rig as described above, by the way. Then... Debian packages a 'pamtester' package. If I search and replace (in my user database table, obviously) a username for email address and use 'pamtester' it authenticates fine with the email address as username at first, then after the search and replace authenticates fine with the email address as well, so the problem with authenticating as an email address with the code as-is must be elsewhere in the chain. But there is still the issue of having an email column as well as a username column to account for here so I'll probably write a patch for that and submit it.
from pam-mysql.
A slight expansion on the caveats around "saslauthd -r":
Note that the realm will still be passed, which may lead to unexpected behavior for authentication mechanisms that make use of the realm, however for mechanisms which don't, such as getpwent, this is the only way to authenticate domain-specific users sharing the same userid.
from pam-mysql.
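A simplified model of the caveat quoted above, added here as an illustration (it is not code from this thread, from saslauthd, or from pam-mysql): it shows which name reaches the lookup with and without the realm combined, and why a table with both a username and an email column only resolves a domain user uniquely when the combined name is compared against the email column. Assumptions: the caller splits `user@realm` at the last `@`, the table layout and sample accounts are constructed, the function names are hypothetical, and sqlite3 stands in for MySQL.

```python
import sqlite3

# Constructed sample accounts: two domains share the userid "alice".
ACCOUNTS = [
    ("alice", "alice@example.org", "mailbox-org"),
    ("alice", "alice@example.net", "mailbox-net"),
    ("bob", "bob@example.org", "mailbox-bob"),
]

def split_login(login):
    """Assumed caller behaviour: split 'user@realm' at the last '@'."""
    user, sep, realm = login.rpartition("@")
    return (user, realm) if sep else (login, "")

def backend_login(user, realm, combine_realm):
    """Model of 'saslauthd -r': join login and realm with '@' when enabled."""
    return f"{user}@{realm}" if combine_realm and realm else user

def make_db():
    """In-memory stand-in for the user table (username and email columns)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT, mailbox TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", ACCOUNTS)
    return db

def lookup(db, column, name):
    """Mailboxes whose `column` equals the name handed to the backend."""
    if column not in ("username", "email"):  # identifiers cannot be bound, so allow-list
        raise ValueError(column)
    rows = db.execute(
        f"SELECT mailbox FROM users WHERE {column} = ? ORDER BY mailbox", (name,)
    )
    return [r[0] for r in rows]

def resolve(login, combine_realm, column):
    """Full path: split the login, optionally recombine, then query the table."""
    user, realm = split_login(login)
    return lookup(make_db(), column, backend_login(user, realm, combine_realm))

if __name__ == "__main__":
    for flag, col in ((False, "username"), (True, "email"), (True, "username")):
        print(f"combine_realm={flag} column={col}:",
              resolve("alice@example.net", flag, col))
```

Two matches for one login is the ambiguity the caveat describes; an empty result with the realm combined is what a lookup against the username column alone would see.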
Heavily redacted, for obvious reasons. But... This would tend to suggest it's not saslauthd either:
login@server:~# testsaslauthd -u user@domain -p `cat /tmp/pass` -r "domain" -s service
0: OK "Success."
login@server:~# testsaslauthd -u user@domain -p `cat /tmp/pass` -r "" -s service
0: OK "Success."
Rather that it's in the server in front of both.
from pam-mysql.
There is a user-map PAM module that might accomplish this sort of thing a bit more easily, but it does not appear to have been picked up by Debian; I don't know about other major distros: https://mariadb.com/kb/en/configuring-pam-authentication-and-user-mapping-with-unix-authentication/#installing-the-pam_user_map-pam-module
from pam-mysql.
Thanks for your messages. Did you have any success in the end?
from pam-mysql.
The above is about as far as I took it by the looks of things. I was in the middle of a server build (one that would have benefited a bit from this capability) and had a bad day with a certain vendor's software products and felt like looking into it, but the rest of the server build took precedence. I'll try and return to it at some point, but can't make any promises. Probably the next time a certain vendor's products lead me down this path though!
It should be a trivial process to test, I just didn't want to do it on a production server with something compiled from source rather than a distro package. Maybe it's a job for a weekend though on a development machine first.
from pam-mysql.
Ok; thanks!
from pam-mysql.
Reasons uncertain, only the version of pam_user_map.c up to MariaDB 10.1 compiles. Later versions require a config_auth_pam.h file which is in the .gitignore for the MariaDB source code, but looks like it was intended to be included at some point. Maybe they couldn't get it to work with their new build system, who knows?
I got it to build basically by the book from the web page above once I found only up to 10.1 builds.
docker run -t -i debian:buster bash
apt-get update && apt-get install wget build-essential libpam0g-dev
cd /tmp/
wget https://raw.githubusercontent.com/MariaDB/server/10.1/plugin/auth_pam/mapper/pam_user_map.c
gcc pam_user_map.c -shared -lpam -fPIC -o pam_user_map.so
I think the Ansible run I was waiting on while doing this has got 'stuck' so I'd best return to it now.
from pam-mysql.
Oh, this seems to at least compile a more recent version:
root@6cf26832f024:/tmp# apt-get install libmariadb-dev
root@6cf26832f024:/tmp# wget https://raw.githubusercontent.com/MariaDB/server/10.6/plugin/auth_pam/mapper/pam_user_map.c
---> Edit the above to use plugin_auth_common.h instead of config_auth_pam.h
root@6cf26832f024:/tmp# gcc -I/usr/include/mariadb/mysql/ pam_user_map.c -shared -lpam -fPIC -o pam_user_map.so
But when I make it live with any of these 3 formats of map, I can't authenticate anything at all, it would appear:
"user@domain": otheruser
user@domain: otheruser
- Completely blank map file.
So I don't think the pam_user_map module is a thing that can help here or with any other such scenario either.
It does seem to authenticate if you have this type of thing in the map file:
user: otheruser
But thereafter my mail server cannot associate the user with its mailbox so that's no good, for me at least.
from pam-mysql.
Thanks for the info. I'll give it a try this evening, when I'm finished work.
from pam-mysql.
I did some more random research around this matter, and it seems that another tiresome consequence of the lack of it is that autoconfiguration for Thunderbird/Outlook can't work properly unless your username exactly matches your email address local part in all cases, because the only other dynamic option seems to be to use the full email address as a username.
from pam-mysql.
So, random further look at stuff, and this suggests that it is possible with pam-mysql at that, and it's dated 25 February 2015 (the significance being it's several years before Nigel ported this project to GitHub). Postfix though, and I don't use that.
The only immediately notable thing I can see there is that it only uses auth & account PAM checks, where my own config that I tested stuff on previously probably used session and other PAM modules as well by default, so maybe cutting things back to just pam-mysql will unlock this capability.
That's one for another day though as it's bed time here.
from pam-mysql.