Re: anyone knows about pam_pgsql ?

trying for days now to get documentation about this tool that would
allow me to authenticate users for different services via a
postgres-database on my linuxsystem.

I obtained two versions: 0.03 which I cant even compile and 0.9.3
which I can compile but there is not a single byte docs coming with
it, so I tried based on two postings from googles and failed ...

#%PAM-1.0

auth sufficient /usr/local/lib/pam_pgsql.so user=peter passwd=xxxx host=limpio.local db=auth table=users usercolumn=username passwdcolumn=userpass crypt=1 where=status=1

the failmessage was (definitely OT here ...)
Nov 20 12:59:54 lupo imapd[14134]: accepted connection
Nov 20 12:59:58 lupo imapd[14134]: PAM unable to dlopen(/usr/local/lib/pam_pgsql.so)
Nov 20 12:59:58 lupo imapd[14134]: PAM [dlerror: /usr/local/lib/pam_pgsql.so: undefined symbol: sqlca]
Nov 20 12:59:58 lupo imapd[14134]: PAM adding faulty module: /usr/local/lib/pam_pgsql.so
Nov 20 13:00:01 lupo master[26807]: process 14134 exited, status 0

thnx,
peter

--
mag. peter pilsl

phone: +43 676 3574035
fax : +43 676 3546512
email: pilsl(at)goldfisch(dot)at
sms : pilsl(at)max(dot)mail(dot)at

pgp-key available

Hello Peter,

there is another pam-module, which might work. You can find it in
http://sourceforge.net/projects/sysauth-pgsql. I'm not sure how good
this work. I tried nss-pgsql version 0.9.0 from the same author and run
into massive problems. Maybe version 1.0.0 is better. I didn't try it.
My solution was to create my own version of nss-pgsql. If you need it,
you can find it on my homepage http://www.maekitalo.de.

Tommi

Peter Pilsl wrote:

>trying for days now to get documentation about this tool that would
>allow me to authenticate users for different services via a
>postgres-database on my linuxsystem.
>
>I obtained two versions: 0.03 which I cant even compile and 0.9.3
>which I can compile but there is not a single byte docs coming with
>it, so I tried based on two postings from googles and failed ...
>
>#%PAM-1.0
>
>auth sufficient /usr/local/lib/pam_pgsql.so user=peter passwd=xxxx host=limpio.local db=auth table=users usercolumn=username passwdcolumn=userpass crypt=1 where=status=1
>
>
>the failmessage was (definitely OT here ...)
>Nov 20 12:59:54 lupo imapd[14134]: accepted connection
>Nov 20 12:59:58 lupo imapd[14134]: PAM unable to dlopen(/usr/local/lib/pam_pgsql.so)
>Nov 20 12:59:58 lupo imapd[14134]: PAM [dlerror: /usr/local/lib/pam_pgsql.so: undefined symbol: sqlca]
>Nov 20 12:59:58 lupo imapd[14134]: PAM adding faulty module: /usr/local/lib/pam_pgsql.so
>Nov 20 13:00:01 lupo master[26807]: process 14134 exited, status 0
>
>thnx,
>peter
>

thnx a lot for your reply. I would like to give the nss a try, but I
dont have the slightest idea how to use it (in case I managed to
compile).

I just know how to use pam by adding a appropriate login-file to /etc/pam.d/ that contains things like:
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so

how would look this enty in case I'm using one of the nss-pgsql-tools ?

sorry, but I'm really 100% newbie on nss.

thnx,
peter

On Tue, Nov 20, 2001 at 04:00:41PM +0100, Tommi Mäkitalo wrote:
> Hello Peter,
>
> there is another pam-module, which might work. You can find it in
> http://sourceforge.net/projects/sysauth-pgsql. I'm not sure how good
> this work. I tried nss-pgsql version 0.9.0 from the same author and run
> into massive problems. Maybe version 1.0.0 is better. I didn't try it.
> My solution was to create my own version of nss-pgsql. If you need it,
> you can find it on my homepage http://www.maekitalo.de.
>
> Tommi
>
>
>
> Peter Pilsl wrote:
>
> >trying for days now to get documentation about this tool that would
> >allow me to authenticate users for different services via a
> >postgres-database on my linuxsystem.
> >
> >I obtained two versions: 0.03 which I cant even compile and 0.9.3
> >which I can compile but there is not a single byte docs coming with
> >it, so I tried based on two postings from googles and failed ...
> >
> >#%PAM-1.0
> >
> >auth sufficient /usr/local/lib/pam_pgsql.so user=peter passwd=xxxx host=limpio.local db=auth table=users usercolumn=username passwdcolumn=userpass crypt=1 where=status=1
> >
> >
> >the failmessage was (definitely OT here ...)
> >Nov 20 12:59:54 lupo imapd[14134]: accepted connection
> >Nov 20 12:59:58 lupo imapd[14134]: PAM unable to dlopen(/usr/local/lib/pam_pgsql.so)
> >Nov 20 12:59:58 lupo imapd[14134]: PAM [dlerror: /usr/local/lib/pam_pgsql.so: undefined symbol: sqlca]
> >Nov 20 12:59:58 lupo imapd[14134]: PAM adding faulty module: /usr/local/lib/pam_pgsql.so
> >Nov 20 13:00:01 lupo master[26807]: process 14134 exited, status 0
> >
> >thnx,
> >peter
> >
>
>
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 2: you can get off all lists at once with the unregister command
> (send "unregister YourEmailAddressHere" to majordomo(at)postgresql(dot)org)
>

--
mag. peter pilsl

phone: +43 676 3574035
fax : +43 676 3546512
email: pilsl(at)goldfisch(dot)at
sms : pilsl(at)max(dot)mail(dot)at

pgp-key available

Hello Peter,

nss and pam are different things. Pam is almost unusable without a
suitable nss-module. Nss make a user to exist in your system. Pam
checkes (among other things), if he is allowed to use a service. If you
use pam_pgsql without libnss-pgsql you have to add every user to your
/etc/passwd. But you don't need to give them passwords. That's what pam
does.

I checked my version of libnss-pgsql. I get a compile-error in
backend.c. The include-path of postgresql is errorenous. I checked that
and updated to 0.9.0tm3. The version libnss-pgsql-1.00 has the same bug.

There instructions to install the module is almost not there. You should
do this:
- download
- tar xvzf libnss-pgsql-0.9.0tm3.tar.gz
- cd libnss-pgsql-0.9.0tm3
- ./configure
- make
- make install (as root)
- set up your database (you can find a example schema in crebas.sql)
- edit nss-pgsql.conf and copy to /etc/nss-pgsql.conf
- edit /etc/nsswitch.conf to use pgsql (change 'passwd: compat' to
'passwd: files pgsql' and 'group: compat' to 'group: files pgsql'

It should work now. You can try it out with 'chown pguser ttt'. The file
ttt need not exist. 'chown' should complain about it. If you libnss does
not work it complains about not existing user 'pguser'.

Tommi

Peter Pilsl wrote:

>thnx a lot for your reply. I would like to give the nss a try, but I
>dont have the slightest idea how to use it (in case I managed to
>compile).
>
>I just know how to use pam by adding a appropriate login-file to /etc/pam.d/ that contains things like:
>auth required /lib/security/pam_securetty.so
>auth required /lib/security/pam_stack.so service=system-auth
>auth required /lib/security/pam_nologin.so
>account required /lib/security/pam_stack.so service=system-auth
>password required /lib/security/pam_stack.so service=system-auth
>session required /lib/security/pam_stack.so service=system-auth
>session optional /lib/security/pam_console.so
>
>how would look this enty in case I'm using one of the nss-pgsql-tools ?
>
>sorry, but I'm really 100% newbie on nss.
>
>thnx,
>peter
>
>>
...

For everyone who is using postgres for NSS, please email me and let me
know what package you are using and where you got it. I would like to
update my HOW-TO at http://blue-labs.org/clue/NSS-pgsql.php.

Thank you,
David

Tommi Mäkitalo wrote:

>
> ------------------------------------------------------------------------
>
> Subject:
>
> Re: [GENERAL] anyone knows about pam_pgsql ?
> From:
>
> Tommi Mäkitalo <t(dot)maekitalo(at)epgmbh(dot)de>
> Date:
>
> Mon, 26 Nov 2001 11:04:21 +0100
> To:
>
> Peter Pilsl <pilsl(at)goldfisch(dot)at>
>
> To:
>
> Peter Pilsl <pilsl(at)goldfisch(dot)at>
> CC:
>
> postgres mailinglist <pgsql-general(at)postgresql(dot)org>
>
>
> Hello Peter,
>
> nss and pam are different things. Pam is almost unusable without a
> suitable nss-module. Nss make a user to exist in your system. Pam
> checkes (among other things), if he is allowed to use a service. If
> you use pam_pgsql without libnss-pgsql you have to add every user to
> your /etc/passwd. But you don't need to give them passwords. That's
> what pam does.
>
> I checked my version of libnss-pgsql. I get a compile-error in
> backend.c. The include-path of postgresql is errorenous. I checked
> that and updated to 0.9.0tm3. The version libnss-pgsql-1.00 has the
> same bug.
>
> There instructions to install the module is almost not there. You
> should do this:
> - download
> - tar xvzf libnss-pgsql-0.9.0tm3.tar.gz
> - cd libnss-pgsql-0.9.0tm3
> - ./configure
> - make
> - make install (as root)
> - set up your database (you can find a example schema in crebas.sql)
> - edit nss-pgsql.conf and copy to /etc/nss-pgsql.conf
> - edit /etc/nsswitch.conf to use pgsql (change 'passwd: compat' to
> 'passwd: files pgsql' and 'group: compat' to 'group: files pgsql'
>
> It should work now. You can try it out with 'chown pguser ttt'. The
> file ttt need not exist. 'chown' should complain about it. If you
> libnss does not work it complains about not existing user 'pguser'.
>
>
> Tommi
>
>
> Peter Pilsl wrote:
>
>> thnx a lot for your reply. I would like to give the nss a try, but I
>> dont have the slightest idea how to use it (in case I managed to
>> compile).
>>
>> I just know how to use pam by adding a appropriate login-file to
>> /etc/pam.d/ that contains things like:
>> auth required /lib/security/pam_securetty.so
>> auth required /lib/security/pam_stack.so service=system-auth
>> auth required /lib/security/pam_nologin.so
>> account required /lib/security/pam_stack.so service=system-auth
>> password required /lib/security/pam_stack.so service=system-auth
>> session required /lib/security/pam_stack.so service=system-auth
>> session optional /lib/security/pam_console.so
>>
>> how would look this enty in case I'm using one of the nss-pgsql-tools ?
>>
>> sorry, but I'm really 100% newbie on nss.
>> thnx,
>> peter
>>
>>>
> ...
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 3: if posting/reading through Usenet, please send an appropriate
> subscribe-nomail command to majordomo(at)postgresql(dot)org so that your
> message can get through to the mailing list cleanly

Here is the corresponding entry from my internal knowledge-base: it
includes many information that was valueable for me and also
information about different versions I tried and where I downloaded
them ...
It also includes much thanx to Tommi - I never would have made it
without it (if you include parts of my info, please include this
thanks)

I didnt even know about your howto - if your update it, pleae be sure
to mail me and maybe Tommi and the other project can set a link to
your page.

best,
peter

----------

Finally I made userauthentication via a postgresdatabase working. I
could not get a pam-module working, but a libnss-module.
While I dont know much about this, imho libnss is still a level
deeper than pam. So a application can auth via pam and pam is then
using nss.

A typical pam-entry would look like:
account required /lib/security/pam_unix.so

and this pam_unix will then use configs defined in nsswitch.conf (see
below) at the moment I got it working with samba and cyrus imapd
(details see below or seperate entries)

but now to work:

This all is happening under Mandrake 8.x. The final installation
occured on a brand new Mandrake8.1-installation, but I had the same
problems with several Mandrake8.0-Machines.

I) download the libnss-pgsql-source.
There are different version out there:

Tommi Mkitalo, who helped me very much with this stuff has versions
under http://www.maekitalo.de, that were segfaulting here (maybe due a
wrong configured postgres-server). His version seems to be based on
version 0.9 of the official sourceforge-sysauth-pgsql-project that can
be found under http://sourceforge.net/projects/sysauth-pgsql There I
downloaded version libnss-pgsql-1.0.0. All the following applies to
this version, but when trying to compile I encountered the same
problems on both version. The 1.0.0 has a bit more features. It gives
errors when the database is misconfigured and the groups-command is
working .. but basically they seem to do exactely the same.

II) prerequisites:

I dont know which of the following steps are really necessary to
compile the libnss_pgsql-module, cause first I tried pam_pgsql and few
of these steps were needed to compile pam_pgsql ..

I had a full working postgres-installation installed (compiled
manually, so it contains all the headers and so on). Unfortunately I
had some problems with the libs. Even when I added the
postgres-lib-path to /etc/ld.so.config by adding a line
'/usr/local/pgsql/lib' and running ldconfig the libs were not linked
proper. So I copied the libs from /usr/local/pgsql/lib to
/usr/local/lib and it worked. Also there were problems of missing
header-files when compiling libss_pgsql. To avoid this, I copied all
postgres-headers to the libnss-src (not overwrite config.h !!) and
additionally edit the file src/backend.c and changed the line #include
<postgresql/libpq-fe.h> to #include <libpq-fe.h>

My pam was installed per rpm on install and I had to install the package pam-devel.rpm to get the needed pam-headerfiles.

* get, compile, install full postgres 7.1.3
* cp -d /usr/local/pgsql/lib/* /usr/local/lib/*
* cp /usr/local/pgsql/include/*.h /usr/src/libnss_pgsql-1.0.0/src/
# !! dont overwrite config.h !!!
* vi src/backend.c # change the #include <postgresql/libpq-fe.h> -line
* install pam-devel.rpm

III) compile

./configure --with-gnu-ld

I didnt specify the target-directories in this step, so I had to deal
with wrong dirs later .. Maybe using the --prefix=/ option would have
been a fine idea ..

make

Nothing bad should happen here anymore, but you should see the -lpq
switch on the commandlines running by. Now you can test, if the file
was compiled proper:

# ld src/.libs/libnss_pgsql.so
ld: warning: cannot find entry symbol _start; not setting start address

There should be no more warning/error than this (not PQxxx missing or
whatever)

make install

IV) postrequisites

Guess you wont need that if you use the correct prefix-option above.

* cp -d /usr/local/lib/libnss_pgsql* /lib/
* touch /etc/nss-pgsql.conf; ln -s /etc/nss-pgsql.conf /usr/local/etc/nss-pgsql.conf

V) config

I followed the instructions in the conf/-subfolder. There is a very
nice demo-database that I modified a bit (removed the subnet and
modem-entry and added my own addons). There are three tables:

* groups will hold the groups
* accounts will hold der user
* usergroups will relate the two other tables. You can add user-group-relations here. Just add the UID/GID - combination here for each group

-----------

--
mag. peter pilsl

phone: +43 676 3574035
fax : +43 676 3546512
email: pilsl(at)goldfisch(dot)at
sms : pilsl(at)max(dot)mail(dot)at

pgp-key available