[pgpool-general: 6735] PAM authentication error
Rafael Rios Saavedra
rafael.rios.saavedra at gmail.com
Wed Oct 16 23:51:47 JST 2019
Hi
I am trying to set up pgpool with LDAP authentication (via PAM), but when I
try to log in as a user I get this message:
# PGPASSWORD=admin psql -U admin -h localhost
psql: ERROR: failed to authenticate with backend using md5
DETAIL: valid password not found
On the LDAP server I can see the requests from pgpool, and none of them
returns an error.
If I use a wrong password, I get the following error, which is the expected behaviour:
# PGPASSWORD=adm psql -U admin -h localhost
psql: FATAL: failed authentication against PAM
DETAIL: pam_authenticate failed: Authentication failure
I have added the user to the pool_passwd file, and then it works. It seems
that even when PAM authenticates the user, pgpool still tries to re-validate
the password against the pool_passwd file.
Am I missing something? Do I need to set any other parameter?
If this is not the right place to post this question, please point me to
the right place.
Thanks beforehand.
----8<-------------------
Log messages:
The pgpool log is:
2019-10-16 14:29:37: pid 336: WARNING: unable to get password, password
file descriptor is NULL
2019-10-16 14:29:37: pid 336: ERROR: failed to authenticate with backend
using md5
2019-10-16 14:29:37: pid 336: DETAIL: valid password not found
The ldap log is:
5da7261e conn=1020 op=7 SRCH base="dc=example,dc=org" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=admin))"
5da7261e conn=1020 op=7 SRCH attr=uid uidNumber
5da7261e conn=1020 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text=
5da7261e conn=1022 fd=22 ACCEPT from IP=172.28.0.6:51814 (IP=0.0.0.0:389)
5da7261e conn=1022 op=0 BIND dn="cn=admin,dc=example,dc=org" method=128
5da7261e conn=1022 op=0 BIND dn="cn=admin,dc=example,dc=org" mech=SIMPLE
ssf=0
5da7261e conn=1022 op=0 RESULT tag=97 err=0 text=
5da7261e conn=1022 op=1 SRCH base="cn=admin,dc=example,dc=org" scope=0
deref=0 filter="(objectClass=*)"
5da7261e conn=1022 op=1 SRCH attr=dn
5da7261e conn=1022 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
5da7261e conn=1022 op=2 ABANDON msg=2
5da7261e conn=1022 op=3 UNBIND
5da7261e conn=1022 fd=22 closed
5da7261e conn=1020 op=8 SRCH base="dc=example,dc=org" scope=2 deref=0
filter="(&(objectClass=shadowAccount)(uid=admin))"
5da7261e conn=1020 op=8 SRCH attr=shadowExpire shadowInactive shadowFlag
shadowWarning shadowLastChange uid shadowMin shadowMax
5da7261e conn=1020 op=8 SEARCH RESULT tag=101 err=0 nentries=1 text=
5da7261e conn=1020 op=9 ABANDON msg=9
5da7261e conn=1020 op=10 SRCH base="dc=example,dc=org" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=admin))"
5da7261e conn=1020 op=10 SRCH attr=uid uidNumber
5da7261e conn=1020 op=10 SEARCH RESULT tag=101 err=0 nentries=1 text=
5da7261e conn=1020 op=11 SRCH base="dc=example,dc=org" scope=2 deref=0
filter="(&(objectClass=shadowAccount)(uid=admin))"
5da7261e conn=1020 op=11 SRCH attr=shadowExpire shadowInactive shadowFlag
shadowWarning shadowLastChange uid shadowMin shadowMax
5da7261e conn=1020 op=11 SEARCH RESULT tag=101 err=0 nentries=1 text=
5da7261e conn=1020 op=12 ABANDON msg=12
The nslcd log is:
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [e87ccd] DEBUG: connection from pid=336 uid=888 gid=888
nslcd: [e87ccd] <authc="admin"> DEBUG:
nslcd_pam_authc("admin","mysqld","***")
nslcd: [e87ccd] <authc="admin"> DEBUG:
myldap_search(base="dc=example,dc=org",
filter="(&(objectClass=posixAccount)(uid=admin))")
nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_initialize(ldap://ldap)
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_rebind_proc()
nslcd: [e87ccd] <authc="admin"> DEBUG:
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [e87ccd] <authc="admin"> DEBUG:
ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [e87ccd] <authc="admin"> DEBUG:
ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [e87ccd] <authc="admin"> DEBUG:
ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [e87ccd] <authc="admin"> DEBUG:
ldap_simple_bind_s("cn=admin,dc=example,dc=org","***") (uri="ldap://ldap")
nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_result():
cn=admin,dc=example,dc=org
nslcd: [e87ccd] <authc="admin"> DEBUG:
myldap_search(base="cn=admin,dc=example,dc=org", filter="(objectClass=*)")
nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_initialize(ldap://ldap)
nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_rebind_proc()
nslcd: [e87ccd] <authc="admin"> DEBUG:
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [e87ccd] <authc="admin"> DEBUG:
ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [e87ccd] <authc="admin"> DEBUG:
ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [e87ccd] <authc="admin"> DEBUG:
ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [e87ccd] <authc="admin"> DEBUG:
ldap_simple_bind_s("cn=admin,dc=example,dc=org","***") (uri="ldap://ldap")
nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_result():
cn=admin,dc=example,dc=org
nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_unbind()
nslcd: [e87ccd] <authc="admin"> DEBUG: bind successful
nslcd: [e87ccd] <authc="admin"> DEBUG:
myldap_search(base="dc=example,dc=org",
filter="(&(objectClass=shadowAccount)(uid=admin))")
nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_result():
cn=admin,dc=example,dc=org
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [1b58ba] DEBUG: connection from pid=336 uid=888 gid=888
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [1b58ba] <authz="admin"> DEBUG:
nslcd_pam_authz("admin","mysqld","","","")
nslcd: [1b58ba] <authz="admin"> DEBUG:
myldap_search(base="dc=example,dc=org",
filter="(&(objectClass=posixAccount)(uid=admin))")
nslcd: [1b58ba] <authz="admin"> DEBUG: ldap_result():
cn=admin,dc=example,dc=org
nslcd: [1b58ba] <authz="admin"> DEBUG:
myldap_search(base="dc=example,dc=org",
filter="(&(objectClass=shadowAccount)(uid=admin))")
nslcd: [1b58ba] <authz="admin"> DEBUG: ldap_result():
cn=admin,dc=example,dc=org
Configuration files are:
pg_hba.conf:
local all all trust
host all replication_user all trust
host all all all pam
pamservice=postgresql
pgpool.conf:
...
# - Authentication -
enable_pool_hba = on
pool_passwd = ''
#pool_passwd = 'pool_passwd'
...