[pgpool-general: 6754] Re: PAM authentication error
Takuma Hoshiai
hoshiai at sraoss.co.jp
Mon Oct 28 14:14:11 JST 2019
Hi,
On Wed, 16 Oct 2019 16:51:47 +0200
Rafael Rios Saavedra <rafael.rios.saavedra at gmail.com> wrote:
> Hi
> I am trying to set up pgpool with LDAP authentication, but when I try to
> log in with a user I get this message:
> # PGPASSWORD=admin psql -U admin -h localhost
> psql: ERROR: failed to authenticate with backend using md5
> DETAIL: valid password not found
>
> In the LDAP server I can see the request from pgpool and none is returned
> with an error.
>
> If I use a wrong password, I get the following error, which is right:
> # PGPASSWORD=adm psql -U admin -h localhost
> psql: FATAL: failed authentication against PAM
> DETAIL: pam_authenticate failed: Authentication failure
>
> I have added the user to the pool_passwd file, and then it works. It seems
> that even when PAM authenticates the user, pgpool still tries to re-validate
> the password against the pool_passwd file.
>
> Am I missing something? Do I need to set any other parameter?
> If this is not the right place to post these questions, please point me to
> the right place.
I think that this problem is authentication between pgpool and PostgreSQL,
not PAM authentication (between client and pgpool). So, please share your pg_hba.conf and pool_hba.conf.
And which pgpool version do you use?
> Thanks beforehand.
>
> ----8<-------------------
> Logs messages:
>
> The pgpool log is:
> 2019-10-16 14:29:37: pid 336: WARNING: unable to get password, password file descriptor is NULL
> 2019-10-16 14:29:37: pid 336: ERROR: failed to authenticate with backend using md5
> 2019-10-16 14:29:37: pid 336: DETAIL: valid password not found
>
> The ldap log is:
> 5da7261e conn=1020 op=7 SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=admin))"
> 5da7261e conn=1020 op=7 SRCH attr=uid uidNumber
> 5da7261e conn=1020 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text=
> 5da7261e conn=1022 fd=22 ACCEPT from IP=172.28.0.6:51814 (IP=0.0.0.0:389)
> 5da7261e conn=1022 op=0 BIND dn="cn=admin,dc=example,dc=org" method=128
> 5da7261e conn=1022 op=0 BIND dn="cn=admin,dc=example,dc=org" mech=SIMPLE ssf=0
> 5da7261e conn=1022 op=0 RESULT tag=97 err=0 text=
> 5da7261e conn=1022 op=1 SRCH base="cn=admin,dc=example,dc=org" scope=0 deref=0 filter="(objectClass=*)"
> 5da7261e conn=1022 op=1 SRCH attr=dn
> 5da7261e conn=1022 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> 5da7261e conn=1022 op=2 ABANDON msg=2
> 5da7261e conn=1022 op=3 UNBIND
> 5da7261e conn=1022 fd=22 closed
> 5da7261e conn=1020 op=8 SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=admin))"
> 5da7261e conn=1020 op=8 SRCH attr=shadowExpire shadowInactive shadowFlag shadowWarning shadowLastChange uid shadowMin shadowMax
> 5da7261e conn=1020 op=8 SEARCH RESULT tag=101 err=0 nentries=1 text=
> 5da7261e conn=1020 op=9 ABANDON msg=9
> 5da7261e conn=1020 op=10 SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=admin))"
> 5da7261e conn=1020 op=10 SRCH attr=uid uidNumber
> 5da7261e conn=1020 op=10 SEARCH RESULT tag=101 err=0 nentries=1 text=
> 5da7261e conn=1020 op=11 SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=admin))"
> 5da7261e conn=1020 op=11 SRCH attr=shadowExpire shadowInactive shadowFlag shadowWarning shadowLastChange uid shadowMin shadowMax
> 5da7261e conn=1020 op=11 SEARCH RESULT tag=101 err=0 nentries=1 text=
> 5da7261e conn=1020 op=12 ABANDON msg=12
>
> The nslcd log is:
> nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
> nslcd: [e87ccd] DEBUG: connection from pid=336 uid=888 gid=888
> nslcd: [e87ccd] <authc="admin"> DEBUG: nslcd_pam_authc("admin","mysqld","***")
> nslcd: [e87ccd] <authc="admin"> DEBUG: myldap_search(base="dc=example,dc=org", filter="(&(objectClass=posixAccount)(uid=admin))")
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_initialize(ldap://ldap)
> nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
> nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
> nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_rebind_proc()
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_simple_bind_s("cn=admin,dc=example,dc=org","***") (uri="ldap://ldap")
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_result(): cn=admin,dc=example,dc=org
> nslcd: [e87ccd] <authc="admin"> DEBUG: myldap_search(base="cn=admin,dc=example,dc=org", filter="(objectClass=*)")
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_initialize(ldap://ldap)
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_rebind_proc()
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_simple_bind_s("cn=admin,dc=example,dc=org","***") (uri="ldap://ldap")
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_result(): cn=admin,dc=example,dc=org
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_unbind()
> nslcd: [e87ccd] <authc="admin"> DEBUG: bind successful
> nslcd: [e87ccd] <authc="admin"> DEBUG: myldap_search(base="dc=example,dc=org", filter="(&(objectClass=shadowAccount)(uid=admin))")
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_result(): cn=admin,dc=example,dc=org
> nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
> nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
> nslcd: [1b58ba] DEBUG: connection from pid=336 uid=888 gid=888
> nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
> nslcd: [1b58ba] <authz="admin"> DEBUG: nslcd_pam_authz("admin","mysqld","","","")
> nslcd: [1b58ba] <authz="admin"> DEBUG: myldap_search(base="dc=example,dc=org", filter="(&(objectClass=posixAccount)(uid=admin))")
> nslcd: [1b58ba] <authz="admin"> DEBUG: ldap_result(): cn=admin,dc=example,dc=org
> nslcd: [1b58ba] <authz="admin"> DEBUG: myldap_search(base="dc=example,dc=org", filter="(&(objectClass=shadowAccount)(uid=admin))")
> nslcd: [1b58ba] <authz="admin"> DEBUG: ldap_result(): cn=admin,dc=example,dc=org
>
>
> Configuration files are:
> pg_hba.conf:
> local all all trust
> host all replication_user all trust
> host all all all pam pamservice=postgresql
Did you mistake pool_hba.conf for pg_hba.conf?
> pgpool.conf:
> ...
> # - Authentication -
> enable_pool_hba = on
> pool_passwd = ''
> #pool_passwd = 'pool_passwd'
> ...
Best Regards,
--
Takuma Hoshiai <hoshiai at sraoss.co.jp>
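An added triage helper, written for this page and not part of pgpool or of the thread: it sorts the pgpool log messages quoted above by authentication leg (client to pgpool via pool_hba.conf, or pgpool to PostgreSQL via pg_hba.conf) and cross-checks the pool_passwd setting from pgpool.conf, since the "password file descriptor is NULL" warning and the fix the poster found (adding the user to pool_passwd) both point at the backend leg. Message patterns and the sample input come from the thread; the check wording is the example's own.

```python
import re

# Message patterns copied from the pgpool log lines quoted in this thread.
_PAM_FAIL = re.compile(r"failed authentication against PAM")
_BACKEND_FAIL = re.compile(r"failed to authenticate with backend using (\w+)")
_NO_PASSWD_FILE = re.compile(r"password file descriptor is NULL")


def pool_passwd_setting(pgpool_conf: str) -> str:
    """Effective pool_passwd value; '' means the password file is disabled."""
    value = "pool_passwd"  # pgpool's default when the parameter is commented out
    for raw in pgpool_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, incl. '#pool_passwd = ...'
        m = re.match(r"pool_passwd\s*=\s*'([^']*)'", line)
        if m:
            value = m.group(1)
    return value


def triage(pgpool_log: str, pgpool_conf: str) -> dict:
    """Say which leg failed (client<->pgpool or pgpool<->postgresql) and what to check."""
    result = {"leg": None, "backend_method": None, "check": None}
    for line in pgpool_log.splitlines():
        if _PAM_FAIL.search(line):  # pgpool rejected the client: pool_hba.conf side
            result["leg"] = "client<->pgpool"
            result["check"] = "pool_hba.conf and the PAM service it names"
        m = _BACKEND_FAIL.search(line)
        if m:  # PostgreSQL rejected pgpool: pg_hba.conf side
            result["leg"] = "pgpool<->postgresql"
            result["backend_method"] = m.group(1)
            result["check"] = "pg_hba.conf on the backend"
    no_file = bool(_NO_PASSWD_FILE.search(pgpool_log))
    if result["leg"] == "pgpool<->postgresql" and (no_file or pool_passwd_setting(pgpool_conf) == ""):
        # Inference from the thread: PAM success on the front leg does not give pgpool the
        # password it must present to the backend; that has to come from pool_passwd.
        result["check"] = ("pool_passwd is disabled, so pgpool has no credential for the backend's "
                           "%s method; set pool_passwd and register the user" % result["backend_method"])
    return result


# Constructed sample input, assembled from the log and config fragments quoted above.
SAMPLE_LOG = """\
2019-10-16 14:29:37: pid 336: WARNING: unable to get password, password file descriptor is NULL
2019-10-16 14:29:37: pid 336: ERROR: failed to authenticate with backend using md5
2019-10-16 14:29:37: pid 336: DETAIL: valid password not found
"""
SAMPLE_CONF = """\
pool_passwd = ''
#pool_passwd = 'pool_passwd'
"""
```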