[pgpool-general: 6754] Re: PAM authentication error

Takuma Hoshiai hoshiai at sraoss.co.jp
Mon Oct 28 14:14:11 JST 2019


Hi,

On Wed, 16 Oct 2019 16:51:47 +0200
Rafael Rios Saavedra <rafael.rios.saavedra at gmail.com> wrote:

> Hi
>  I am trying to set up pgpool with LDAP authentication, but when I try to
> log in with a user I get this message:
>  # PGPASSWORD=admin psql -U admin -h localhost
> psql: ERROR:  failed to authenticate with backend using md5
> DETAIL:  valid password not found
> 
> In the LDAP server I can see the request from pgpool and none is returned
> with an error.
> 
> If I use a wrong password, I get the following error, which is right:
>  # PGPASSWORD=adm psql -U admin -h localhost
> psql: FATAL:  failed authentication against PAM
> DETAIL:  pam_authenticate failed: Authentication failure
> 
> I have added the user to the pool_passwd file, and then it works. It seems,
> that even when PAM authenticate the user pgpool still tries to re-validate
> the password against the pool_passwd file.
> 
> Am I missing something ? Do I need to set any other parameter ?
> If this is not the right place to post this questions, please point me to
> right place.

I think this problem is with the authentication between pgpool and PostgreSQL,
not the PAM authentication (between client and pgpool). So, please share your pg_hba.conf and pool_hba.conf.

And which pgpool version do you use?

> Thanks beforehand.
> 
> ----8<-------------------
> Logs messages:
> 
> The pgpool log is:
> 2019-10-16 14:29:37: pid 336: WARNING:  unable to get password, password file descriptor is NULL
> 2019-10-16 14:29:37: pid 336: ERROR:  failed to authenticate with backend using md5
> 2019-10-16 14:29:37: pid 336: DETAIL:  valid password not found
> 
> The ldap log is:
> 5da7261e conn=1020 op=7 SRCH base="dc=example,dc=org" scope=2 deref=0
> filter="(&(objectClass=posixAccount)(uid=admin))"
> 5da7261e conn=1020 op=7 SRCH attr=uid uidNumber
> 5da7261e conn=1020 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text=
> 5da7261e conn=1022 fd=22 ACCEPT from IP=172.28.0.6:51814 (IP=0.0.0.0:389)
> 5da7261e conn=1022 op=0 BIND dn="cn=admin,dc=example,dc=org" method=128
> 5da7261e conn=1022 op=0 BIND dn="cn=admin,dc=example,dc=org" mech=SIMPLE
> ssf=0
> 5da7261e conn=1022 op=0 RESULT tag=97 err=0 text=
> 5da7261e conn=1022 op=1 SRCH base="cn=admin,dc=example,dc=org" scope=0
> deref=0 filter="(objectClass=*)"
> 5da7261e conn=1022 op=1 SRCH attr=dn
> 5da7261e conn=1022 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> 5da7261e conn=1022 op=2 ABANDON msg=2
> 5da7261e conn=1022 op=3 UNBIND
> 5da7261e conn=1022 fd=22 closed
> 5da7261e conn=1020 op=8 SRCH base="dc=example,dc=org" scope=2 deref=0
> filter="(&(objectClass=shadowAccount)(uid=admin))"
> 5da7261e conn=1020 op=8 SRCH attr=shadowExpire shadowInactive shadowFlag
> shadowWarning shadowLastChange uid shadowMin shadowMax
> 5da7261e conn=1020 op=8 SEARCH RESULT tag=101 err=0 nentries=1 text=
> 5da7261e conn=1020 op=9 ABANDON msg=9
> 5da7261e conn=1020 op=10 SRCH base="dc=example,dc=org" scope=2 deref=0
> filter="(&(objectClass=posixAccount)(uid=admin))"
> 5da7261e conn=1020 op=10 SRCH attr=uid uidNumber
> 5da7261e conn=1020 op=10 SEARCH RESULT tag=101 err=0 nentries=1 text=
> 5da7261e conn=1020 op=11 SRCH base="dc=example,dc=org" scope=2 deref=0
> filter="(&(objectClass=shadowAccount)(uid=admin))"
> 5da7261e conn=1020 op=11 SRCH attr=shadowExpire shadowInactive shadowFlag
> shadowWarning shadowLastChange uid shadowMin shadowMax
> 5da7261e conn=1020 op=11 SEARCH RESULT tag=101 err=0 nentries=1 text=
> 5da7261e conn=1020 op=12 ABANDON msg=12
> 
> The nslcd log is:
> nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
> nslcd: [e87ccd] DEBUG: connection from pid=336 uid=888 gid=888
> nslcd: [e87ccd] <authc="admin"> DEBUG:
> nslcd_pam_authc("admin","mysqld","***")
> nslcd: [e87ccd] <authc="admin"> DEBUG:
> myldap_search(base="dc=example,dc=org",
> filter="(&(objectClass=posixAccount)(uid=admin))")
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_initialize(ldap://ldap)
> nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
> nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
> nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_rebind_proc()
> nslcd: [e87ccd] <authc="admin"> DEBUG:
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
> nslcd: [e87ccd] <authc="admin"> DEBUG:
> ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
> nslcd: [e87ccd] <authc="admin"> DEBUG:
> ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
> nslcd: [e87ccd] <authc="admin"> DEBUG:
> ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> nslcd: [e87ccd] <authc="admin"> DEBUG:
> ldap_simple_bind_s("cn=admin,dc=example,dc=org","***") (uri="ldap://ldap")
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_result():
> cn=admin,dc=example,dc=org
> nslcd: [e87ccd] <authc="admin"> DEBUG:
> myldap_search(base="cn=admin,dc=example,dc=org", filter="(objectClass=*)")
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_initialize(ldap://ldap)
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_rebind_proc()
> nslcd: [e87ccd] <authc="admin"> DEBUG:
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
> nslcd: [e87ccd] <authc="admin"> DEBUG:
> ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
> nslcd: [e87ccd] <authc="admin"> DEBUG:
> ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
> nslcd: [e87ccd] <authc="admin"> DEBUG:
> ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> nslcd: [e87ccd] <authc="admin"> DEBUG:
> ldap_simple_bind_s("cn=admin,dc=example,dc=org","***") (uri="ldap://ldap")
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_result():
> cn=admin,dc=example,dc=org
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_unbind()
> nslcd: [e87ccd] <authc="admin"> DEBUG: bind successful
> nslcd: [e87ccd] <authc="admin"> DEBUG:
> myldap_search(base="dc=example,dc=org",
> filter="(&(objectClass=shadowAccount)(uid=admin))")
> nslcd: [e87ccd] <authc="admin"> DEBUG: ldap_result():
> cn=admin,dc=example,dc=org
> nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
> nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
> nslcd: [1b58ba] DEBUG: connection from pid=336 uid=888 gid=888
> nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
> nslcd: [1b58ba] <authz="admin"> DEBUG:
> nslcd_pam_authz("admin","mysqld","","","")
> nslcd: [1b58ba] <authz="admin"> DEBUG:
> myldap_search(base="dc=example,dc=org",
> filter="(&(objectClass=posixAccount)(uid=admin))")
> nslcd: [1b58ba] <authz="admin"> DEBUG: ldap_result():
> cn=admin,dc=example,dc=org
> nslcd: [1b58ba] <authz="admin"> DEBUG:
> myldap_search(base="dc=example,dc=org",
> filter="(&(objectClass=shadowAccount)(uid=admin))")
> nslcd: [1b58ba] <authz="admin"> DEBUG: ldap_result():
> cn=admin,dc=example,dc=org
> 
> 
> Configuration files are:
> pg_hba.conf:
>  local    all             all                            trust
>  host     all             replication_user   all         trust
>  host     all             all                all         pam pamservice=postgresql

Did you mistake pool_hba.conf for pg_hba.conf?


> pgpool.conf:
> ...
>  # - Authentication -
> enable_pool_hba = on
> pool_passwd = ''
> #pool_passwd = 'pool_passwd'
> ...

Best Regards,

-- 
Takuma Hoshiai <hoshiai at sraoss.co.jp>
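The reply above points at the second hop: PAM only covers client-to-pgpool, while pgpool still has to answer the backend's md5 challenge, and with pool_passwd = '' it has no hash to answer with ("password file descriptor is NULL"). The following is an added example, not pgpool-II's own code, that re-implements PostgreSQL's md5 password scheme with hashlib so the exchange can be traced offline: it builds the line `pg_md5 --md5auth --username=<user> <password>` appends to pool_passwd, computes the challenge response from that stored hash, and shows the "valid password not found" path when the entry is missing. The user name "admin" is the one in the thread; the password, the salt and the simulated pg_authid table are constructed for the example.

```python
"""Why pgpool needs pool_passwd when the backend authenticates with md5.

Added example, not code from pgpool-II. It mirrors PostgreSQL's md5 password
scheme, which is what pool_passwd stores and what pgpool replays to the backend.
"""
import hashlib
import secrets

# Constructed sample credentials; only the user name comes from the thread.
USERNAME = "admin"
PASSWORD = "admin"
SALT = b"\x01\x02\x03\x04"  # a real backend sends a fresh random 4-byte salt


def md5_password_hash(username, password):
    # PostgreSQL keeps "md5" + hex(md5(password || username)) in pg_authid.
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def pool_passwd_entry(username, password):
    # The same "user:md5<hex>" line that pg_md5 --md5auth writes to pool_passwd.
    return f"{username}:{md5_password_hash(username, password)}"


def md5_auth_response(stored_hash, salt):
    # AuthenticationMD5Password reply: "md5" + hex(md5(hex_of_stored_hash || salt)).
    # Only the stored hash is needed, never the plaintext password, which is
    # why the hash itself is a reusable credential and pool_passwd must be
    # readable by the pgpool user only.
    if not (stored_hash.startswith("md5") and len(stored_hash) == 35):
        raise ValueError("not a PostgreSQL md5 password hash")
    return "md5" + hashlib.md5(stored_hash[3:].encode() + salt).hexdigest()


def lookup_pool_passwd(pool_passwd_text, username):
    # Minimal reader for the "user:hash" format; comments and blanks skipped.
    for line in pool_passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, stored = line.partition(":")
        if sep and user == username:
            return stored
    return None


def backend_md5_login(pool_passwd_text, username, backend_pg_authid, salt):
    """pgpool's side of backend md5 auth, answered from pool_passwd.

    backend_pg_authid is a constructed stand-in for the backend's role table.
    Returns (success, reason).
    """
    stored = lookup_pool_passwd(pool_passwd_text, username)
    if stored is None:
        # No entry (or, with pool_passwd = '', no file at all): this is the
        # "valid password not found" failure seen in the thread.
        return False, "valid password not found"
    response = md5_auth_response(stored, salt)
    expected = md5_auth_response(backend_pg_authid[username], salt)
    if secrets.compare_digest(response, expected):
        return True, "ok"
    return False, "password mismatch"


if __name__ == "__main__":
    backend = {USERNAME: md5_password_hash(USERNAME, PASSWORD)}
    print(backend_md5_login("", USERNAME, backend, SALT))
    entry = pool_passwd_entry(USERNAME, PASSWORD)
    print(entry)
    print(backend_md5_login(entry, USERNAME, backend, SALT))
```

Two caveats the example makes visible: the pool_passwd hash is enough on its own to log in to the backend, so protect the file like a private key (owner pgpool, mode 0600) and keep it off shared hosts; and PAM at the pgpool frontend means the client hands over its password in clear text inside the protocol, so that hop should run over SSL. This example covers only md5 entries; later pgpool releases also accept other entry formats in pool_passwd, which is outside what the thread shows.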


