Authenticate LDAP with iRODS


thiag...@gmail.com

Dec 28, 2013, 3:05:33 PM
to irod...@googlegroups.com
Hello guys,

I'm having trouble authenticating a user via LDAP in iRODS.
Users already authenticate using the PamAuthCheck binary:

operador@FIBRE-IFBA-ICAT:~/iRODS/server/bin$ ./PamAuthCheck thiago
xxxxxxxx
Authenticated

I enabled the PAM settings in the config file (../iRODS/config/config.mk):

PAM_AUTH = 1
ifdef PAM_AUTH
PAM_AUTH_CHECK_PROG = /home/operator/iRODS/server/bin/PamAuthCheck

What is missing for my LDAP user to authenticate to iRODS?
Settings: iRODS 3.3, Debian 7

I thank you for your attention,

Thiago

Wayne Schroeder

Jan 2, 2014, 12:54:10 PM
to irod...@googlegroups.com, thiag...@gmail.com
Hello,

That all looks fine, assuming the path doesn't have spaces in the actual define (/home/operator/iRODS/server/bin/PamAuthCheck).

If you haven't already, you might read through our PAM_Authentication page:
https://www.irods.org/index.php/PAM_Authentication
and two pages linked from there: 'PAM SSL Setup' and 'PAM/LDAP Authentication/Authorization' for more instructions on the setup.

After that, if you're still having trouble, you might check the server log file for error messages that might provide some clues and let us know what you find.

 - Wayne -

hclee...@gmail.com

Jun 2, 2014, 5:19:31 AM
to irod...@googlegroups.com, thiag...@gmail.com
Hello Wayne, Thiago,

This is Hong.  Recently, I started testing iRODS for our organization in the Netherlands.  For simplicity, we just installed the RPMs of iRODS 4.0 on a CentOS 6.5 server.  When configuring the PAM authentication with LDAP, we got stuck with an issue that looks to me similar to the original report of this discussion thread.  Therefore, I am reporting our issue here and asking for your advice.

After following the iRODS document and tweaking pam_ldap to work with Active Directory, I have managed to make PamAuthCheck work.  For instance, if I just run

===
/var/lib/irods/iRODS/server/bin/PamAuthCheck honlee
===

I got "Authenticated".  Therefore, I suppose the pam_ldap part should be properly configured.

However, if I do 'iinit' from the client using the same user id, I get the following error:

===
[-] libpam.cpp:246:pam_auth_client_request :  status [PAM_AUTH_PASSWORD_FAILED]  errno [] -- message [call to rcAuthRequest failed.]

 failed with error -993000 PAM_AUTH_PASSWORD_FAILED 
===

In the server log, I see the error
===
Jun  2 10:16:43 pid:17637 NOTICE: Agent process 26930 started for puser=honlee and cuser=honlee from xx.xx.xx.xx
Not Authenticated
Jun  2 10:16:47 pid:26930 ERROR:
[-]     iRODS/server/api/src/rsAuthPluginRequest.cpp:91:rsAuthPluginRequest :  status [PAM_AUTH_PASSWORD_FAILED]  errno [] -- message []
        [-]     libpam.cpp:419:pam_auth_agent_request :  status [PAM_AUTH_PASSWORD_FAILED]  errno [] -- message [pam auth check failed]

Jun  2 10:16:47 pid:26930 ERROR:
[-]     iRODS/server/core/src/rsApiHandler.cpp:483:readAndProcClientMsg :  status [SYS_HEADER_READ_LEN_ERR]  errno [] -- message []
        [-]     iRODS/lib/core/src/sockComm.cpp:196:readMsgHeader :  status [SYS_HEADER_READ_LEN_ERR]  errno [] -- message [failed to call 'read header']
                [-]     libtcp.cpp:240:tcp_read_msg_header :  status [SYS_HEADER_READ_LEN_ERR]  errno [] -- message [read 0 expected 4]
===

By requiring "pam_warn.so" in /etc/pam.d/irods, I can get the following message in /var/log/secure (exactly the same for both "PamAuthCheck" and "iinit")

===
Jun  2 10:52:23 pl-squid PamAuthCheck: pam_warn(irods:auth): function=[pam_sm_authenticate] service=[irods] terminal=[<unknown>] user=[honlee] ruser=[<unknown>] rhost=[<unknown>]
===

Thanks in advance for any good suggestions!

Hong

On Thursday, January 2, 2014 at 6:54:10 PM UTC+1, Wayne Schroeder wrote:

Wayne Schroeder

Jun 2, 2014, 4:41:28 PM
to irod...@googlegroups.com, thiag...@gmail.com
Hello Hong,

The PAM_AUTH_PASSWORD_FAILED error indicates that the PamAuthCheck process exited with an error code that means that the authentication failed.  So if things are working right, that would mean that the password is incorrect.  Since you're able to run the PamAuthCheck process by hand OK, that part seems to be working fine, so you might want to verify that the input arguments to runPamAuthCheck are getting there OK.  For that, you might add a sleep and attach the debugger or add some logging information (but I'm not sure which would be easiest in 4.0.x).  Another approach would be to modify the PamAuthCheck program to sleep at the start so you can attach the debugger and then verify the arguments (or you could add logging to it, but then you'd need to remove that promptly as it would be logging passwords).

 - Wayne -

Hurng-Chun LEE

Jun 2, 2014, 5:53:12 PM
to irod...@googlegroups.com, thiag...@gmail.com
Hi Wayne,

Thanks a lot for the hint.  I made a "fake" PamAuthCheck to simply print out the uid/password received from the iRODS server, and it turns out that a special character ';' at the end of my password is somehow removed.  Does it mean that some special characters cannot be used as part of the password?

My fake PamAuthCheck:
===
#!/bin/bash
# Debug stand-in for PamAuthCheck: records the arguments and the password
# the iRODS server hands it. It writes the password in clear text to /tmp
# and exits 0 (i.e. "Authenticated") for any input, so it is for debugging
# only and should be removed as soon as the check is done.
echo "$*" > /tmp/debug.irod 2>&1
# -r keeps backslashes, IFS= keeps leading/trailing whitespace in the password
IFS= read -r passwd
# printf rather than echo, so a password beginning with '-' is not taken as an option
printf '%s\n' "$passwd" >> /tmp/debug.irod 2>&1
===

Cheers, Hong

On Monday, June 2, 2014 at 10:41:28 PM UTC+2, Wayne Schroeder wrote:

Wayne Schroeder

Jun 2, 2014, 6:41:45 PM
to irod...@googlegroups.com, thiag...@gmail.com
I'm glad you were able to find it!  Interesting.

It's probably something with a shell involved in handling the spawned process that somehow is taking the ';' as a special character.  We may have to look for it and quote it in some of the spawning code.  Since that's a problem, the '|' character may be a problem too.  I'll try to look into it sometime but since this will go into a version post 4.0.1 and is unrelated to DFC (which funds my time) someone in the RENCI group may need to check into it too.  But I'm glad you were able to find what it was.  I expect that most special characters will be fine.

 - Wayne -
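The mechanism Wayne suspects above, as an added example that is not part of the thread and not iRODS code: a constructed stand-in helper (not PamAuthCheck, whose real invocation is not shown here) is spawned three ways, and the script records what password the child actually received. The helper script, the user id "honlee" borrowed from the thread, and the sample passwords are all assumptions made for the demonstration; the interesting cases are a trailing ';', a '$' and a space.

```python
"""Added example (my own Python, not iRODS code): how a shell in the
process-spawning path silently alters a password containing shell
metacharacters, and two ways to hand the secret over intact.

The helper below is a constructed stand-in for a PAM check program, not
PamAuthCheck itself. Like PamAuthCheck it can read the password from
stdin; for the demonstration it also accepts it as a second argument.
"""
import os
import shlex
import subprocess
import tempfile

# Constructed helper script: prints exactly the password it received.
HELPER_SRC = r"""#!/bin/sh
# $1 = user id; password from $2 if present, otherwise from stdin.
if [ "$#" -ge 2 ]; then
    pw=$2
else
    IFS= read -r pw
fi
printf '%s\n' "$pw"
"""


def write_helper(directory):
    """Write the stand-in helper into a temp dir and return its path."""
    path = os.path.join(directory, "fakecheck.sh")
    with open(path, "w") as fh:
        fh.write(HELPER_SRC)
    return path


def _run(cmd, shell, stdin_text=None):
    # The helper is started through "sh <path>" so it runs even where the
    # temp directory is mounted noexec.
    proc = subprocess.run(cmd, shell=shell, input=stdin_text,
                          capture_output=True, text=True)
    return proc.stdout.rstrip("\n")


def via_shell_unquoted(helper, user, password):
    # Weak: the password is interpolated into a command line that /bin/sh
    # parses, so ';', '$', spaces and the like are interpreted, not passed.
    return _run("sh %s %s %s" % (helper, user, password), shell=True)


def via_shell_quoted(helper, user, password):
    # Better: every argument is quoted for the shell (the "quote it" fix),
    # although the secret is still visible on the command line.
    cmd = "sh %s %s %s" % (shlex.quote(helper), shlex.quote(user),
                            shlex.quote(password))
    return _run(cmd, shell=True)


def via_argv_stdin(helper, user, password):
    # Preferred: no shell at all. argv is a list and the secret travels over
    # a pipe to the child's stdin, so no character is special and the
    # password never appears in a command line or process listing.
    return _run(["sh", helper, user], shell=False,
                stdin_text=password + "\n")


# Constructed sample passwords: trailing ';', a '$', and a space.
SAMPLES = ["hunter2;", "pa$sword", "two words"]


def run_cases():
    """Return {method: {password sent: password the helper actually saw}}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        helper = write_helper(tmp)
        for name, fn in (("unquoted", via_shell_unquoted),
                         ("quoted", via_shell_quoted),
                         ("argv_stdin", via_argv_stdin)):
            results[name] = {pw: fn(helper, "honlee", pw) for pw in SAMPLES}
    return results


if __name__ == "__main__":
    for method, seen in run_cases().items():
        for pw, got in seen.items():
            mark = "ok  " if got == pw else "LOST"
            print("%s %-10s sent %-12r got %r" % (mark, method, pw, got))
```

With the unquoted command line, "hunter2;" arrives as "hunter2" (the ';' is just a command terminator to the shell), "pa$sword" arrives as "pa" (an unset variable expands to nothing) and "two words" arrives as "two"; both the quoted and the argv-plus-stdin forms deliver every sample unchanged. The stdin form is the one to prefer for a secret: it removes the shell from the path entirely and keeps the password out of the process list.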