How to use PAM for auth


I have been trying to get Wildfire (3.0.0) to use PAM for auth. I have been flailing around trying to figure out how this is done. So far, I have downloaded this “shaj” package and copied the shaj-0.5.jar and to wildfire/lib and added the following section to my wildfire.xml:

The error I get logging in to the admin interface is:

Login failed: make sure your username and password are correct and that you’re an admin or moderator.

And from connecting with my XMPP client (kopete v0.10.4)

The password was wrong; please re-enter your password for Jabber account

My error.log shows:

wildfire/logs/error.log:2006.07.01 16:31:43 org.jivesoftware.wildfire.auth.NativeAuthProvider$1.error(NativeAuthProvider.java:98) Could not dlopen with RTLD_NOW|RTLD_GLOBAL: cannot open shared object file: No such file or directory

I tried to copy the system libpam into wildfire/lib but that didn’t seem to help at all. Can someone please point me to where I can get enough info to get wildfire authenticating against PAM?

Thanks in advance!

System info:

wildfire 3.0.0 (from tar.gz)

Linux 2.6.15-1-k7 #2 Mon Mar 6 15:42:39 UTC 2006 i686 GNU/Linux

Debian Sarge (unstable)

java version “1.5.0_07”

Java™ 2 Runtime Environment, Standard Edition (build 1.5.0_07-b03)

Java HotSpot™ Client VM (build 1.5.0_07-b03, mixed mode, sharing)

Shaj 0.5

Okay, so I did

ln -s /lib/ /lib/


When I logged in to the admin interface, it seemed to work!

2006.07.01 17:21:47 pam_start (“wildfire”, “archangel”, …) ==> 0 (Success)

2006.07.01 17:21:47 PAM ECHO_OFF("(masked)") ==> password

2006.07.01 17:21:47 pam_authenticate (…) ==> 0 (Success)

2006.07.01 17:21:47 pam_setcred (…) ==> 0 (Success)

2006.07.01 17:21:47 pam_end (…) ==> 0 (Success)

2006.07.01 17:21:47 Automatically creating new user account for archangel

2006.07.01 17:22:23 pam_start (“wildfire”, “archangel”, …) ==> 0 (Success)

2006.07.01 17:22:23 PAM ECHO_OFF("(masked)") ==> password

2006.07.01 17:22:23 pam_authenticate (…) ==> 0 (Success)

2006.07.01 17:22:23 pam_setcred (…) ==> 0 (Success)

2006.07.01 17:22:23 pam_end (…) ==> 0 (Success)

However, when I tried to connect with a client (kopete still), it fails with the error from kopete given then the debug.log info:

The password was wrong; please re-enter your password for Jabber account

2006.07.01 17:22:35 SSL Connect 1c87093[SSL_NULL_WITH_NULL_NULL: Socket[addr=/,port=36135,localport=5223]]

2006.07.01 17:22:36 pam_start (“wildfire”, “archangel”, …) ==> 0 (Success)

2006.07.01 17:22:36 PAM ECHO_OFF("(masked)") ==> password

2006.07.01 17:22:37 pam_authenticate (…) ==> 9 (Authentication service cannot retrieve authentication info.)

2006.07.01 17:22:37 pam_end (…) ==> 0 (Success)

2006.07.01 17:22:38 Logging off on socket: 1c87093[SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA: Socket[addr=/,port=36135,localport=5223]] session: org.jivesoftware.wildfire.ClientSession@54824 status: 1 address: id: a31dffc2 presence:

Argh! Seems so close now! Why does it work from the admin interface, but not the xmpp client?

Did your client send something other than the password itself? If it uses any sort of hash (DIGEST, etc) pam will get confused and fail. Also, are you sure you are entering the right password? It's always worth double checking.

Actually, I think it was a client problem. It started crashing and acting totally flaky so then I tried kopete on a different computer and it connected. I wiped all the kopete settings and now it seems to work here.

So I guess it works. It looks like I just got screwed by a broken client.

Given that I’m probably going to be installing this for several sites, I just want to clarify a couple questions:

Do I need both shaj.jar and

Why does Wildfire look for instead of the regular ? Or is that Shaj which does that anyhow?

Not ever having used it I can only make a few guesses:

Yes, both shaj.jar and are needed. The jar file is the java code which needs to call a native library, the .so file in this case.

As far as your issue with needing I'm not sure. Sounds like something is a bit screwy. You should be able to leave in /lib and the standard linker would find it (Other pam apps work, right?)

You can check to see if has the right symbols using ldd. Here is what I get:

$ ldd => /lib/ (0xa7eea000) => /lib/tls/ (0xa7ee6000) => /lib/tls/ (0xa7db1000)

/lib/ => /lib/ (0x75555000)


If you don't get that, I suspect either your ld setup is messed up (check /etc/ and LD_LIBRARY_PATH env. var.) or your version of is messed up (re-download or re-compile)

I get basically the same thing:

% ldd wildfire/lib/ => (0xffffe000) => /lib/ (0xb7f5f000) => /lib/tls/i686/cmov/ (0xb7f5b000) => /lib/tls/i686/cmov/ (0xb7e23000)

/lib/ (0x80000000)

However, if I remove the link, then authentication fails. I’ve downloaded a fresh copy of Shaj and no change so I assume then this is a bug with Shaj.

How did you get wildfire to use “wildfire” as its service name? On my system it initializes “pam_start” with “other” as the service name.
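
Added example (not part of the thread, and not Wildfire or Shaj code): a small Python triage script for the pam_* trace lines quoted above, which separates a rejected password from a backend failure such as the return code 9 seen in the XMPP login attempt. The numeric meanings are Linux-PAM's; the sample lines are constructed from the thread's excerpts, the user "mallory" is made up, and the script assumes trace lines from different sessions are not interleaved.

```python
import re

# Linux-PAM return codes useful for triage (values from <security/_pam_types.h>).
PAM_MEANING = {
    None: "no pam_authenticate logged",
    7: "PAM_AUTH_ERR: credentials rejected",
    9: "PAM_AUTHINFO_UNAVAIL: backend could not read auth data",
    10: "PAM_USER_UNKNOWN: no such account",
}

# Matches e.g.: 2006.07.01 17:22:37 pam_authenticate (...) ==> 9 (...)
LINE = re.compile(r"^(\S+ \S+) (pam_\w+) \((.*?)\) ==> (\d+)")
# Forum rendering turned quotes and ellipses typographic; normalise them first.
QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2026": "..."})

def pam_transactions(lines):
    """Group trace lines into one record per pam_start call."""
    txns = []
    for raw in lines:
        m = LINE.match(raw.translate(QUOTES).strip())
        if not m:
            continue  # SSL connect lines, ECHO_OFF prompts, etc.
        ts, call, args, rc = m[1], m[2], m[3], int(m[4])
        if call == "pam_start":
            names = re.findall(r'"([^"]*)"', args) + [None, None]
            txns.append({"time": ts, "service": names[0],
                         "user": names[1], "auth_rc": None})
        elif call == "pam_authenticate" and txns:
            # Assumption: lines are sequential, so this belongs to the last start.
            txns[-1]["auth_rc"] = rc
    return txns

def failures(txns):
    """Return (time, service, user, meaning) for each non-successful attempt."""
    return [(t["time"], t["service"], t["user"],
             PAM_MEANING.get(t["auth_rc"], f"rc={t['auth_rc']}"))
            for t in txns if t["auth_rc"] != 0]

# Constructed sample modelled on the debug.log excerpts in the thread.
SAMPLE = """\
2006.07.01 17:21:47 pam_start (“wildfire”, “archangel”, …) ==> 0 (Success)
2006.07.01 17:21:47 PAM ECHO_OFF("(masked)") ==> password
2006.07.01 17:21:47 pam_authenticate (…) ==> 0 (Success)
2006.07.01 17:21:47 pam_end (…) ==> 0 (Success)
2006.07.01 17:22:36 pam_start (“wildfire”, “archangel”, …) ==> 0 (Success)
2006.07.01 17:22:37 pam_authenticate (…) ==> 9 (Authentication service cannot retrieve authentication info.)
2006.07.01 17:22:37 pam_end (…) ==> 0 (Success)
2006.07.01 17:23:05 pam_start ("other", "mallory", ...) ==> 0 (Success)
2006.07.01 17:23:06 pam_authenticate (...) ==> 7 (Authentication failure)
""".splitlines()
```

Calling `failures(pam_transactions(SAMPLE))` reports the 17:22:36 attempt as a backend failure rather than a bad password, even though the client displayed a wrong-password message.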