How to use PAM for auth

Hi,

I have been trying to get Wildfire (3.0.0) to use PAM for auth. I have been flailing around trying to figure out how this is done. So far, I have downloaded this “shaj” package and copied the shaj-0.5.jar and libshaj.so to wildfire/lib and added the following section to my wildfire.xml:

The error I get logging in to the admin interface is:

Login failed: make sure your username and password are correct and that you’re an admin or moderator.

And from connecting with my XMPP client (kopete v0.10.4)

The password was wrong; please re-enter your password for Jabber account archangel@dl.nibble.bz

My error.log shows:

wildfire/logs/error.log:2006.07.01 16:31:43 org.jivesoftware.wildfire.auth.NativeAuthProvider$1.error(NativeAuthProvider.java:98) Could not dlopen libpam.so with RTLD_NOW|RTLD_GLOBAL: libpam.so: cannot open shared object file: No such file or directory

I tried to copy the system libpam into wildfire/lib but that didn’t seem to help at all. Can someone please point me to where I can get enough info to get wildfire authenticating against PAM?

Thanks in advance!

System info:

wildfire 3.0.0 (from tar.gz)

Linux siona.dl.nibble.bz 2.6.15-1-k7 #2 Mon Mar 6 15:42:39 UTC 2006 i686 GNU/Linux

Debian Sarge (unstable)

java version “1.5.0_07”

Java™ 2 Runtime Environment, Standard Edition (build 1.5.0_07-b03)

Java HotSpot™ Client VM (build 1.5.0_07-b03, mixed mode, sharing)

Shaj 0.5

Okay, so I did

ln -s /lib/libpam.so.0 /lib/libpam.so

ldconfig

When I logged in to the admin interface, it seemed to work!

2006.07.01 17:21:47 pam_start (“wildfire”, “archangel”, …) ==> 0 (Success)

2006.07.01 17:21:47 PAM ECHO_OFF("(masked)") ==> password

2006.07.01 17:21:47 pam_authenticate (…) ==> 0 (Success)

2006.07.01 17:21:47 pam_setcred (…) ==> 0 (Success)

2006.07.01 17:21:47 pam_end (…) ==> 0 (Success)

2006.07.01 17:21:47 Automatically creating new user account for archangel

2006.07.01 17:22:23 pam_start (“wildfire”, “archangel”, …) ==> 0 (Success)

2006.07.01 17:22:23 PAM ECHO_OFF("(masked)") ==> password

2006.07.01 17:22:23 pam_authenticate (…) ==> 0 (Success)

2006.07.01 17:22:23 pam_setcred (…) ==> 0 (Success)

2006.07.01 17:22:23 pam_end (…) ==> 0 (Success)

However, when I tried to connect with a client (kopete still), it fails with the error from kopete given then the debug.log info:

The password was wrong; please re-enter your password for Jabber account archangel@dl.nibble.bz

2006.07.01 17:22:35 SSL Connect 1c87093[SSL_NULL_WITH_NULL_NULL: Socket[addr=/192.168.1.16,port=36135,localport=5223]]

2006.07.01 17:22:36 pam_start (“wildfire”, “archangel”, …) ==> 0 (Success)

2006.07.01 17:22:36 PAM ECHO_OFF("(masked)") ==> password

2006.07.01 17:22:37 pam_authenticate (…) ==> 9 (Authentication service cannot retrieve authentication info.)

2006.07.01 17:22:37 pam_end (…) ==> 0 (Success)

2006.07.01 17:22:38 Logging off dl.nibble.bz/a31dffc2 on org.jivesoftware.wildfire.net.SocketConnection@4b11e9 socket: 1c87093[SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA: Socket[addr=/192.168.1.16,port=36135,localport=5223]] session: org.jivesoftware.wildfire.ClientSession@54824 status: 1 address: dl.nibble.bz/a31dffc2 id: a31dffc2 presence:

Argh! Seems so close now! Why does it work from the admin interface, but not the xmpp client?

Did your client send something other than the password itself? If it uses any sort of hash (DIGEST, etc.) PAM will get confused and fail. Also, are you sure you are entering the right password? It’s always worth double checking.

Actually, I think it was a client problem. It started crashing and acting totally flaky so then I tried kopete on a different computer and it connected. I wiped all the kopete settings and now it seems to work here.

So I guess it works. It looks like I just got screwed by a broken client.

Given that I’m probably going to be installing this for several sites, I just want to clarify a couple questions:

Do I need both shaj.jar and libshaj.so?

Why does Wildfire look for libpam.so instead of the regular libpam.so.0 ? Or is that Shaj which does that anyhow?

Not ever having used it I can only make a few guesses:

Yes, both shaj.jar and libshaj.so are needed. The jar file is the java code which needs to call a native library, the .so file in this case.

As far as your issue with needing libpam.so, I’m not sure. Sounds like something is a bit screwy. You should be able to leave libpam.so.0 in /lib and the standard linker would find it. (Other PAM apps work, right?)

You can check to see if libshaj.so has the right symbols using ldd. Here is what I get:

$ ldd libshaj.so

libpam.so.0 => /lib/libpam.so.0 (0xa7eea000)

libdl.so.2 => /lib/tls/libdl.so.2 (0xa7ee6000)

libc.so.6 => /lib/tls/libc.so.6 (0xa7db1000)

/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x75555000)


If you don’t get that, I suspect either your ld setup is messed up (check /etc/ld.so.conf and the LD_LIBRARY_PATH env. var.) or your version of libshaj.so is messed up (re-download or re-compile).

I get basically the same thing:

% ldd wildfire/lib/libshaj.so

linux-gate.so.1 => (0xffffe000)

libpam.so.0 => /lib/libpam.so.0 (0xb7f5f000)

libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7f5b000)

libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7e23000)

/lib/ld-linux.so.2 (0x80000000)

However, if I remove the libpam.so link, then authentication fails. I’ve downloaded a fresh copy of Shaj and no change, so I assume then this is a bug with Shaj.
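Why both ldd listings above look healthy while login still fails without the symlink, as an added example that is not part of the thread or of Shaj: ldd reports the versioned name (libpam.so.0) recorded in libshaj.so at link time, whereas the error.log line shows a runtime dlopen of the literal name libpam.so, and a bare-name dlopen only succeeds if a file with exactly that name is on the search path. The `classify` and `demo` helpers and the temporary fixture directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): does a name passed to dlopen() exist
# as an exact file name in the given directories? The loader never falls
# back from "libpam.so" to "libpam.so.0" on its own.

# classify NAME DIR...   prints: exact | versioned-only | missing
classify() {
    name=$1; shift
    result=missing
    for dir in "$@"; do
        # -e follows symlinks, so a dangling libpam.so link does not count
        if [ -e "$dir/$name" ]; then
            echo exact
            return 0
        fi
        # Only versioned siblings (NAME.0, NAME.0.77, ...) are present
        for cand in "$dir/$name".*; do
            if [ -e "$cand" ]; then
                result=versioned-only
            fi
        done
    done
    echo "$result"
}

# demo: constructed fixture standing in for /lib on the poster's machine
demo() {
    fixture=$(mktemp -d) || return 1
    : > "$fixture/libpam.so.0"               # what the runtime package ships
    before=$(classify libpam.so "$fixture")
    ln -s libpam.so.0 "$fixture/libpam.so"   # the symlink made in the thread
    after=$(classify libpam.so "$fixture")
    rm -rf "$fixture"
    echo "$before -> $after"
}

# With arguments: check a real system, e.g.  sh script.sh libpam.so /lib /usr/lib
# Without arguments: run the constructed demo.
if [ $# -gt 0 ]; then
    classify "$@"
else
    demo
fi
```

On Debian the unversioned libpam.so link is normally shipped by the development package (libpam0g-dev), which gives a package-managed alternative to a hand-made symlink in /lib.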

How did you get wildfire to use “wildfire” as its service name? On my system it initializes “pam_start” with “other” as the service name.