Date: Thu, 27 Sep 2001 16:46:10 +0930
From: "Stavros Patiniotis" <sp@esc.net.au>
To: <freebsd-questions@freebsd.org>
Subject: PAM & mysql authentication
Message-ID: <003101c14724$490bf640$3700000a@private.esc.net.au>
Hello,

I am in the process of changing the way that several services on my network authenticate. In particular, I want all services to be authenticated by way of my username and password system that I have implemented using a database (mySQL). Basically, this means that POP, SMTP & FTP need to use this new password checking system. I have radius using external perl scripts which query the database to achieve authentication without issue.

Now I realise that PAM could be ideally suited to this. What sort of load can PAM handle, in terms of auth and account type requests? At an educated guess I have about 60 auth requests per minute, but probably double this during peak periods. I therefore need a solution that will scale from this, as it's only going to get busier.

I have found a PAM module (pam_mysql) which gets authentication information from mySQL. It was linux based, and I have edited it and got it to compile without issue. I also note that there is a perl module which I may investigate since my perl skills are much better than my C ones!

I made one substitution that I was not sure about:

    #include <alloca.h>

to

    #include "/usr/X11R6/include/X11/Xalloca.h"

Is this acceptable? This is on my private machine which has X loaded on it, however my actual mail server machine doesn't have this file. Any comments?

I'm using qpopper compiled with pam support to test this module, but I get the following errors, when trying to login via pop.

    unable to dlopen(/usr/lib/pam_mysql.so)
    unable to dlopen(/usr/lib/pam_mysql.so)
    [dlerror: Shared object "libmysqlclient.so.10" not found]
    [dlerror: Shared object "libmysqlclient.so.10" not found]
    adding faulty module: /usr/lib/pam_mysql.so
    adding faulty module: /usr/lib/pam_mysql.so

/usr/lib/pam_mysql.so has the same permissions as the other pam_* files.

Interestingly, an incorrect username will not cause the above error, access is still denied. Also the query doesn't get to the mysql server (in either case). It doesn't even try to connect to the server.

The software packages that I will use are Postfix, ProFtp, Cistron Radius, and Qpopper. I currently have FreeBSD 4.1 on my mail server and 3.1 on my private box, but will be upgrading soon.

Thanks.

Stavros.
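An added example, not part of the original message: a pre-deployment check that lists the shared libraries a PAM module needs but the runtime linker cannot resolve, which is the condition behind the dlerror lines quoted above. The function names (missing_libs, check_module, check_pam_dir) and the sample ldd output are constructed for illustration, and the sketch assumes ldd on the target system can inspect shared objects.

```shell
#!/bin/sh
# Added example (hypothetical helper names): find PAM modules whose
# shared-library dependencies do not resolve at load time.

# Read `ldd` output on stdin; print each library reported as unresolved.
# Matches both "lib => not found" and "lib => not found (0x0)".
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }' | sort -u
}

# Check one module. Prints "<module>: missing <lib>" per unresolved library.
# Returns 0 if all resolve, 1 if any are missing, 2 if the file is unreadable.
check_module() {
    mod=$1
    if [ ! -r "$mod" ]; then
        echo "$mod: not readable"
        return 2
    fi
    missing=$(ldd "$mod" 2>/dev/null | missing_libs)
    [ -z "$missing" ] && return 0
    for lib in $missing; do
        echo "$mod: missing $lib"
    done
    return 1
}

# Check every pam_*.so in a directory (default: /usr/lib, as in the message).
check_pam_dir() {
    dir=${1:-/usr/lib}
    rc=0
    for mod in "$dir"/pam_*.so; do
        [ -e "$mod" ] || continue
        check_module "$mod" || rc=1
    done
    return $rc
}

# Constructed sample of ldd output for a module in the state described above.
SAMPLE_LDD='/usr/lib/pam_mysql.so:
	libmysqlclient.so.10 => not found (0x0)
	libc.so.4 => /usr/lib/libc.so.4 (0x28065000)'
```

Running `check_pam_dir` as the same user the daemon runs as matters, because the linker search path and file permissions can differ between accounts.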
