Date: Thu, 27 Sep 2001 16:46:10 +0930
From: "Stavros Patiniotis" <sp@esc.net.au>
To: <freebsd-questions@freebsd.org>
Subject: PAM & mysql authentication
Message-ID: <003101c14724$490bf640$3700000a@private.esc.net.au>
Hello,

I am in the process of changing the way that several services on my network authenticate. In particular, I want all services to be authenticated by way of my username and password system that I have implemented using a database (mySQL). Basically, this means that POP, SMTP & FTP need to use this new password checking system. I have radius using external perl scripts which query the database to achieve authentication without issue.

Now I realise that PAM could be ideally suited to this. What sort of load can PAM handle, in terms of auth and account type requests? At an educated guess I have about 60 auth requests per minute, but probably double this during peak periods. I therefore need a solution that will scale from this, as it's only going to get busier.

I have found a PAM module (pam_mysql) which gets authentication information from mySQL. It was Linux based, and I have edited it and got it to compile without issue. I also note that there is a perl module which I may investigate since my perl skills are much better than my C ones!

I made one substitution that I was not sure about:

    #include <alloca.h>

to

    #include "/usr/X11R6/include/X11/Xalloca.h"

Is this acceptable? This is on my private machine which has X loaded on it, however my actual mail server machine doesn't have this file. Any comments?

I'm using qpopper compiled with pam support to test this module, but I get the following errors when trying to login via pop.

    unable to dlopen(/usr/lib/pam_mysql.so)
    unable to dlopen(/usr/lib/pam_mysql.so)
    [dlerror: Shared object "libmysqlclient.so.10" not found]
    [dlerror: Shared object "libmysqlclient.so.10" not found]
    adding faulty module: /usr/lib/pam_mysql.so
    adding faulty module: /usr/lib/pam_mysql.so

/usr/lib/pam_mysql.so has the same permissions as the other pam_* files.

Interestingly, an incorrect username will not cause the above error, access is still denied. Also the query doesn't get to the mysql server (in either case). It doesn't even try to connect to the server.

The software packages that I will use are Postfix, ProFtp, Cistron Radius, and Qpopper. I currently have FreeBSD 4.1 on my mail server and 3.1 on my private box, but will be upgrading soon.

Thanks.

Stavros.
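Added example, not part of the original message and not code from pam_mysql or qpopper: a small pre-deployment check that loads a PAM module through the system dynamic loader and reports the loader's own error, which is where the "Shared object ... not found" text in the log above comes from. The helper names probe_pam_module and usable_for_auth are hypothetical; the entry-point names are the standard PAM service-module symbols.

```python
import ctypes
import os

# Standard PAM service-module entry points; a module exports the ones that
# match the facilities (auth, account, session, password) it implements.
PAM_ENTRY_POINTS = (
    "pam_sm_authenticate", "pam_sm_setcred", "pam_sm_acct_mgmt",
    "pam_sm_open_session", "pam_sm_close_session", "pam_sm_chauthtok",
)


def probe_pam_module(path):
    """Load `path` with dlopen() (via ctypes) and report what happened.

    Returns a dict with 'loaded' (bool), 'error' (loader message or None)
    and 'entry_points' (the PAM symbols the object exports).
    """
    result = {"path": path, "loaded": False, "error": None, "entry_points": []}
    if not os.path.isfile(path):
        result["error"] = "file not found"
        return result
    try:
        # RTLD_NOW resolves every symbol at load time, so an unresolved
        # reference or a missing dependent library fails here, not later.
        lib = ctypes.CDLL(path, mode=os.RTLD_NOW)
    except OSError as exc:
        # str(exc) carries the dynamic loader's message (the dlerror text).
        result["error"] = str(exc)
        return result
    result["loaded"] = True
    # ctypes raises AttributeError for a missing symbol, so hasattr() works.
    result["entry_points"] = [s for s in PAM_ENTRY_POINTS if hasattr(lib, s)]
    return result


def usable_for_auth(result):
    """True only if the object loaded and exports the auth entry point."""
    return result["loaded"] and "pam_sm_authenticate" in result["entry_points"]


if __name__ == "__main__":
    # Path taken from the message above; change it to the module under test.
    report = probe_pam_module("/usr/lib/pam_mysql.so")
    print(report)
    print("usable for auth:", usable_for_auth(report))
```

Running the check as the same user and environment as the PAM-enabled daemon matters, because the loader's library search path can differ between an interactive shell and a service.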