use of pam and sql db simultaneously
Markus Krause
krause at biochem.mpg.de
Fri Dec 23 17:40:24 CET 2005
hello list,
i would like to authenticate users via pam and sql.
part of my radiusd.conf (freeradius 1.0.5 on sles 9) is:
+++++ part of radiusd.conf
instantiate {
}
authorize {
        preprocess
        files
        sql
        shorttermaccount
}
authenticate {
        pam
}
preacct {
        preprocess
        acct_unique
        files
}
accounting {
        detail
        radutmp
        sql
}
------- part of radiusd.conf
if i have the following line in /etc/raddb/users:
++++++ users
DEFAULT Auth-Type = PAM
        Fall-Through = Yes
------ users
users known by pam get access-accept, but those in sql don't, the debug output
says:
++++++ radiusd -XA
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32768, id=144, length=59
User-Name = "sqluser"
User-Password = "XXXXXX"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
users: Matched entry DEFAULT at line 3
modcall[authorize]: module "files" returns ok for request 0
radius_xlat: 'sqluser'
rlm_sql (sql): sql_set_user escaped user --> 'sqluser'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'sqluser' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'sqluser' ORDER BY id
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'sqluser' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'sqluser' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'sqluser' ORDER BY id'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'sqluser' ORDER BY id
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'sqluser' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'sqluser' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module "shorttermaccount" returns noop for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type PAM
auth: type "PAM"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: function pam_authenticate FAILED for <sqluser>. Reason: User not known
to the underlying authentication module
modcall[authenticate]: module "pam" returns reject for request 0
modcall: group authenticate returns reject for request 0
auth: Failed to validate the user.
Login incorrect: [sqluser] (from client localhost port 1)
Delaying request 0 for 1 seconds
Finished request 0
----- radiusd -XA
if i delete the line "DEFAULT Auth-Type = Pam" (and Fall-Through = Yes) the
users in sql get an access-accept answer.
what am i doing wrong here?
do these modules (rlm_pam and rlm_sql) exclude each other?
how can i use them simultaneously i.e. in parallel?
thanks in advance for any hints!
and merry x-mas everyone! :-)
regards,
markus
--
Markus Krause email: krause at biochem.mpg.de
Computing Center Tel.: 089 - 89 40 85 99
Group Lottspeich / Proteomics Fax.: 089 - 89 40 85 98
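An added example, not part of the original post and not FreeRADIUS code: a small Python helper that reads `radiusd -X` debug text in the format quoted above and reports which users-file entry matched, which Auth-Type was selected, and which module rejected the request. The function names are hypothetical, and the embedded sample is constructed from lines of the post's own debug output.

```python
import re

# Constructed sample: lines taken from the radiusd -XA output quoted in the post.
SAMPLE = """\
modcall[authorize]: module "preprocess" returns ok for request 0
users: Matched entry DEFAULT at line 3
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "sql" returns ok for request 0
modcall[authorize]: module "shorttermaccount" returns noop for request 0
rad_check_password: Found Auth-Type PAM
modcall[authenticate]: module "pam" returns reject for request 0
Login incorrect: [sqluser] (from client localhost port 1)
"""

MODCALL = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+) for request \d+')
USERS = re.compile(r'users: Matched entry (\S+) at line (\d+)')
AUTHTYPE = re.compile(r'rad_check_password:\s+Found Auth-Type (\S+)')


def trace_request(debug_text):
    """Collect per-section module results, users-file matches and the Auth-Type."""
    trace = {"sections": {}, "users_matches": [], "auth_type": None, "rejected_by": None}
    for line in debug_text.splitlines():
        if m := MODCALL.search(line):
            section, module, rcode = m.groups()
            trace["sections"].setdefault(section, []).append((module, rcode))
            # Remember only the first module that rejected the request.
            if rcode == "reject" and trace["rejected_by"] is None:
                trace["rejected_by"] = (section, module)
        elif m := USERS.search(line):
            trace["users_matches"].append((m.group(1), int(m.group(2))))
        elif m := AUTHTYPE.search(line):
            trace["auth_type"] = m.group(1)
    return trace


def summarize(trace):
    """Return a short, human-readable summary of the request's path."""
    out = [f"users entry {name} (line {num}) matched" for name, num in trace["users_matches"]]
    out.append(f"Auth-Type selected: {trace['auth_type']}")
    if trace["rejected_by"]:
        section, module = trace["rejected_by"]
        out.append(f'rejected by module "{module}" in section {section}')
    return out


if __name__ == "__main__":
    print("\n".join(summarize(trace_request(SAMPLE))))
```
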