Eval OnDemand with local user and PAM auth

chris_taylor · February 10, 2021, 3:46am

I want to build a small evaluation OnDemand server with PAM authentication for a local user and possibly one in Kerberos. I installed the latest OnDemand on Centos7 and went through the install document, especially https://osc.github.io/ood-documentation/master/authentication/pam.html - all services started with no problem. I added this to /etc/ood/config/ood_portal.yml:

auth:
  - 'AuthType Basic'
  - 'AuthName "Open OnDemand"'
  - 'AuthBasicProvider PAM'
  - 'AuthPAMService ood'
  - 'Require valid-user'
# Capture system user name from authenticated user name
user_map_cmd: "/opt/ood/ood_auth_map/bin/ood_auth_map.regex"

I did a useradd ood and this works fine:

# /opt/ood/ood_auth_map/bin/ood_auth_map.regex ood
ood

I regenerated the apache config and restarted, but I get an error when I try to log into the web page. The login popup comes up and won’t let me log in. in httpd24/error.log I get:

[Wed Feb 10 02:56:07.335347 2021] [authnz_pam:warn] [pid 23546] [client 10.2.3.29:26304] PAM authentication failed for user ood: System error
[Wed Feb 10 02:56:07.337242 2021] [auth_basic:error] [pid 23546] [client 10.2.3.29:26304] AH01617: user ood: authentication failure for "/pun/sys/dashboard": Password Mismatch

This does the same thing for a shell local user on the VM that can authenticate with Kerberos. Please note, my ‘ood’ user and my Kerberos user can SSH in to the VM with PAM no problem by supplying the password.

I don’t see any more errors in the apache logs, what’s the best way to troubleshoot? Thanks

tdockendorf · February 10, 2021, 8:15pm

Do the contents of /etc/pam.d/ood match that of a valid PAM service that can authentication like /etc/pam.d/sshd ? Also you ran the necessary commands to change permissions on /etc/shadow that is necessary for Apache to read the file?

chris_taylor · February 10, 2021, 8:40pm

Thanks- yes, I ran the commands in the install docs to chmod 640 /etc/shadow
and chgrp apache /etc/shadow, and did a cp /etc/pam.d/sshd /etc/pam.d/ood.

I can SSH in fine as a local user (/etc/passwd and /etc/shadow) as well as a Kerberos user, so it seems like PAM authentication works okay in general on the system, maybe I’m missing something?

tdockendorf · February 10, 2021, 8:59pm

Do you run SELinux on the OnDemand host? That’s the only other thing I can think would cause issues. Also I think /var/log/secure or /var/log/messages maybe contain additional logging if there are other errors with PAM. The System error from your logs looks a lot like either SELinux blocking access or something broken with the PAM Apache module.

chris_taylor · February 13, 2021, 1:12am

I got PAM auth to work, I had ondemand-dex installed but disabled but it was still being picked up when I reconfigured the httpd24 conf file. I removed the ondemand-dex package and regenerated the apache conf and it works now.

Topic		Replies	Views
PAM user mapping Get Help question	9	659	August 13, 2022
Error -- failed to map user (ood) Get Help ondemand2	7	297	December 24, 2022
Failed to map user PAM authentication Get Help ondemand2	7	495	October 24, 2022
OOD basic installation Get Help question	18	1669	May 26, 2022
Testing OnDemand with SAML and mod_auth_mellon Get Help ondemand2 , question	11	299	December 20, 2022

Eval OnDemand with local user and PAM auth

Related Topics