[UFO Chicago] cyrus and pam_pgsql?

Peter A. Peterson II pedro@tastytronic.net
Tue, 4 Feb 2003 13:14:40 -0600

Hi all,

I'm trying to set up a postfix + cyrus + postgres + imp email server.

I want to do it with Debian "Harder Now, Easier Later" GNU\Linux, and
as it happens, the Debian package is compiled to use PAM instead of
SASL (the Cyrus default). I specifically DON'T want mail users to have
accounts on the mail server, and that's one of the advantages of
Cyrus. But I don't want to recompile it every time I want to upgrade it.

Thus, since it is compiled for PAM instead of SASL, I have to use
PAM for authentication... by default, it does the normal pam_unix
stuff and takes authentication info from passwd, etc. (or /etc/passwd,
as the case may be.) But then I thought... wow, how about using
something like pam_pgsql, and store my usernames and passwords in the
same database that IMP is using anyway! Solution!

So I got pam_pgsql (libpam-pgsql) installed and I configured the
pam-pgsql.conf and created a generic database of three users. Then I
edited the /etc/pam.d/cyrus file to reflect that I want to use
pam_pgsql.so for authentication instead of pam_unix... and then I
changed it to use /usr/sbin/pwcheck_pam via /etc/alternatives...

...but it's not working. The mail.log is saying PAM Authentication
Error, and it's no longer letting in mail users who have real accounts
and unix passwords (which it did before), which leads me to believe
that it's actually TRYING to use pam for authentication, but either:

a. I have pam_pgsql set up incorrectly, or
b. I have /etc/pam.d/cyrus set up incorrectly.

So, have any of you had experience with these packages? What about
pam? Is there some kind of magic I might need to do in pam.d/cyrus?
This is what I have:

[linuxmail(/etc/pam.d)] less cyrus
# PAM configuration file for Cyrus pwcheck
# If you want to use Cyrus in a setup where users don't have
# accounts on the local machine, you'll need to make sure
# you use something like pam_permit for account checking.

auth            required                pam_pgsql.so
account         required                pam_permit.so
password        required                pam_pgsql.so

I've also tried using just pam_pgsql for account, and that doesn't
seem to make a visible difference.

Is there a way you can think of to *test* pam_pgsql to see if it gets
a username and password properly? Then I'd at least know if it was
pam_pgsql or the glue between the systems.

Anyway, any ideas or advice would be appreciated.


Peter A. Peterson II, technician and musician.
---=[ http://tastytronic.net/~pedro/ ]=---
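
Added example (not part of the original post, and not code from Cyrus, Linux-PAM or pam_pgsql): a simplified offline model of how Linux-PAM walks the auth stack quoted above, showing that a user who exists only in /etc/passwd is rejected as soon as pam_pgsql.so is the sole "required" auth module, which matches the behaviour the post describes. The module outcomes are supplied by hand, and FALLBACK_CONFIG is a constructed comparison stack, not a configuration from the post.

```python
# Added example: a simplified, offline model of how Linux-PAM evaluates one stack.
# Only the keyword controls required/requisite/sufficient are modelled;
# "optional" and bracketed [value=action] controls are ignored.

PAGE_CONFIG = """\
# /etc/pam.d/cyrus as quoted in the post
auth            required                pam_pgsql.so
account         required                pam_permit.so
password        required                pam_pgsql.so
"""

# Constructed comparison stack (not from the post): database first, then local accounts.
FALLBACK_CONFIG = """\
auth            sufficient              pam_pgsql.so
auth            required                pam_unix.so
"""

def parse_stack(text, group):
    """Return [(control, module), ...] for one management group, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 3 and fields[0] == group:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, outcomes):
    """outcomes maps module -> True (PAM_SUCCESS) or False (any error).
    A module with no entry is treated as failing. Returns (granted, trace)."""
    required_failed, succeeded, trace = False, False, []
    for control, module in stack:
        ok = outcomes.get(module, False)
        trace.append(f"{module} [{control}] -> {'success' if ok else 'failure'}")
        if control == "requisite" and not ok:
            return False, trace              # fail immediately
        if control == "required" and not ok:
            required_failed = True           # fail, but keep running the stack
        if control == "sufficient" and ok and not required_failed:
            return True, trace               # success short-circuits the stack
        succeeded = succeeded or (ok and control in ("required", "requisite"))
    return (succeeded and not required_failed), trace

def decide(config, group, outcomes):
    """Convenience wrapper: parse one group's stack and return only the decision."""
    return evaluate(parse_stack(config, group), outcomes)[0]

if __name__ == "__main__":
    local_user = {"pam_pgsql.so": False, "pam_unix.so": True, "pam_permit.so": True}
    for name, cfg in (("page", PAGE_CONFIG), ("fallback", FALLBACK_CONFIG)):
        granted, trace = evaluate(parse_stack(cfg, "auth"), local_user)
        print(name, "auth for a local-only user:", granted, trace)
```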