Eval OnDemand with local user and PAM auth

I want to build a small evaluation OnDemand server with PAM authentication for a local user and possibly one in Kerberos. I installed the latest OnDemand on CentOS 7 and went through the install document, especially https://osc.github.io/ood-documentation/master/authentication/pam.html - all services started with no problem. I added this to /etc/ood/config/ood_portal.yml:

  - 'AuthType Basic'
  - 'AuthName "Open OnDemand"'
  - 'AuthBasicProvider PAM'
  - 'AuthPAMService ood'
  - 'Require valid-user'
# Capture system user name from authenticated user name
user_map_cmd: "/opt/ood/ood_auth_map/bin/ood_auth_map.regex"

I did a useradd ood and this works fine:

# /opt/ood/ood_auth_map/bin/ood_auth_map.regex ood

I regenerated the Apache config and restarted, but I get an error when I try to log into the web page. The login popup comes up and won’t let me log in. In httpd24/error.log I get:

[Wed Feb 10 02:56:07.335347 2021] [authnz_pam:warn] [pid 23546] [client] PAM authentication failed for user ood: System error
[Wed Feb 10 02:56:07.337242 2021] [auth_basic:error] [pid 23546] [client] AH01617: user ood: authentication failure for "/pun/sys/dashboard": Password Mismatch

This does the same thing for a shell local user on the VM that can authenticate with Kerberos. Please note, my ‘ood’ user and my Kerberos user can SSH in to the VM with PAM no problem by supplying the password.

I don’t see any more errors in the Apache logs. What’s the best way to troubleshoot? Thanks

Do the contents of /etc/pam.d/ood match those of a valid PAM service that can authenticate, like /etc/pam.d/sshd? Also, did you run the commands to change permissions on /etc/shadow that are necessary for Apache to read the file?

Thanks, yes, I ran the commands in the install docs to chmod 640 /etc/shadow and chgrp apache /etc/shadow, and did a cp /etc/pam.d/sshd /etc/pam.d/ood.

I can SSH in fine as a local user (/etc/passwd and /etc/shadow) as well as a Kerberos user, so it seems like PAM authentication works okay in general on the system, maybe I’m missing something?

Do you run SELinux on the OnDemand host? That’s the only other thing I can think of that would cause issues. Also, I think /var/log/secure or /var/log/messages may contain additional logging if there are other errors with PAM. The System error from your logs looks a lot like either SELinux blocking access or something broken with the PAM Apache module.

I got PAM auth to work. I had ondemand-dex installed but disabled, but it was still being picked up when I reconfigured the httpd24 conf file. I removed the ondemand-dex package and regenerated the Apache conf and it works now.
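
The checks raised across this thread, collected into one script as an added example (not part of any post above, and not Open OnDemand's own tooling). The function names are hypothetical, GNU `stat -c` is assumed, and the Apache error log path is supplied by the caller as the first argument.

```sh
#!/bin/sh
# Added example: diagnostics for the checks raised in the thread above.
# Function names are hypothetical; default paths are the ones named in the thread.

# A usable PAM service file needs at least one auth rule and one account rule.
check_pam_service() {
    f="${1:-/etc/pam.d/ood}"
    [ -r "$f" ] || { echo "FAIL $f: missing or unreadable"; return 1; }
    for kind in auth account; do
        grep -Eq "^[[:space:]]*-?${kind}[[:space:]]" "$f" ||
            { echo "FAIL $f: no '$kind' rule"; return 1; }
    done
    echo "OK $f"
}

# The thread's setup has Apache read /etc/shadow through group permissions
# (chmod 640, chgrp apache), so check the owning group and its read bit.
check_shadow_access() {
    f="${1:-/etc/shadow}"; want="${2:-apache}"
    mode=$(stat -c '%a' "$f") && group=$(stat -c '%G' "$f") ||
        { echo "FAIL $f: cannot stat"; return 1; }
    case "$mode" in
        *[4567]?) ;;   # second-to-last octal digit carries the group read bit
        *) echo "FAIL $f: mode $mode has no group read bit"; return 1 ;;
    esac
    [ "$group" = "$want" ] || { echo "FAIL $f: group is $group, not $want"; return 1; }
    echo "OK $f: mode $mode group $group"
}

# Summarise mod_authnz_pam failures in an Apache error log as "count user: reason".
pam_failure_reasons() {
    sed -n 's/.*PAM authentication failed for user \([^:]*\): \(.*\)$/\1: \2/p' "$1" |
        sort | uniq -c | sed 's/^ *//'
}

# Run every check; $1 is the Apache error log to scan.
report() {
    check_pam_service
    check_shadow_access
    command -v getenforce >/dev/null 2>&1 && echo "SELinux: $(getenforce)"
    command -v rpm >/dev/null 2>&1 && rpm -q ondemand-dex
    pam_failure_reasons "$1"
    return 0
}

if [ "$#" -gt 0 ]; then report "$1"; fi
```

A `System error` reason in the summary, with the PAM file and shadow checks passing, points at the remaining items the thread names: SELinux mode and a leftover ondemand-dex package.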