Failed to map user PAM authentication

Hi All, I’m in the middle of a new installation and have just configured our system for PAM authentication. I’m able to get to the login screen and enter a user’s credentials, just username and password (no email). Then I get the following, which others have seen.

"Error – failed to map user (nortech)"

I’ve been doing some reading on the forums and it appears that many others have run across this issue and most have ended up using a different type of authentication procedure to get around the issue. I don’t have LDAP or any other authentication going on so I’m wondering what is the best way to proceed? Should I look at dex or something else or should I continue to try to set up PAM? Really just looking for guidance.

Currently my /var/log/httpd/error.log and access.log are empty. Thanks in advance, Kyle

If you have an LDAP, dex is a very good option. I would not consider PAM as it’s very insecure. Dex (OpenID Connect) is much more secure.

As to the actual failure you’re seeing - nortech doesn’t seem to be a system user. Is that a real user? Does id nortech return anything?

If we don’t have LDAP in the picture and we are just serving a couple users what would you suggest?

I can SSH in as the nortech user without issue.
$ id nortech
uid=1000(nortech) gid=1000(nortech) groups=1000(nortech)

Thanks

What version of ondemand are you running? We may have just patched an issue you’re running into in 2.0.23.

Also though - let’s see what your ood_portal.yml looks like (you can remove any secrets). Specifically I’m looking for user_map_match or user_map_cmd.

Depends on your tolerance for risk. The only issue here is how secure do you need to be? Basic apache auth is passing your credentials in the header of every request in plain text. But if you’re not worried about folks seeing that network traffic, then that’s your call.

I would say in this particular environment we aren’t concerned with the security issue. In other instances in the future we’ll probably have to introduce LDAP.

This is currently all I have in the ood_portal.yml. Thanks much, Kyle

auth:
  - 'AuthType Basic'
  - 'AuthName "Open OnDemand"'
  - 'AuthBasicProvider PAM'
  - 'AuthPAMService ood'
  - 'Require valid-user'
user_map_cmd: "/opt/ood/ood_auth_map/bin/ood_auth_map.regex"

Got it. I’ll bet this is the issue. We don’t ship this file in 2.0 anymore. You can comment that configuration and your issue should resolve. The default user_map_match should work out of the box for you.

Jeff, Beautiful! That did the trick. I appreciate the help, Kyle
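
The check behind the fix in this thread, as an added example that is not part of the original posts and not Open OnDemand's own code: it reads the active user_map_cmd from an ood_portal.yml and reports whether the script it names exists and is executable. The function names and the line-based parsing (a single user_map_cmd line with no trailing comment) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: detect a user_map_cmd that names a mapping script which is
# not present on the host (the cause of "failed to map user" in this thread).

# Print the active (uncommented) user_map_cmd value with quotes stripped.
# $1 = path to ood_portal.yml. Assumes one user_map_cmd line, no trailing comment.
get_user_map_cmd() {
    sed -n \
        -e '/^[[:space:]]*#/d' \
        -e 's/^[[:space:]]*user_map_cmd:[[:space:]]*//p' "$1" |
    head -n 1 |
    sed -e 's/[[:space:]]*$//' -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Return 0 when user_map_cmd is unset (user_map_match applies) or usable,
# 1 when it is set but the script is missing or not executable.
check_user_map_cmd() {
    cmd=$(get_user_map_cmd "$1")
    case "$cmd" in
        ''|null|'~')
            echo "user_map_cmd not set; user_map_match is used"
            return 0 ;;
    esac
    script=${cmd%% *}   # first word is the executable; arguments may follow
    if [ -x "$script" ]; then
        echo "user_map_cmd OK: $script"
        return 0
    fi
    echo "user_map_cmd names a missing or non-executable file: $script"
    return 1
}

# With an argument, check that file. Otherwise check a constructed sample
# modelled on the configuration posted in the thread.
if [ "$#" -gt 0 ]; then
    check_user_map_cmd "$1" || true
else
    sample=$(mktemp)
    printf '%s\n' 'auth:' "  - 'AuthType Basic'" \
        'user_map_cmd: "/opt/ood/ood_auth_map/bin/ood_auth_map.regex"' > "$sample"
    check_user_map_cmd "$sample" || true
    rm -f "$sample"
fi
```
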