PAM user mapping

Trying to use the Open OnDemand PAM instructions here…
PAM Authentication

I get the famous error message:
Error – failed to map user (testuser1)

In the docs it has a reference to a regex user map.
/opt/ood/ood_auth_map/bin/ood_auth_map.regex

I’m looking at the docs for user mapping:
Setup User Mapping

Still getting the failed to map user error
I don’t really understand the user mapping.

I added the PAM configuration to the portal config

auth:
  - 'AuthType Basic'
  - 'AuthName "Open OnDemand"'
  - 'AuthBasicProvider PAM'
  - 'AuthPAMService ood'
  - 'Require valid-user'
# Capture system user name from authenticated user name
user_map_cmd: "/opt/ood/ood_auth_map/bin/ood_auth_map.regex"

I created the executable regex at

/opt/ood/ood_auth_map/bin/ood_auth_map.regex

With this content:

#!/bin/bash

REX="([^@]+)@localhost"
INPUT_USER="$1"

if [[ $INPUT_USER =~ $REX ]]; then
  MATCH="${BASH_REMATCH[1]}"
  echo "$MATCH" | tr '[:upper:]' '[:lower:]'
else
  # can't write to standard out or error, so let's use syslog
  logger -t 'ood-mapping' "cannot map $INPUT_USER"

  # and exit 1
  exit 1
fi

I am trying to use PAM as the authentication for OnDemand.

Could I just have a simple list of key-value pairs for the static user mapping?
What could I be missing?

Hi Equiros.

Thanks for posting.

I will look into this.

Thanks,
-gerald

Thanks Gerald, Sorry about the basic question.
I just need a simple user list for a proof of concept.
That is why I chose PAM as the authentication.
These are test users that only exist locally.

I am following the docs for PAM authentication.
I just have 3 or 4 test users for this environment.

I added the mod_authnz_pam package,
and have passwords assigned to all my local users.

I added the PAM config shown above, and
updated the portal, restarted ondemand-dex and httpd.

I just want a simple user list for this POC.
How can I do that?

It’s no problem. Trust me, the mapping piece is somewhat difficult. I’m working on another issue that was submitted, so I’ll get to yours as soon as I am finished with that one.

Thanks for your patience,
-gerald

I’ve never tried using PAM integration, but I have been successful in using Apache Authentication.

I’m just trying to work around our lack of identity management for our Linux systems.
We use AD for most things here, but LOCAL ACCOUNTS for Linux.
We have started a project to add centralized Linux authentication, but no working system yet.

So, I have this Proof of Concept HPC, with local accounts. That is why I just need PAM.
It is the simplest to use without adding additional external resources.

I am using the ood_auth_map.regex shown above. I have test users listed in
/etc/passwd and in /etc/shadow. I have allowed apache user to read /etc/shadow.

When I log in as testuser1@localhost, I simply get redirected back to the login screen,
as if the password was not accepted. The log says that too.

When I log in as testuser1 (without the localhost), I get the message
Error – failed to map user (testuser1)
As if the password was accepted, but the user not mapped.

Okay, I got it working with this regex script:

#!/bin/bash

REX="([^@]+)"
INPUT_USER="$1"

if [[ $INPUT_USER =~ $REX ]]; then
  MATCH="${BASH_REMATCH[1]}"
  echo "$MATCH" | tr '[:upper:]' '[:lower:]'
else
  # can't write to standard out or error, so let's use syslog
  logger -t 'ood-mapping' "cannot map $INPUT_USER"

  # and exit 1
  exit 1
fi

It looked like the regex was ignoring the part after the @, so I removed that part.
My test users are now able to get to the dashboard. Thanks for your help!
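
The static key-value list asked about earlier in this thread, as an added example that is not part of the original posts or of Open OnDemand's own code. Unlike the unanchored `([^@]+)` pattern, which matches the first run of non-@ characters anywhere in the input, it validates the whole login and then maps only names present in an allow-list. The `MAP_FILE` path and its `login:local_user` format are assumptions.

```shell
#!/bin/bash
# Added example: static allow-list mapper for user_map_cmd (hypothetical script).
# Assumed map file format, one pair per line:   login:local_user
MAP_FILE="${MAP_FILE:-/etc/ood/config/static_user_map}"   # assumed path

# Print the local user for login "$1"; return non-zero if it must not be mapped.
map_user() (
  LC_ALL=C; export LC_ALL   # byte-wise character ranges, no locale surprises
  login=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')

  # case patterns match the whole string, so this check is anchored:
  # empty input, a bad first character, or any character outside the set
  # (including "@") rejects the login outright.
  case $login in
    ''|[!a-z_]*|*[!a-z0-9_-]*) exit 1 ;;
  esac

  # Exact comparison on the first field; comment lines can never equal a
  # validated login. A missing file or missing entry both exit non-zero.
  awk -F: -v k="$login" '
    $1 == k && $2 != "" { print $2; ok = 1; exit }
    END { exit !ok }
  ' "$MAP_FILE" 2>/dev/null
)

# Called with the authenticated name as $1, as the scripts above are.
if [ "$#" -gt 0 ]; then
  map_user "$1" || {
    # Same failure path as the regex script: log to syslog and exit 1
    logger -t 'ood-mapping' "cannot map $1"
    exit 1
  }
fi
```

Point `user_map_cmd` at this script in place of the regex script; any login that is not listed in the map file fails to map.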

I just saw your response here. I looked here because I came to the exact same conclusion. Remove the @osc.edu completely.

Thanks man.

Glad it’s working!

-gerald
