Reinstallation - PAM authentication not working - RHEL 8.5

Hello,
Doing another installation of OOD, following my previous installations.
I am trying to authenticate using PAM. Followed the instructions at:
Add PAM Authentication — Open OnDemand 2.0.20 documentation

However, whenever I try to login, I only get back to the login screen.
I tried ood@localhost, as well as other users (myself) that work fine with SSH on that box.

Whenever I enter the username by itself, it tells me “Failed to map user”, which is expected.

I’m sure I’m missing a small critical piece of this process.
The Apache module is installed as mod_authnz_pam.
And the HTTP service gives me error messages like this:
Jun 01 11:12:58 log01 httpd[109384]: pam_unix(ood:auth): check pass; user unknown
Jun 01 11:12:58 log01 httpd[109384]: pam_unix(ood:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=10.17.0.186

Does it think that the ood user is UID 48? It isn’t. What am I missing?

Hi Equiros.

Thanks for the post.

I have some good news for you on this one. It appears I have a discourse topic that will answer this question for you.

It is a fairly long back and forth. If you look toward the bottom of the topic, you will find what I believe will be your answer.

If that topic does not fix the issue, please let us know.

Thanks,
-gerald

Hello Again,
Thanks for that info. The actual issue I am experiencing is that authentication is not working at all for the moment. For now, I am trying to log in as the default ood user. This user has no SSH password set in the system, but the ood user exists. I try to log into the newly created system as “ood@localhost” with the default “password” as the pw, but I just get returned to the login screen. Not sure what I could be missing.

Hi Equiros.

Sorry for the late response here. I’m going to have to look into it. I’m not sure what might be going on off the top of my head.

Thanks,
-gerald

Thanks Gerald,
I notice that the error message says unknown user with UID 48, which happens to be the UID of Apache. Not sure why it is not using the UID of the login user.

In trying to replicate the install process, I started fresh on a new RHEL 8 system.
These are the steps I have taken. It currently produces an internal server error (500).

I know we’ve solved this before, I just don’t remember what was done.
This is what I did on the new system, following the instructions line by line.

Enable the modules and install the packages
yum module enable ruby:2.7
yum module enable nodejs:12
yum install ondemand ondemand-dex

Add OOD user
groupadd ood
useradd -d /home/ood -g ood -k /etc/skel -m ood

Start Services and update ood portal
systemctl start ondemand-dex
systemctl start httpd
/opt/ood/ood-portal-generator/sbin/update_ood_portal

This is BEFORE trying to configure PAM for authentication.
If I add the PAM configuration and reload the portal,
I get a login screen, but cannot authenticate.
Just looking to allow the ood user to login to the dashboard for now.
I’m sure I’m missing something, just don’t know what it could be.

The internal error is usually related to the hostname being different than the host in your url. The log files should give you the exact error.

As for the authentication issue. I’m not sure. It may be necessary to try a screen share and see if we can figure it out. Are you willing to do that?

On the test system, the hostname is the same as the server name
Ok, on the login node, it’s a bit different, because I wanted to use the IB hostname.

A screen share would be great.
Can we schedule something for tomorrow?

Hi Al.

I am able to recreate the issue you are having. I will look into it tonight, but just a reminder, I will not be back in the office until Monday most likely.

Hey Al.

I have it fixed via work-around. I should have the problem solved shortly. Hopefully. :slight_smile:

It appears that update_ood_portal is not updating this specific entry in the related apache configuration file.

To work around this, you can do the following:

vi /etc/httpd/conf.d/ood-portal.conf

search for the entry
SetEnv OOD_USER_MAP_MATCH "^([^@]+)@.*$"

replace entry with
SetEnv OOD_USER_MAP_MATCH ".*"

then restart apache with the following command:
sudo systemctl try-restart httpd.service htcacheclean.service

Again, this is just a work-around to get you going. When I’m back in the office, I will continue to search for a solid solution for you.

thanks,
-gerald
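The two-stage behaviour this thread runs into (PAM checks the login name exactly as typed, then OOD_USER_MAP_MATCH maps the authenticated name to a local account) is modelled in the added Python example below. It is not part of the thread or of Open OnDemand's own code: the mapping rule (capture group 1 if present, otherwise the whole match) and the local account set are assumptions made for illustration.

```python
import re
from typing import Optional

# Hypothetical re-implementation of the user-mapping step discussed above
# (not Open OnDemand's own ood_auth_map code). Assumption: group 1 is the
# mapped user when the pattern has a capture group, else the whole match.
DEFAULT_MATCH = r"^([^@]+)@.*$"   # entry update_ood_portal left in place
WORKAROUND_MATCH = r".*"          # entry from the work-around in the thread

# Constructed stand-in for the local account database PAM would consult.
LOCAL_USERS = {"ood", "al"}


def pam_authenticates(typed_name: str) -> bool:
    """PAM receives the name as typed; 'ood@localhost' is not a local
    account, which is what 'check pass; user unknown' in the log means."""
    return typed_name in LOCAL_USERS


def map_user(typed_name: str, pattern: str) -> Optional[str]:
    """Apply OOD_USER_MAP_MATCH; None models 'Failed to map user'."""
    m = re.match(pattern, typed_name)
    if not m:
        return None
    return m.group(1) if m.groups() else m.group(0)


def login(typed_name: str, pattern: str) -> str:
    """Outcome of one login attempt for a given map pattern."""
    if not pam_authenticates(typed_name):
        return "pam: user unknown"       # user is bounced to the login screen
    mapped = map_user(typed_name, pattern)
    if mapped is None:
        return "Failed to map user"
    return f"mapped to {mapped}"


if __name__ == "__main__":
    for name in ("ood@localhost", "ood"):
        for label, pat in (("default", DEFAULT_MATCH), ("workaround", WORKAROUND_MATCH)):
            print(f"{label:10} {name:15} -> {login(name, pat)}")
```

With the default pattern neither form of the name gets through: the "@localhost" form is unknown to PAM, and the bare form authenticates but fails the mapping step; the ".*" work-around passes the PAM-verified bare name through unchanged.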

There is different behaviour when you have ondemand-dex installed. You have it installed, so we assumed you’re using it and do a few things automatically.

Remove ondemand-dex RPM and we’ll stop making that assumption.

That said - we’re dropping support for PAM because it is so very incredibly insecure. Dex is a very good option if you have an LDAP to connect to.

Hi Jeff,
PAM is a temporary solution while we implement our Identity Management solution.

@jeff.ohrstrom

Thanks for the help there. Is that documented in the current documentation and I just missed it?

Thanks,
-gerald

Thanks to Jeff and Gerald, we are able to authenticate again.
Yes, we are still using PAM for this proof of concept. :fearful:
However, once our IdM system is up we will switch to LDAP.

Thank you Both !

Hey Al.

Don’t worry. LDAP is much easier to set up.