I have written a simple auth script so that Webusers can type in their username and password and my PHP script verifies them by SASL.
The SASL Library is initialized by php function sasl_server_init("phpfoo"). So phpfoo.conf in /etc/sasl2/ is used.
phpfoo.conf:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
log_level: 9
So the SASL library now tries to connect to saslauthd process by socket. saslauthd command line looks like this:
/usr/sbin/saslauthd -r -V -a pam -n 5
So saslauthd uses PAM to authenticate.
In the php script I have created sasl connection by
sasl_server_new("php", null, "myRealm");
The first argument is the servicename. So PAM uses the file /etc/pam.d/php to see for further authentication information.
/etc/pam.d/php:
auth required pam_mysql.so try_first_pass=0 config_file=/etc/pam.d/mysqlconf.nss
account required pam_permit.so
session required pam_permit.so
mysqlconf.nss has all information that is needed for a useful MySQL Query to user table.
All of this works perfectly when I run the script by command line.
php ssasl.php
But when I call the same script via webbrowser(php apache module) I get an -20 return code (SASL_NOUSER).
In /var/log/messages there is
May 18 15:27:12 hostname httpd2-prefork: unable to open Berkeley db /etc/sasldb2: No such file or directory
I do not have anything with a Berkeley db for authentication with SASL. I think authentication using /etc/sasldb2 is the default setting. In my opinion it does not read my phpfoo.conf file. For some reason the php-apache-module ignores the parameter in sasl_server_init("phpfoo").
My first thought was that there is a permission issue. So back in shell:
su -s /bin/bash wwwrun
php ssasl.php
"Authentication successful". -> No file-permission issue.
In the source of the sasl-php-extension we can find:
PHP_FUNCTION(sasl_server_init)
{
char *name;
int name_len;
if (zend_parse_parameters(1 TSRMLS_CC, "s", &name, &name_len) == FAILURE) {
return;
}
if (sasl_server_init(NULL, name) != SASL_OK) {
RETURN_FALSE;
}
RETURN_TRUE;
}
This is a simple pass through of the string.
Are there any differences between the PHP CLI and PHP ApacheModule version that I am not aware of?
Anyway, there are some interesting log entries when I run PHP in CLI mode:
May 18 15:44:48 hostname php: SQL engine 'mysql' not supported
May 18 15:44:48 hostname php: auxpropfunc error no mechanism available
May 18 15:44:48 hostname php: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sqlite
May 18 15:44:48 hostname php: sql_select option missing
May 18 15:44:48 hostname php: auxpropfunc error no mechanism available
May 18 15:44:48 hostname php: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Those lines are followed by lines of saslauthd and PAM which results in authentication success.(I do not get any of them in ApacheModule mode)
Looks like that he is trying auxprop pwcheck before saslauthd. I have no other .conf file in /etc/sasl2.
When I change the parameter of sasl_server_init to something other then I get the same error in CLI mode as in ApacheModule mode.