Netgate Discussion Forum

    Openpam_load_chain(): invalid service name

      alexxtasi

      Hi all,
      I am configuring an OpenVPN server to force users to authenticate via PAM, at an authentication server (in my case LinOTP).
      In pfSense's OpenVPN advanced configuration, I put the line:

      plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/common-linotp;
      

      (Without the use of this plugin, the OpenVPN connection works great.)

      The error in openvpn log file is:

      in openpam_load_chain(): invalid service name: /etc/pam.d/common-linotp
      

      (I must say that the OpenVPN configuration and also the PAM configuration are the same as tested on a CentOS machine, where they work fine…)

      Does this error (strange error to me...) indicate just a wrong PAM stack configuration on my side?
      Or are there some PAM restrictions on pfSense (FreeBSD) that I am missing?

      Thanks in advance

        alexxtasi

        Making more tests to find out what's wrong, I created a file /etc/pam.d/openvpn with the following:

        auth    [success=1 default=ignore]      /usr/local/lib/pam_linotp.so    debug   url=https://server_ip/validate/simplecheck nosslhostnameverify nosslcertverify
        #auth    requisite      pam_deny.so
        #auth    required       pam_permit.so
        account sufficient      pam_permit.so
        session sufficient      pam_permit.so
        

        I have already compiled pam_linotp on FreeBSD 8.3 so it'll run on pfSense 2.1.3, and the above settings work fine on CentOS (I suppose it should be ok).
        I also suppose that the module's compile process was correct.

        From the error I have:

        in openpam_load_chain(): invalid service name: /etc/pam.d/openvpn
        

        I found that "openpam_load_chain" comes from openpam's "openpam_configure.c"

        Can anyone help me on whether this error comes from:

        • wrong settings on my part?

        • the possibility that the PAM service cannot access the module or manage to load it?

        regards

          alexxtasi

          ok,
          I had to give it a try again and accidentally I found where my mistake was… :-[

          I just ported the stack from Linux to pfSense, without having in mind possible incompatibilities in PAM control flags.
          So "[success=1 default=ignore]" is not acceptable in pfSense and that caused my errors…

          I should close this...
          Thanks anyway

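A lint for the incompatibility identified in the last post, as an added example that is not part of the thread: it flags Linux-PAM-only control syntax in a pam.d-style policy before the file is copied to an OpenPAM system such as pfSense/FreeBSD, and also reports the two `nossl...` options from the posted stack. `lint_policy`, the finding codes and `FLAT_POLICY` are made up for this example; the reading of the two options as turning off TLS verification is an assumption based on their names.

```python
import re

# Control keywords OpenPAM accepts; Linux-PAM also takes [value=action ...] and "substack".
OPENPAM_CONTROLS = {"required", "requisite", "sufficient", "optional", "binding", "include"}
FACILITIES = {"auth", "account", "session", "password"}
# Options taken from the thread's pam_linotp line. Assumption: as their names
# say, they turn off TLS certificate / hostname checks toward the OTP server.
TLS_OFF = {"nosslcertverify", "nosslhostnameverify"}
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s*(.*)$")  # facility, control, rest

# The policy exactly as posted in the thread (written for Linux-PAM).
THREAD_POLICY = """\
auth    [success=1 default=ignore]      /usr/local/lib/pam_linotp.so    debug   url=https://server_ip/validate/simplecheck nosslhostnameverify nosslcertverify
#auth    requisite      pam_deny.so
#auth    required       pam_permit.so
account sufficient      pam_permit.so
session sufficient      pam_permit.so
"""
# Constructed for this example: plain control flags only, TLS checks left on.
FLAT_POLICY = """\
auth    required        /usr/local/lib/pam_linotp.so    url=https://server_ip/validate/simplecheck
account required        pam_permit.so
session required        pam_permit.so
"""

def lint_policy(text):
    """Return [(line_no, code, detail)] for a pam.d-style policy (no service column)."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append((no, "syntax", line))
            continue
        facility, control, rest = m.groups()
        if facility not in FACILITIES:
            findings.append((no, "unknown-facility", facility))
            continue
        if control.startswith("["):
            findings.append((no, "bracket-control", control))
        elif control not in OPENPAM_CONTROLS:
            findings.append((no, "unknown-control", control))
        # rest is the module path followed by its options
        findings += [(no, "tls-verify-off", o) for o in rest.split()[1:] if o in TLS_OFF]
    return findings

if __name__ == "__main__":
    print(lint_policy(THREAD_POLICY), lint_policy(FLAT_POLICY))
```

A `tls-verify-off` finding means the OTP check is sent to a server whose identity is not verified, so it is worth resolving separately from the control-flag port.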
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.