Openpam_load_chain(): invalid service name



  • Hi all,
    I am configuring an OpenVPN server to force users to authenticate via PAM against an authentication server (in my case LinOTP).
    In pfsense's openvpn advanced configuration, I put the line:

    plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/common-linotp;
    

    (without the use of this plugin, openvpn connection works great)

    The error in openvpn log file is:

    in openpam_load_chain(): invalid service name: /etc/pam.d/common-linotp
    

    (I must say that openvpn configuration and also pam configuration are the same, as tested on a centos machine and works fine…)

    Does this error (a strange error to me...) just indicate a wrong PAM stack configuration on my side?
    Or are there some PAM restrictions on pfSense (FreeBSD) that I am missing?

    thanks in advance



  • Making more tests to find out what's wrong, I created a file /etc/pam.d/openvpn with the following:

    auth    [success=1 default=ignore]      /usr/local/lib/pam_linotp.so    debug   url=https://server_ip/validate/simplecheck nosslhostnameverify nosslcertverify
    #auth    requisite      pam_deny.so
    #auth    required       pam_permit.so
    account sufficient      pam_permit.so
    session sufficient      pam_permit.so
    

    I have already compiled pam_linotp on freebsd-8.3 so it'll run on pfsense-2.1.3, and the above settings work fine on centos (I suppose it should be ok).
    I also suppose that the module's compile process was correct.

    From the error I have:

    in openpam_load_chain(): invalid service name: /etc/pam.d/openvpn
    

    I found that "openpam_load_chain" comes from openpam's "openpam_configure.c"

    Can anyone help me on whether this error comes from :

    • wrong settings on my part?

    • the possibility that the PAM service cannot access the module or manage to load it?

    regards



  • ok,
    I had to give it a try again and accidentally I found where my mistake was…  :-[

    I just ported the stack from linux to pfsense, without having in mind possible incompatibilities in pam control flags.
    So "[success=1 default=ignore]" is not acceptable in pfsense and that caused my errors…

    I should close this...
    thanks anyway
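
A pre-deployment check for the porting problem the last post describes, as an added example that is not part of the original thread: it scans a PAM stack for Linux-PAM bracket controls such as `[success=1 default=ignore]` before the file is copied to an OpenPAM system. The function name, the sample text (a constructed copy of the stack posted above) and the accepted keyword set (taken from FreeBSD's pam.conf(5)) are assumptions of this example.

```python
import re

# Assumption: control flags OpenPAM accepts, per FreeBSD pam.conf(5).
OPENPAM_CONTROLS = {"required", "requisite", "sufficient",
                    "binding", "optional", "include"}

# Constructed sample: the /etc/pam.d/openvpn stack quoted in the thread.
SAMPLE = """\
auth    [success=1 default=ignore]      /usr/local/lib/pam_linotp.so    debug   url=https://server_ip/validate/simplecheck nosslhostnameverify nosslcertverify
#auth    requisite      pam_deny.so
#auth    required       pam_permit.so
account sufficient      pam_permit.so
session sufficient      pam_permit.so
"""

# facility, control (one keyword or a whole [...] group), module
ENTRY_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def lint_pam_stack(text):
    """Return (line_no, message) for entries that will not port to OpenPAM."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            findings.append((no, "not in 'facility control module' form"))
            continue
        facility, control, module = m.groups()
        if control.startswith("["):
            findings.append((no, f"{facility}: Linux-PAM bracket control "
                                 f"{control} used with {module}"))
        elif control not in OPENPAM_CONTROLS:
            findings.append((no, f"{facility}: control '{control}' is not in "
                                 f"the OpenPAM keyword set"))
    return findings


if __name__ == "__main__":
    for no, msg in lint_pam_stack(SAMPLE):
        print(f"line {no}: {msg}")
```

Running the check on every ported stack before enabling the plugin catches an authentication rule that the target PAM implementation would reject.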