Openpam_load_chain(): invalid service name
I am configuring openvpn server to force users to authenticate via pam, at an authentication server (my case linotp).
In pfsense's openvpn advanced configuration, I put the line:
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/common-linotp;
(without the use of this plugin, openvpn connection works great)
The error in openvpn log file is:
in openpam_load_chain(): invalid service name: /etc/pam.d/common-linotp
(I must say that openvpn configuration and also pam configuration are the same, as tested on a centos machine and works fine…)
does this error (strange error to me...) indicate just a wrong pam stuck configuration on my side?
or there are some pam restrictions on pfsense (freebsd) that I am missing?
thanks in advance
Making more tests to find out what's wrong, I created a file /etc/pam.d/openvpn with the following:
auth [success=1 default=ignore] /usr/local/lib/pam_linotp.so debug url=https://server_ip/validate/simplecheck nosslhostnameverify nosslcertverify #auth requisite pam_deny.so #auth required pam_permit.so account sufficient pam_permit.so session sufficient pam_permit.so
I have already compiled pam_linotp on freebsd-8.3 so it'll run on pfsense-2.1.3 and the above settings works fine on centos (I suppose it should be ok).
I also suppose that the module's compile process was correct.
From the error I have:
in openpam_load_chain(): invalid service name: /etc/pam.d/openvpn
I found that "openpam_load_chain" comes from openpam's "openpam_configure.c"
Can anyone help me on whether this error comes from :
wrong settings of me ?
the possibility that the pam service cannot access the module or manage to load it ?
I had to give it a try again and accidentally I found where my mistake was… :-[
I just ported the stack from linux to pfsense, without having in mind possible incompatibilities in pam control flags.
So "[success=1 default=ignore]" is not acceptable in pfsense and that caused my errors…
I should close this...