jpmens / mosquitto-auth-plug

Authentication plugin for Mosquitto with multiple back-ends (MySQL, Redis, CDB, SQLite3)

License: Other

Makefile 2.81% C 78.06% PHP 0.55% Java 1.67% JavaScript 2.77% Python 3.89% Shell 0.63% Ruby 0.10% Roff 7.74% C# 1.51% Go 0.28%

mosquitto-auth-plug's Issues

Support for hash based data-scheme instead of prefix:username=>password

The section "data layout" of http://redis.io/topics/twitter-clone states "... what should identify a user inside our system? The username can be a good idea since it is unique, but it is also too big, and we want to stay low on memory"

As such a simple user-prefix to support scenarios of "prefix:username"=>"password-hash" is a good start but not very likely to be used.

I like an approach* of "prefix:userid" => hash, where the password is stored together with every other attribute inside the hash. To get the hash for a username, I usually use a single larger hash as an index called User:uniques:name that maps a username to the id. This is a similar approach to the one recommended in the above mentioned section on the Redis site. While the principle is the same, it doesn't create at least 2*n new keys (assuming a single password attribute) for n users, but merely n+1 which don't change for more than one user attributes. I'm by no means a Redis expert, but imho this feels cleaner.

Assuming the user hash was defined with HMSET User:1000 username foo password bar, and a username->id hash entry was defined with hset User:uniques:name foo 1000, the user password can be queried easily with

$uniqueid = HGET User:uniques:name testuser
HGET user:$uniqueid password

*Note: I'm a little biased, as this is the format that https://github.com/soveran/ohm is using

Mosquitto dies on wrong password.

When using the MySQL backend, on wrong password - mosquitto dies

Mosquitto version 1.2.2

It segfaults.

mosquitto[4984]: segfault at 7ff8705257d8 ip 00007ff8705257d8 sp 00007fff90610d48 error 15 in libc-2.17.so[7ff870525000+2000

Mandatory parameter `redis_userquery' missing

Hi,
I think both redis_userquery and redis_aclquery are mandatory, yet I could not find any mention of these in the README or repo. Could you please give me a mosquitto.conf example for Redis?

I get the following error.
|-- *** auth-plug: startup
1426207703: |-- ** Configured order: redis

1426207703: |-- }}}} Redis
|-- Mandatory parameter `redis_userquery' missing
|-- *** ABORT.

Redirect log with log_dest file

Hi,
enabling mosquitto file log with "log_dest file " in mosquitto.conf the auth messages are not stored.

I've tried changing in plugin sources:
_log(LOG_NOTICE,
to
_mosquitto_log_printf(NULL, MOSQ_LOG_INFO,
like mosquitto source but the plugin doesn't compile.

Can you help me?

small issue in the example config

In the first part you say "users:" then you say "u:" - is that a mistake?

# Optional: prefix users with the following string
auth_opt_redis_username_prefix users:
auth_opt_redis_host 127.0.0.1
auth_opt_redis_port 6379

# Clients may PUB/SUB to the following prefix. '%' is replaced
# with an authorized user's username (sans username_prefix). So,
# user 'jjolie' may PUB/SUB to "/location/jjolie" and her password
# is at Redis key "u:jjolie"

Can't authenticate on mysql

I have created a user : 123456789 and a hash for password "testpassword" : PBKDF2$sha256$901$SALT$dc59c53d92f078d49b34

When I try to connect using : mosquitto_pub -h myIP -t '/base' -m 'test_topic' -u 123456789 -P testpassword I get an error :

Connection Refused: bad user name or password.
Error: The connection was refused.

The log of mosquitto daemon says :

1416769178: |-- mosquitto_auth_unpwd_check(123456789)
1416769178: |-- ** checking backend mysql
1416769178: |-- getuser(123456789) AUTHENTICATED=0 by none

Do you have any idea about my issue ?

Error on loading in mosquitto 1.4

Hi,
I've a problem with auth-plugin when I try to start mosquitto.
I receive this error: auth-plugin.so undefined symbol ares_library_init.
I work on CentOS 6.5 with c-ares19 library and devel installed.
Could someone help me please?
Luca

Access denied for user 'root'@'localhost' (using password: NO)

This is what I got in my log when I try to start mosquitto.
In my /etc/mosquitto/mosquitto.conf I don't have root user but mqtt user and its password.

1416657377: mosquitto version 1.3.4 (build date 2014-08-08 09:26:34+0000) starting
1416657377: Config loaded from /etc/mosquitto/mosquitto.conf.
1416657377: |-- *** auth-plug: startup
1416657377: |-- ** Configured order: mysql

1416657377: |-- }}}} MYSQL
Access denied for user 'root'@'localhost' (using password: NO)
1416657377: Opening ipv4 listen socket on port 1883.
1416657377: Opening ipv6 listen socket on port 1883.
1416657378: New connection from xx.xx.xx.xxx on port 1883.

Really big logs

Hi JPMens,

I've discovered the mosquitto.log file under /var/log/upstart which, due to its content, I suppose belongs to mosquitto-auth-plug. It has caused some failures because my disk is full (it is a virtualized machine). There is no problem as I have already truncated it to 0 bytes, but... Is there any possibility of deactivating the logging option for mosquitto-auth-plug? Or at least it could be useful to be able to specify the desired location for it (on another /dev or partition, on /dev/null, on a secondary storage...)

Thanks so much.

mqttwarn compatibility

Hi JP,

I would like to know if this plugin is compatible with the mqttwarn module. I need to use mqttwarn on the same server and save into mysql every dispatched message. Now after I have installed the auth-plug module the mosquitto daemon keeps crashing, I believe because mqttwarn is trying to connect without user and password.

thank you

libmosquitto not required

mosquitto_topic_matches_sub() is available in the mosquitto exe, so you shouldn't need to link against libmosquitto.

Issue Loading Library

I'm having problems loading the library... I get

sudo mosquitto -d -c /etc/mosquitto/mosquitto.conf
1389563557: mosquitto version 1.2.3 (build date 2013-12-04 21:22:55+0000) starting
1389563557: Config loaded from /etc/mosquitto/mosquitto.conf.
iandl@Beaker:~$ 1389563557: Error: Unable to load auth plugin "/usr/lib/auth-plug.so".

It's compiled ok and I'm using Mosquitto 1.2.3 and OpenSSL 1.0.1c and MySQL. I've attached the (top part of) Makefile:

BACKENDS=-DBE_MYSQL

BE_CFLAGS=mysql_config --cflags
BE_LDFLAGS=mysql_config --libs
BE_DEPS=

CDBDIR=contrib/tinycdb-0.78
CDB=$(CDBDIR)/cdb
CDBINC=$(CDBDIR)/
CDBLIB=$(CDBDIR)/libcdb.a
BE_CFLAGS += -I$(CDBINC)/
BE_LDFLAGS += -L$(CDBDIR) -lcdb
BE_DEPS += $(CDBLIB)

BE_LDFLAGS += -lsqlite3

BE_CFLAGS += -I/usr/local/include/hiredis

BE_LDFLAGS += -L/usr/local/lib -lhiredis

OPENSSLDIR=/usr/local/stow/openssl-1.0.0c/

OPENSSLDIR=/home/iandl/mosquitto-auth/openssl-1.0.1c/
OSSLINC=-I$(OPENSSLDIR)/include
OSSLIBS=-L$(OPENSSLDIR)/lib -lcrypto

CFLAGS = -I/home/iandl/mosquitto-auth/mosquitto-1.2.3/src/

CFLAGS = -I~/mosquitto-auth/mosquitto-1.2.3/src/

CFLAGS += -I/home/iandl/mosquitto-auth/mosquitto-1.2.3/lib/

CFLAGS = -I../../../../pubgit/MQTT/mosquitto/src/

CFLAGS += -I../../../../pubgit/MQTT/mosquitto/lib/

CFLAGS += -fPIC -Wall -Werror $(BACKENDS) $(BE_CFLAGS) -I$(MOSQ)/src -DDEBUG=1 $(OSSLINC)
LDFLAGS=$(BE_LDFLAGS) -lmosquitto $(OSSLIBS)

LDFLAGS += -L../../../../pubgit/MQTT/mosquitto/lib

LDFLAGS += -L/home/iandl/mosquitto-auth/mosquitto-1.2.3/lib/

LDFLAGS += -Wl,-rpath,$(../../../../pubgit/MQTT/mosquitto/lib) -lc

LDFLAGS += -export-dynamic

CFLAGS += -DDEBUG=1

And the Mosquitto Conf part is:

auth_plugin /usr/lib/auth-plug.so
auth_opt_backends mysql
auth_opt_host localhost
auth_opt_port 3306
auth_opt_dbname mosquitto
auth_opt_user myuser
auth_opt_pass mypwd
auth_opt_userquery SELECT pw FROM users WHERE username = '%s'
auth_opt_superquery SELECT COUNT(*) FROM users WHERE username = '%s' AND super = 1

auth_opt_aclquery SELECT topic FROM acls WHERE username = '%s'

auth_opt_aclquery SELECT topic FROM acls WHERE (username = '%s') AND (rw & %d)

auth_opt_superusers S*

Any ideas what I'm missing?

mosquitto-auth-plug extended ACL support

Hello,

Is it possible extend the mosquitto-auth-plugin to support read only access to topics?

As at this moment there is only RW ... or I didn't understand the workings of the plugin. I need users to be able to see topic but to be unable to write to it as it is in the mosquitto basic auth - write and read ACLs are separated.

ACL check issue?

Hi JPMens,

I'm having some problems with acl checking. Could you help me?

I've two users manolodd and backenduser.

manolodd has read access (1) to: mobile/1/0/auth/api/responses/users/%u/#
backend user has rw access (2) to: mobile/1/0/auth/api/responses/users/#

manolo subscribes to mobile/1/0/auth/api/responses/users/manolodd/#
backenduser publishes to: mobile/1/0/auth/api/reponses/users/manolodd/login

But backenduser is not authorized to publish, although it has rw=2 for mobile/1/0/auth/api/responses/users/# which includes mobile/1/0/auth/api/reponses/users/manolodd/login

This is the log:

1426446906: |-- mosquitto_auth_unpwd_check(backenduser)
1426446906: |-- ** checking backend mysql
1426446906: |-- getuser(backenduser) AUTHENTICATED=1 by mysql
1426446906: |-- mosquitto_auth_acl_check(..., mosqpub/16279-manolodd-, backenduser, mobile/1/0/auth/api/reponses/users/manolodd/login, MOSQ_ACL_WRITE)
1426446906: |-- user backenduser was authenticated in back-end 0 (mysql)
1426446906: |-- mysql: topic_matches(mobile/1/0/auth/api/responses/users/#, mobile/1/0/auth/api/responses/users/#) == 0
1426446906: |-- mysql: topic_matches(mobile/1/0/auth/platform/broadcast/#, mobile/1/0/auth/platform/broadcast/#) == 0
1426446906: |-- mysql: topic_matches(mobile/1/0/anon/api/responses/clients/#, mobile/1/0/anon/api/responses/clients/#) == 0
1426446906: |-- mysql: topic_matches(mobile/1/0/anon/platform/status/#, mobile/1/0/anon/platform/status/#) == 0
1426446906: |-- aclcheck(backenduser, mobile/1/0/auth/api/reponses/users/manolodd/login, 2) AUTHORIZED=0 by mysql

And mosquitto logs:

Mar 15 20:27:19 mosquitto-big mosquitto[5557]: New connection from 192.168.1.100 on port 8883.
Mar 15 20:27:19 mosquitto-big mosquitto[5557]: New client connected from 192.168.1.100 as mosqpub/16362-manolodd- (c1, k60, u'backenduser').
Mar 15 20:27:19 mosquitto-big mosquitto[5557]: Sending CONNACK to mosqpub/16362-manolodd- (0, 0)
Mar 15 20:27:19 mosquitto-big mosquitto[5557]: Denied PUBLISH from mosqpub/16362-manolodd- (d0, q2, r0, m1, 'mobile/1/0/auth/api/reponses/users/manolodd/login', ... (4 bytes))
Mar 15 20:27:19 mosquitto-big mosquitto[5557]: Sending PUBREC to mosqpub/16362-manolodd- (Mid: 1)
Mar 15 20:27:19 mosquitto-big mosquitto[5557]: Received PUBREL from mosqpub/16362-manolodd- (Mid: 1)
Mar 15 20:27:19 mosquitto-big mosquitto[5557]: Sending PUBCOMP to mosqpub/16362-manolodd- (Mid: 1)
Mar 15 20:27:19 mosquitto-big mosquitto[5557]: Received DISCONNECT from mosqpub/16362-manolodd-
Mar 15 20:27:19 mosquitto-big mosquitto[5557]: Client mosqpub/16362-manolodd- disconnected.

Is it a bug?

Thanks
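Added example (not part of the issue and not the plugin's or Mosquitto's code): a small stand-alone MQTT filter matcher, written for illustration, that reports the first topic level at which a filter and a topic disagree. It is fed the ACL filter and the published topic exactly as they are spelled in the log above; `mismatch_level`, `ACL_FILTER` and `LOGGED_TOPIC` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Strings copied from the post: the rw ACL row and the topic in the PUBLISH. */
static const char ACL_FILTER[]   = "mobile/1/0/auth/api/responses/users/#";
static const char LOGGED_TOPIC[] = "mobile/1/0/auth/api/reponses/users/manolodd/login";

/* Length of the topic level that starts at s (up to the next '/' or the end). */
static size_t level_len(const char *s)
{
    size_t n = 0;
    while (s[n] != '\0' && s[n] != '/')
        n++;
    return n;
}

/*
 * Compare an MQTT topic filter (may contain '+' and a trailing '#') with a
 * concrete topic name. Returns 0 on a match, otherwise the 1-based number of
 * the first level at which the two disagree.
 */
int mismatch_level(const char *filter, const char *topic)
{
    int level;

    /* A filter that does not itself start with '$' never matches $SYS etc. */
    if (topic[0] == '$' && filter[0] != '$')
        return 1;

    for (level = 1;; level++) {
        size_t fl = level_len(filter);
        size_t tl = level_len(topic);

        /* '#' swallows the rest of the topic, but only as the last level. */
        if (fl == 1 && filter[0] == '#')
            return filter[1] == '\0' ? 0 : level;

        /* '+' accepts any single level; anything else must be identical. */
        if (!(fl == 1 && filter[0] == '+') &&
            (fl != tl || memcmp(filter, topic, fl) != 0))
            return level;

        filter += fl;
        topic += tl;

        if (*filter == '\0' && *topic == '\0')
            return 0;                       /* both consumed: match */
        if (*filter == '\0')
            return level + 1;               /* topic has extra levels */
        if (*topic == '\0')                 /* "a/#" also matches "a" */
            return strcmp(filter, "/#") == 0 ? 0 : level + 1;

        filter++;                           /* step over the '/' */
        topic++;
    }
}

int main(void)
{
    int lvl = mismatch_level(ACL_FILTER, LOGGED_TOPIC);

    if (lvl == 0)
        printf("filter matches topic\n");
    else
        printf("no match: filter and topic differ at level %d\n", lvl);
    return 0;
}
```
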

Error: Unable to load auth plugin "/usr/lib/auth-plug.so"

Hi,
I've a problem running your library on a x86 machine:

./mosquitto -c mosquitto.conf
1412605004: mosquitto version 1.3.4 (build date 2014-10-06 16:14:36+0200) starting
1412605004: Config loaded from mosquitto.conf.
1412605004: Error: Unable to load auth plugin "/usr/lib/auth-plug.so".

I've successfully compiled the library without modifying your makefile (I've only changed the MOSQUITTO_SRC) and moved to /usr/lib/auth.plugin.so.

I'm using mosquitto 1.3.4 compiled by myself and here is my mosquitto.conf:

autosave_interval 1800
connection_messages true
log_timestamp true
listener 1883
auth_plugin /usr/lib/auth-plug.so
auth_opt_backends mysql
auth_opt_host 127.0.0.1
auth_opt_port 3306
auth_opt_dbname mqtt
auth_opt_user mqttauth
auth_opt_pass mqttauthpassword
auth_opt_userquery SELECT password FROM USERS WHERE id_user = %s
auth_opt_superquery SELECT IFNULL(COUNT(*), 0) FROM USERS WHERE id_user = %s AND superuser = 1
auth_opt_superusers S*

Will ACL

This one took me several hours to debug. Even though the ACLs were set up correctly and the debug output returned an ACL permit, Mosquitto kept sending "Sending CONNACK to ec6d3c6a4a0f342f (5)" / "Connection Refused: not authorized".

The reason for this was, that I specified a will topic that was not covered by the ACL rules. Maybe it should be documented, that when specifying a will message it should be covered by the ACL or else Mosquitto will fail silently. When thinking about it, it's quite obvious but it's easy to miss.

Change in NP or creating of API to support Web based requests

As I said on Twitter - I'm working on a project based on MQTTitude using mosquitto + mosquitto-auth-plug.

I want to have a single point of authentication for an easy web based interface. I'm using the MQTTitude contrib form m2s.

Is it possible to calculate user password HASH in PHP or exec external program with parameter to check password validity to hash? And can an API be created for new users/change of password?

Regards.

Compilation error

I've got some troubles compiling the mosquitto-auth-plugin on a Raspberry Pi running RASPBIAN, Version:June 2014, Release date:2014-06-20.

I want to run the backend mysql and I've installed the prerequisites:

mosquitto (1.3.2) mosquitto-clients python-mosquitto (from http://repo.mosquitto.org/debian/mosquitto-repo)
mysql-server-5.5
libmysqlclient-dev
libssl-dev

I've only enabled the mysql backend:

BACKENDS=-DBE_MYSQL

But the compiler complains:

openhab@openhab ~/checkout/mosquitto-auth-plug $ make clean && make
rm -f _.o *.so
(cd contrib/tinycdb-0.78; make realclean )
make[1]: Entering directory /home/openhab/checkout/mosquitto-auth-plug/contrib/tinycdb-0.78'
rm -f *.o *.lo core *~ libcdb[._][aps]_ libnss_cdb.so.2\* cdb cdb-shared
make[1]: Leaving directory /home/openhab/checkout/mosquitto-auth-plug/contrib/tinycdb-0.78'
cc -I/home/openhab/checkout/mosquitto-1.3.2/src/ -I/home/openhab/checkout/mosquitto-1.3.2/lib/ -fPIC -Wall -Werror -DBE_MYSQLmysql_config --cflags-Icontrib/tinycdb-0.78// -I/usr/local/include/hiredis -I/usr/include -I/src -DDEBUG=1 -I/usr/include/openssl/include -c -o auth-plug.o auth-plug.c
cc -I/home/openhab/checkout/mosquitto-1.3.2/src/ -I/home/openhab/checkout/mosquitto-1.3.2/lib/ -fPIC -Wall -Werror -DBE_MYSQLmysql_config --cflags-Icontrib/tinycdb-0.78// -I/usr/local/include/hiredis -I/usr/include -I/src -DDEBUG=1 -I/usr/include/openssl/include -c -o base64.o base64.c
cc -I/home/openhab/checkout/mosquitto-1.3.2/src/ -I/home/openhab/checkout/mosquitto-1.3.2/lib/ -fPIC -Wall -Werror -DBE_MYSQLmysql_config --cflags-Icontrib/tinycdb-0.78// -I/usr/local/include/hiredis -I/usr/include -I/src -DDEBUG=1 -I/usr/include/openssl/include -c -o pbkdf2-check.o pbkdf2-check.c
cc -I/home/openhab/checkout/mosquitto-1.3.2/src/ -I/home/openhab/checkout/mosquitto-1.3.2/lib/ -fPIC -Wall -Werror -DBE_MYSQLmysql_config --cflags-Icontrib/tinycdb-0.78// -I/usr/local/include/hiredis -I/usr/include -I/src -DDEBUG=1 -I/usr/include/openssl/include -c -o log.o log.c
cc -I/home/openhab/checkout/mosquitto-1.3.2/src/ -I/home/openhab/checkout/mosquitto-1.3.2/lib/ -fPIC -Wall -Werror -DBE_MYSQLmysql_config --cflags-Icontrib/tinycdb-0.78// -I/usr/local/include/hiredis -I/usr/include -I/src -DDEBUG=1 -I/usr/include/openssl/include -c -o hash.o hash.c
cc -I/home/openhab/checkout/mosquitto-1.3.2/src/ -I/home/openhab/checkout/mosquitto-1.3.2/lib/ -fPIC -Wall -Werror -DBE_MYSQLmysql_config --cflags-Icontrib/tinycdb-0.78// -I/usr/local/include/hiredis -I/usr/include -I/src -DDEBUG=1 -I/usr/include/openssl/include -c -o be-psk.o be-psk.c
cc -I/home/openhab/checkout/mosquitto-1.3.2/src/ -I/home/openhab/checkout/mosquitto-1.3.2/lib/ -fPIC -Wall -Werror -DBE_MYSQLmysql_config --cflags-Icontrib/tinycdb-0.78// -I/usr/local/include/hiredis -I/usr/include -I/src -DDEBUG=1 -I/usr/include/openssl/include -c -o be-cdb.o be-cdb.c
cc -I/home/openhab/checkout/mosquitto-1.3.2/src/ -I/home/openhab/checkout/mosquitto-1.3.2/lib/ -fPIC -Wall -Werror -DBE_MYSQLmysql_config --cflags-Icontrib/tinycdb-0.78// -I/usr/local/include/hiredis -I/usr/include -I/src -DDEBUG=1 -I/usr/include/openssl/include -c -o be-mysql.o be-mysql.c
cc -I/home/openhab/checkout/mosquitto-1.3.2/src/ -I/home/openhab/checkout/mosquitto-1.3.2/lib/ -fPIC -Wall -Werror -DBE_MYSQLmysql_config --cflags-Icontrib/tinycdb-0.78// -I/usr/local/include/hiredis -I/usr/include -I/src -DDEBUG=1 -I/usr/include/openssl/include -c -o be-sqlite.o be-sqlite.c
cc -I/home/openhab/checkout/mosquitto-1.3.2/src/ -I/home/openhab/checkout/mosquitto-1.3.2/lib/ -fPIC -Wall -Werror -DBE_MYSQLmysql_config --cflags-Icontrib/tinycdb-0.78// -I/usr/local/include/hiredis -I/usr/include -I/src -DDEBUG=1 -I/usr/include/openssl/include -c -o be-redis.o be-redis.c
cc -I/home/openhab/checkout/mosquitto-1.3.2/src/ -I/home/openhab/checkout/mosquitto-1.3.2/lib/ -fPIC -Wall -Werror -DBE_MYSQLmysql_config --cflags-Icontrib/tinycdb-0.78// -I/usr/local/include/hiredis -I/usr/include -I/src -DDEBUG=1 -I/usr/include/openssl/include -c -o be-postgres.o be-postgres.c
cc -I/home/openhab/checkout/mosquitto-1.3.2/src/ -I/home/openhab/checkout/mosquitto-1.3.2/lib/ -fPIC -Wall -Werror -DBE_MYSQLmysql_config --cflags-Icontrib/tinycdb-0.78// -I/usr/local/include/hiredis -I/usr/include -I/src -DDEBUG=1 -I/usr/include/openssl/include -c -o be-ldap.o be-ldap.c
(cd contrib/tinycdb-0.78; make libcdb.a cdb )
make[1]: Entering directory /home/openhab/checkout/mosquitto-auth-plug/contrib/tinycdb-0.78'
cc -fPIC -O -D_FILE_OFFSET_BITS=64 -c cdb_init.c
cc -fPIC -O -D_FILE_OFFSET_BITS=64 -c cdb_find.c
cc -fPIC -O -D_FILE_OFFSET_BITS=64 -c cdb_findnext.c
cc -fPIC -O -D_FILE_OFFSET_BITS=64 -c cdb_seq.c
cc -fPIC -O -D_FILE_OFFSET_BITS=64 -c cdb_seek.c
cc -fPIC -O -D_FILE_OFFSET_BITS=64 -c cdb_unpack.c
cc -fPIC -O -D_FILE_OFFSET_BITS=64 -c cdb_make_add.c
cc -fPIC -O -D_FILE_OFFSET_BITS=64 -c cdb_make_put.c
cc -fPIC -O -D_FILE_OFFSET_BITS=64 -c cdb_make.c
cc -fPIC -O -D_FILE_OFFSET_BITS=64 -c cdb_hash.c
rm -f libcdb.a
ar rv libcdb.a cdb_init.o cdb_find.o cdb_findnext.o cdb_seq.o cdb_seek.o cdb_unpack.o cdb_make_add.o cdb_make_put.o cdb_make.o cdb_hash.o
ar: creating libcdb.a
a - cdb_init.o
a - cdb_find.o
a - cdb_findnext.o
a - cdb_seq.o
a - cdb_seek.o
a - cdb_unpack.o
a - cdb_make_add.o
a - cdb_make_put.o
a - cdb_make.o
a - cdb_hash.o
ranlib libcdb.a
cc -fPIC -O -D_FILE_OFFSET_BITS=64 -c cdb.c
cc -fPIC -o cdb cdb.o libcdb.a
make[1]: Leaving directory /home/openhab/checkout/mosquitto-auth-plug/contrib/tinycdb-0.78'
cc -fPIC -shared auth-plug.o base64.o pbkdf2-check.o log.o hash.o be-psk.o be-cdb.o be-mysql.o be-sqlite.o be-redis.o be-postgres.o be-ldap.o -o auth-plug.so -L/usr/include/openssl/lib -lcrypto contrib/tinycdb-0.78/libcdb.amysql_config --libs -lpq -Lcontrib/tinycdb-0.78 -lcdb -lsqlite3 -L/usr/local/lib -lhiredis -L/usr/lib -lldap -llber -L/usr/include/openssl/lib -lcrypto -L/home/openhab/checkout/mosquitto-1.3.2/lib/ -lmosquitto
/usr/bin/ld: cannot find -lpq
/usr/bin/ld: cannot find -lsqlite3
/usr/bin/ld: cannot find -lhiredis
/usr/bin/ld: cannot find -lldap
/usr/bin/ld: cannot find -llber
/usr/bin/ld: cannot find -lmosquitto
collect2: ld returned 1 exit status
make: *** [auth-plug.so] Error 1

What do I need to do to have the compiler find these libraries?

Thanks in advance!

segfault with http when client publish without user

mosquitto_pub -t /test -m ciao
produces a segfault:

Using host libthread_db library "/lib64/libthread_db.so.1".
1416706120: mosquitto version 1.3.5 (build date 2014-10-08 22:06:55+0000) starting
1416706120: Config loaded from /etc/mosquitto/mosquitto.conf.
1416706120: |-- *** auth-plug: startup
1416706120: |-- ** Configured order: http

1416706120: |-- getuser_uri=/auth
1416706120: |-- superuser_uri=/superuser
1416706120: |-- aclcheck_uri=/acl
1416706120: Opening ipv4 listen socket on port 1883.
1416706120: Opening ipv6 listen socket on port 1883.
1416706127: New connection from 192.168.1.172 on port 1883.
1416706127: New client connected from 192.168.1.172 as mosqpub/3837-asus-pat1 (c1, k60).
1416706127: Sending CONNACK to mosqpub/3837-asus-pat1 (0)
1416706127: |-- mosquitto_auth_acl_check(..., mosqpub/3837-asus-pat1, NULL, /test, MOSQ_ACL_WRITE)

Program received signal SIGSEGV, Segmentation fault.
0x00000036157398cf in __strlen_sse42 () from /lib64/libc.so.6
(gdb) where
#0 0x00000036157398cf in __strlen_sse42 () from /lib64/libc.so.6
#1 0x00007ffff7baa780 in hexify (clientid=0x652460 "mosqpub/3837-asus-pat1", username=0x0, topic=0x650b60 "/test", access=2, hex=0x7fffffffd2c0 "`\ve") at cache.c:64
#2 0x00007ffff7babfd8 in cache_q (clientid=0x652460 "mosqpub/3837-asus-pat1", username=0x0, topic=0x650b60 "/test", access=2, userdata=0x64dd20) at cache.c:144
#3 0x00007ffff7ba84df in mosquitto_auth_acl_check (userdata=0x64dd20, clientid=0x652460 "mosqpub/3837-asus-pat1", username=0x0, topic=0x650b60 "/test", access=2) at auth-plug.c:440

#4 0x000000000040fbcb in ?? ()
#5 0x000000000040f255 in ?? ()
#6 0x000000000040b212 in ?? ()
#7 0x000000000040401b in ?? ()
#8 0x0000003615621b45 in __libc_start_main () from /lib64/libc.so.6
#9 0x0000000000404139 in ?? ()
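Added example (not from the issue and not the plugin's cache.c): the backtrace above ends in strlen() on a NULL username inside the cache-key routine, so this sketch shows that pattern beside a NULL-safe key builder. The key layout and the names `unsafe_key_len`, `put_field` and `cache_key` are assumptions made for illustration; the real plugin would hash the resulting string.

```c
#include <stdio.h>
#include <string.h>

/*
 * The failing pattern: an anonymous client has no username, the broker passes
 * NULL, and strlen(NULL) faults. Shown for comparison only, never called here.
 */
size_t unsafe_key_len(const char *clientid, const char *username,
                      const char *topic)
{
    return strlen(clientid) + strlen(username) + strlen(topic);
}

/*
 * Append one field as <tag><len>:<bytes>, or as <tag>- when the pointer is
 * NULL. The length prefix keeps ("ab","c") and ("a","bc") apart, and the '-'
 * marker keeps an anonymous client apart from a user named "".
 */
static int put_field(char *out, size_t cap, size_t *off, char tag,
                     const char *s)
{
    int n = s ? snprintf(out + *off, cap - *off, "%c%zu:%s", tag, strlen(s), s)
              : snprintf(out + *off, cap - *off, "%c-", tag);

    if (n < 0 || (size_t)n >= cap - *off)
        return -1;                      /* output would be truncated */
    *off += (size_t)n;
    return 0;
}

/*
 * Build an unambiguous cache key for one ACL decision.
 * Returns 0 on success, -1 on bad arguments or if `out` is too small; a
 * caller that gets -1 should skip the cache and ask the back-end instead.
 */
int cache_key(char *out, size_t cap, const char *clientid,
              const char *username, const char *topic, int access)
{
    size_t off = 0;
    int n;

    if (out == NULL || cap == 0 || topic == NULL)
        return -1;
    if (put_field(out, cap, &off, 'c', clientid) != 0 ||
        put_field(out, cap, &off, 'u', username) != 0 ||
        put_field(out, cap, &off, 't', topic) != 0)
        return -1;

    n = snprintf(out + off, cap - off, "a%d", access);
    if (n < 0 || (size_t)n >= cap - off)
        return -1;
    return 0;
}

int main(void)
{
    char key[256];

    /* Arguments as they appear in frame #3 of the backtrace. */
    if (cache_key(key, sizeof key, "mosqpub/3837-asus-pat1", NULL, "/test", 2) == 0)
        printf("%s\n", key);
    return 0;
}
```
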

ACL check only on publish

Using the configuration from examples/mosquitto-mysql.conf when I publish to the topic I got denied but I still can subscribe without any problem.

Yet another unable to load auth-plugin.

Hi, I followed #33 but no luck. Any help appreciated.

1422608200: mosquitto version 1.3.5 (build date 2015-01-29 19:51:52+0200) starting
1422608200: Config loaded from mosquitto.conf.
LOADERROR /usr/lib/x86_64-linux-gnu/auth-plug.so: undefined symbol: deflate
1422608200: Error: Unable to load auth plugin "/usr/lib/x86_64-linux-gnu/auth-plug.so".


System Info:

  • OS: Ubuntu 14.04.1 LTS
  • Linux 3.13.0-44-generic x86_64 GNU/Linux
  • package: zlib1g-dev / Status: install ok installed

ldd /usr/local/sbin/mosquitto
linux-vdso.so.1 => (0x00007fff840ef000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f6a3c388000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f6a3c082000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f6a3be79000)
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f6a3bc1b000)
libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f6a3b841000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6a3b47a000)
/lib64/ld-linux-x86-64.so.2 (0x00007f6a3c5a8000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f6a3b25c000)

ldd auth-plug.so
linux-vdso.so.1 => (0x00007fff83fba000)
libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f526b99c000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f526b5d6000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f526b3d1000)
/lib64/ld-linux-x86-64.so.2 (0x00007f526c29c000)


cat config.mk
BACKEND_CDB ?= no
BACKEND_MYSQL ?= yes
BACKEND_SQLITE ?= no
BACKEND_REDIS ?= no
BACKEND_POSTGRES ?= no
BACKEND_LDAP ?= no
BACKEND_HTTP ?= no

MOSQUITTO_SRC = /home/gkraggel/Downloads/mosquitto/mosquitto-1.3.5

OPENSSLDIR = /usr/include/openssl


locate zlib.h
/usr/include/zlib.h
/usr/src/linux-headers-3.13.0-32/include/linux/zlib.h
/usr/src/linux-headers-3.13.0-32-generic/include/config/crypto/zlib.h
/usr/src/linux-headers-3.13.0-32-generic/include/config/jffs2/zlib.h
/usr/src/linux-headers-3.13.0-32-generic/include/config/squashfs/zlib.h
/usr/src/linux-headers-3.13.0-32-generic/include/config/ubifs/fs/zlib.h
/usr/src/linux-headers-3.13.0-32-generic/include/linux/zlib.h
/usr/src/linux-headers-3.13.0-40/include/linux/zlib.h
/usr/src/linux-headers-3.13.0-40-generic/include/config/crypto/zlib.h
/usr/src/linux-headers-3.13.0-40-generic/include/config/jffs2/zlib.h
/usr/src/linux-headers-3.13.0-40-generic/include/config/squashfs/zlib.h
/usr/src/linux-headers-3.13.0-40-generic/include/config/ubifs/fs/zlib.h
/usr/src/linux-headers-3.13.0-40-generic/include/linux/zlib.h
/usr/src/linux-headers-3.13.0-43/include/linux/zlib.h
/usr/src/linux-headers-3.13.0-43-generic/include/config/crypto/zlib.h
/usr/src/linux-headers-3.13.0-43-generic/include/config/jffs2/zlib.h
/usr/src/linux-headers-3.13.0-43-generic/include/config/squashfs/zlib.h
/usr/src/linux-headers-3.13.0-43-generic/include/config/ubifs/fs/zlib.h
/usr/src/linux-headers-3.13.0-43-generic/include/linux/zlib.h
/usr/src/linux-headers-3.13.0-44/include/linux/zlib.h
/usr/src/linux-headers-3.13.0-44-generic/include/config/crypto/zlib.h
/usr/src/linux-headers-3.13.0-44-generic/include/config/jffs2/zlib.h
/usr/src/linux-headers-3.13.0-44-generic/include/config/squashfs/zlib.h
/usr/src/linux-headers-3.13.0-44-generic/include/config/ubifs/fs/zlib.h
/usr/src/linux-headers-3.13.0-44-generic/include/linux/zlib.h

installation issue

undefined symbol: ares_library_init (./auth-plug.so)
undefined symbol: ares_library_cleanup (./auth-plug.so)

CDB support for people who don't want Redis

Redis adds moving parts to the infrastructure. Maybe add CDB support as a lightweight constant db.

In which case, I'd rename the plugin to something more generic.

Another option, particularly for huge environments: LMDB

Superuser wildcard subscription to /location/# not working

If I subscribe a superuser to /location/# the subscriber will not receive messages published to /location/foo or /location/bar. Subscribing directly to /location/bar and /location/foo works however.

Is this an intended behaviour?

REST

Inspired by this we could add a libcurl-based REST API of some sort.

%u and %c in field 'topic' of table acls

Good night,

after setting up correctly my bridged mosquitto architecture and the mosquitto-auth-plug, I've tried to set topics in 'acls' table that include %d and %u, thinking that maybe it would work fine, the same way that # and + do. But it does not seem to work.

Are you thinking of implementing this feature in the near future? It would be very useful!!

Best regards and... thank you for this really good job!!

PS: or maybe it works and I'm doing it the wrong way.

nord is -1: unpossible!

Hi,
I've been running your auth plugin since November with mysql based authentication.
These days I'm starting to get "nord is -1: unpossible!" error, then all other authentication fails.

Here is the log:
1426542924: New connection from 188.216.166.aaa on port 1884.
1426542924: |-- mosquitto_auth_unpwd_check(USER_NOT_IN_DB)
1426542924: |-- ** checking backend mysql
1426542924: |-- getuser(USER_NOT_IN_DB) AUTHENTICATED=0 by none
1426542928: New connection from 188.216.166.aaa on port 1884.
1426542928: |-- mosquitto_auth_unpwd_check(USER_NOT_IN_DB)
1426542928: |-- ** checking backend mysql
1426542928: |-- getuser(USER_NOT_IN_DB) AUTHENTICATED=0 by none
1426542937: New connection from 188.216.166.aaa on port 1884.
1426542937: |-- mosquitto_auth_unpwd_check(USER_NOT_IN_DB)
1426542937: |-- ** checking backend mysql
1426542937: |-- getuser(USER_NOT_IN_DB) AUTHENTICATED=0 by none
1426542938: |-- mosquitto_auth_acl_check(..., CLIENT_XX, USER_OK_1, TOPIC_1_1_OK, 2)
1426542938: |-- nord is -1: unpossible!
1426542968: New connection from 188.216.166.aaa on port 1884.
1426542968: |-- mosquitto_auth_unpwd_check(USER_NOT_IN_DB)
1426542968: |-- ** checking backend mysql
1426542968: |-- getuser(USER_NOT_IN_DB) AUTHENTICATED=0 by none
1426542976: |-- mosquitto_auth_acl_check(..., CLIENT_YY, USER_OK_2, TOPIC_2_1_OK, 2)
1426542976: |-- nord is -1: unpossible!
1426542976: |-- mosquitto_auth_acl_check(..., CLIENT_YY, USER_OK_2, TOPIC_2_2_OK, 2)
1426542976: |-- nord is -1: unpossible!
1426542976: |-- mosquitto_auth_acl_check(..., CLIENT_YY, USER_OK_2, TOPIC_2_3_OK, 2)
1426542976: |-- nord is -1: unpossible!
1426542976: |-- mosquitto_auth_acl_check(..., CLIENT_YY, USER_OK_2, TOPIC_2_4_OK, 2)
1426542976: |-- nord is -1: unpossible!
1426542976: |-- mosquitto_auth_acl_check(..., CLIENT_YY, USER_OK_2, TOPIC_2_5_OK, 2)
1426542976: |-- nord is -1: unpossible!
1426542976: |-- mosquitto_auth_acl_check(..., CLIENT_YY, USER_OK_2, TOPIC_2_6_OK, 2)
1426542976: |-- nord is -1: unpossible!
1426542976: |-- mosquitto_auth_acl_check(..., CLIENT_YY, USER_OK_2, TOPIC_2_7_OK, 2)

I think the problem starts when USER_NOT_IN_DB tries to connect.
Here is the configuration query:
auth_opt_userquery SELECT passwordpbkdf2 FROM User WHERE username = '%s';
auth_opt_superquery SELECT IFNULL(COUNT(*), 0) FROM User WHERE username = '%s' AND superuser = 1

64bit Ubuntu 13.10 loading issues

Hi,

I'm having problems getting auth-plug to work on my new 13.10 x64 machine. I have tried loading from /usr/lib and /usr/lib/x86_64-linux-gnu

ldd from the lib is:

linux-vdso.so.1 => (0x00007fffc5ede000)
libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f108bf31000)
libmysqlclient.so.18 => /usr/lib/x86_64-linux-gnu/libmysqlclient.so.18 (0x00007f108b9f9000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f108b630000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f108b42c000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f108b213000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f108aff5000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f108acf1000)
/lib64/ld-linux-x86-64.so.2 (0x00007f108c533000)

and from mosquitto:

linux-vdso.so.1 => (0x00007fff495fe000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f0626cf0000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f06269ec000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f06267e3000)
libwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x00007f06265d9000)
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f062637b000)
libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f0625f9e000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0625bd6000)
/lib64/ld-linux-x86-64.so.2 (0x00007f0626f0b000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f06259b9000)
libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007f062579e000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f0625585000)

I'm now using Mosquitto 1.3.1

Any ideas?

Thanks,

Ian

DENY Sub

Hi,
I have done some tests. It's working excellent. But I've found something, I don't know if it is a bug or is just not implemented.
If a user has no ACL permission he may subscribe as read on any existent or inexistent topic.
When the user subscribes I get

1418921109: New connection from 192.168.1.1 on port 1883.
1418921109: |-- mosquitto_auth_unpwd_check(mihai)
1418921109: |-- ** checking backend mysql
1418921109: |-- getuser(mihai) AUTHENTICATED=1 by mysql
1418921109: New client connected from 192.168.1.1 as mosqsub/42087-mihais-ma (c1, k60, umihai).
1418921109: Sending CONNACK to mosqsub/42087-mihais-ma (0)
1418921109: Received SUBSCRIBE from mosqsub/42087-mihais-ma
1418921109: test/test (QoS 0)
1418921109: mosqsub/42087-mihais-ma 0 test/test
1418921109: Sending SUBACK to mosqsub/42087-mihais-ma

and the aclcheck step is not there.
Thank you

plug in won't work well after verify a wrong user, use mysql

Step to reproduce:

use mysql db, have table user and acls

  1. create 2 users, for example: sub, pub
  2. create a topic in acls, for example: test, sub can subscribe and pub can publish
  3. connect with user "sub"
  4. publish a message with user "pub", then user "sub" can receive the topic message
  5. connect with user "xx" which is the wrong user
  6. publish a message with user "pub", then user "sub" can't receive the topic message

This is due to userdata->authentication_be being equal to -1; the plugin's call to mosquitto_auth_unpwd_check to check user "xx" will set that variable to -1.
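Added example (a simplified model, not the plugin's source): the reproduction steps above replayed against a broker-wide `authentication_be` field that every login attempt overwrites, next to an ACL check that resolves the back-end from the user being checked. The log in the "nord is -1: unpossible!" issue earlier on this page shows the same sequence, failed logins followed by failing ACL checks for other users. The table contents, secrets and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data standing in for the users and acls tables. */
struct row { const char *user; const char *secret; const char *topic; };
struct backend { const char *name; const struct row *rows; int nrows; };

static const struct row MYSQL_ROWS[] = {
    { "sub", "sub-secret", "test" },
    { "pub", "pub-secret", "test" },
};
static const struct backend BACKENDS[] = { { "mysql", MYSQL_ROWS, 2 } };
#define NBACKENDS ((int)(sizeof BACKENDS / sizeof BACKENDS[0]))

/* Return the index of the back-end that knows `user` (and its row), or -1. */
static int find_user(const char *user, const struct row **row)
{
    if (user == NULL)
        return -1;
    for (int b = 0; b < NBACKENDS; b++)
        for (int i = 0; i < BACKENDS[b].nrows; i++)
            if (strcmp(BACKENDS[b].rows[i].user, user) == 0) {
                *row = &BACKENDS[b].rows[i];
                return b;
            }
    return -1;
}

/* Plugin state: one instance shared by every connection to the broker. */
struct userdata { int authentication_be; };

/* Login check. A real back-end verifies a PBKDF2 hash, not a plain string. */
int unpwd_check(struct userdata *ud, const char *user, const char *pw)
{
    const struct row *r = NULL;
    int b = find_user(user, &r);
    int ok = (b >= 0 && pw != NULL && strcmp(r->secret, pw) == 0);

    ud->authentication_be = ok ? b : -1;   /* overwritten by EVERY attempt */
    return ok;
}

/* Flawed: trusts whatever the most recent login attempt left behind. */
int acl_check_shared(const struct userdata *ud, const char *user,
                     const char *topic)
{
    const struct row *r = NULL;

    if (ud->authentication_be < 0)
        return 0;                          /* someone else's failed login */
    return find_user(user, &r) == ud->authentication_be &&
           strcmp(r->topic, topic) == 0;
}

/*
 * Per-request: derives the back-end from the user named in this call. The
 * broker only asks for ACL decisions on behalf of clients it has admitted.
 */
int acl_check_per_request(const char *user, const char *topic)
{
    const struct row *r = NULL;

    return find_user(user, &r) >= 0 && strcmp(r->topic, topic) == 0;
}

/*
 * Replay steps 3 to 6 of the report. Bit 0 of the result: "pub" may publish
 * before "xx" tries to log in; bit 1: "pub" may still publish afterwards.
 */
int replay(int use_shared)
{
    struct userdata ud = { -1 };
    int before, after;

    unpwd_check(&ud, "sub", "sub-secret");             /* step 3 */
    unpwd_check(&ud, "pub", "pub-secret");             /* step 4: connect */
    before = use_shared ? acl_check_shared(&ud, "pub", "test")
                        : acl_check_per_request("pub", "test");
    unpwd_check(&ud, "xx", "wrong");                   /* step 5 */
    after = use_shared ? acl_check_shared(&ud, "pub", "test")
                       : acl_check_per_request("pub", "test");  /* step 6 */
    return before | (after << 1);
}

int main(void)
{
    printf("shared state : %d\n", replay(1));
    printf("per request  : %d\n", replay(0));
    return 0;
}
```
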

Segmentation fault using bridging

Summary

Setup client(a) <----> mosq(a) <----> mosq(b) <----> client(b)

Bridging in one direction seems to work fine. The issue seems to come about when publishing to a server that is bridged and hasn't published anything yet. If you bring up mosquitto on mosq(a) and mosq(b) where mosq(a) has two connections defined (an in and an out) if it receives on the in before the out the process Seg Faults.

It looks, based on the memory address, that the pointer is in protected memory space. I am really not a C++ guy so I am sorry I am not much help here. Mosq(a) is an embedded debian host running on an arm platform and mosq(b) is on an intel platform.

The versions on both servers are the same auth-plug from master yesterday.

mosquitto version 1.3 (build date 2014-03-25 02:40:13+0000)
mosquitto is an MQTT v3.1 broker.

mosq(a) configuration

# Global options
retry_interval 5
sys_interval 10
persistence true 
autosave_interval 1800
persistent_client_expiration 1m
persistence_location /var/lib/mosquitto/
queue_qos0_messages true


# Multiple log_dest supported

log_dest syslog
log_dest stdout

listener 1883
listener 1884

# topic logs to the broker topic '$SYS/broker/log/<severity>',
# where severity is one of D, E, W, N, I, M which are debug, error,

log_dest topic

# Possible types are: debug, error, warning, notice, information,
# none, subscribe, unsubscribe, all.

log_type all

# Authentication config
auth_plugin /var/lib/mosquitto/auth-plug.so
auth_opt_backends redis
auth_opt_host localhost
auth_opt_port 6379

connection toCloud
address 10.0.0.7
username ***
password ***
restart_timeout 5
topic /remote/# out "" ""

connection fromCloud
address 10.0.0.7
username ***
password ***
restart_timeout 5
topic /remote/test/control in "" ""

mosq(b) config

# Global options
retry_interval 5
sys_interval 10
persistence true # for whatever reason this breaks shit
autosave_interval 1800
persistent_client_expiration 1m
persistence_location /var/lib/mosquitto/
upgrade_outgoing_qos true
queue_qos0_messages true

# Multiple log_dest supported

log_dest syslog
log_dest stdout

listener 1883
listener 1884

# topic logs to the broker topic '$SYS/broker/log/<severity>',
# where severity is one of D, E, W, N, I, M which are debug, error,

log_dest topic

# Possible types are: debug, error, warning, notice, information,
# none, subscribe, unsubscribe, all.

log_type all

# Authentication config
auth_plugin /var/lib/mosquitto/auth-plug.so
auth_opt_backends mysql
auth_opt_host localhost
auth_opt_port 3306
auth_opt_dbname mqtt_auth
auth_opt_user ***
auth_opt_pass ***
auth_opt_userquery SELECT password FROM users WHERE username = '%s'
auth_opt_superquery SELECT COUNT(*) FROM users WHERE username = '%s' AND super = 1
auth_opt_aclquery SELECT topic FROM acls WHERE (username = '%s') AND (rw & 1)

connection bridge
clientid bridge
address localhost:1884
topic #  in "" /bridge
username ***
password ***
#restart_timeout 5
#start_type automatic
#try_private false
cleansession true
#connection_messages true
max_connections -1

gdb output

root@monolith:/usr/local# gdb
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "arm-linux-gnueabihf".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
(gdb) exec-file /usr/local/sbin/mosquitto 
(gdb) handle SIGILL nostop noprint
Signal        Stop  Print   Pass to program Description
SIGILL        No    No  Yes     Illegal instruction
(gdb) run -c /etc/mosquitto/mosquitto.conf
Starting program: /usr/local/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/arm-linux-gnueabihf/libthread_db.so.1".
1395917698: mosquitto version 1.3 (build date 2014-03-27 00:13:27+0000) starting
1395917698: Config loaded from /etc/mosquitto/mosquitto.conf.
*** auth-plug: backend=BACKEND
1395917698: |-- AuthOptions: key=backends, val=redis
1395917698: |-- AuthOptions: key=host, val=localhost
1395917698: |-- AuthOptions: key=port, val=6379
** Configured order: redis
1395917698: |-- }}}} Redis
1395917698: Opening ipv4 listen socket on port 1883.
1395917698: Opening ipv6 listen socket on port 1883.
1395917698: Opening ipv4 listen socket on port 1884.
1395917698: Opening ipv6 listen socket on port 1884.
1395917698: Bridge monolith.toCloud doing local SUBSCRIBE on topic /remote/#
1395917698: Connecting bridge toCloud (10.0.0.7:1883)
1395917698: Error creating bridge: Connection refused.
1395917698: Warning: Unable to connect to bridge toCloud.
1395917698: Connecting bridge fromCloud (10.0.0.7:1883)
1395917698: Error creating bridge: Connection refused.
1395917698: Warning: Unable to connect to bridge fromCloud.
1395917703: Bridge monolith.toCloud doing local SUBSCRIBE on topic /remote/#
1395917703: Connecting bridge toCloud (10.0.0.7:1883)
1395917703: Error creating bridge: Connection refused.
1395917703: Connecting bridge fromCloud (10.0.0.7:1883)
1395917703: Error creating bridge: Connection refused.
1395917709: Bridge monolith.toCloud doing local SUBSCRIBE on topic /remote/#
1395917709: Connecting bridge toCloud (10.0.0.7:1883)
1395917709: Bridge monolith.toCloud sending CONNECT
1395917709: Connecting bridge fromCloud (10.0.0.7:1883)
1395917709: Bridge monolith.fromCloud sending CONNECT
1395917709: Received CONNACK on connection monolith.toCloud.
1395917709: Bridge monolith.toCloud sending UNSUBSCRIBE (Mid: 32, Topic: /remote/#)
1395917709: Received PUBACK from monolith.toCloud (Mid: 31)
1395917709: Received CONNACK on connection monolith.fromCloud.
1395917709: Bridge monolith.fromCloud sending SUBSCRIBE (Mid: 2, Topic: /remote/test/control, QoS: 0)
1395917709: Received UNSUBACK from monolith.toCloud
1395917709: Received PUBACK from monolith.fromCloud (Mid: 1)
1395917709: Received SUBACK from monolith.fromCloud
1395917713: |-- user bridge was authenticated in back-end 16 (<nil>)

Program received signal SIGSEGV, Segmentation fault.
0xb6fd65bc in mosquitto_auth_acl_check (userdata=0x38560, clientid=0x38ff8 "monolith.toCloud", username=0x351f0 "bridge", topic=0x36ed8 "/remote/test/control", access=2) at auth-plug.c:369
369     match = (*bep)->aclcheck((*bep)->conf, username, topic, access);
(gdb) 
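
The MySQL wrong-user report and the bridging crash above both involve the back-end index recorded at authentication being used later in the ACL check: the first names `userdata->authentication_be` being reset to -1 by another user's failed login, and the gdb log shows back-end 16 (`<nil>`) just before the fault at `(*bep)->aclcheck`. The following is an added, simplified model, not the plugin's source, of that shared-slot pattern next to a per-user lookup with a bounds check. Apart from the names `authentication_be` and `aclcheck`, everything here (the back-end table, `lookup_backend`, the replay functions) is hypothetical, and treating index 16 as the cause of the crash is an assumption.

```c
#include <stddef.h>
#include <string.h>

#define NBACKENDS 1          /* constructed: one configured back-end */
#define BE_NONE   (-1)       /* "no back-end authenticated this user" */
struct backend {
    const char *name;
    int (*aclcheck)(const char *username, const char *topic);
};
/* Constructed ACL: every known user may access topic "test". */
static int acl_test_only(const char *username, const char *topic) {
    (void)username;
    return strcmp(topic, "test") == 0;
}
static struct backend backends[NBACKENDS] = { { "mysql", acl_test_only } };
/* Constructed credential store: "sub" and "pub" exist, anything else fails. */
static int lookup_backend(const char *username) {
    return (!strcmp(username, "sub") || !strcmp(username, "pub")) ? 0 : BE_NONE;
}

/* Reject -1, 16, or any other index outside the configured table. */
int backend_index_valid(int be) {
    return be >= 0 && be < NBACKENDS && backends[be].aclcheck != NULL;
}

/* Flawed pattern: one broker-wide slot that every login attempt overwrites. */
struct userdata { int authentication_be; };
int unpwd_check_shared(struct userdata *ud, const char *username) {
    ud->authentication_be = lookup_backend(username);
    return ud->authentication_be != BE_NONE;
}
int acl_check_shared(struct userdata *ud, const char *username, const char *topic) {
    if (!backend_index_valid(ud->authentication_be)) return 0; /* guard only stops the crash */
    return backends[ud->authentication_be].aclcheck(username, topic);
}

/* Hardened pattern: resolve the back-end for this user at ACL time. */
int acl_check_per_user(const char *username, const char *topic) {
    int be = lookup_backend(username);
    return backend_index_valid(be) ? backends[be].aclcheck(username, topic) : 0;
}

/* Replay of the report: "sub" logs in, "xx" fails, then "sub" needs topic "test". */
int replay_shared(void) {
    struct userdata ud = { BE_NONE };
    unpwd_check_shared(&ud, "sub");
    unpwd_check_shared(&ud, "xx");
    return acl_check_shared(&ud, "sub", "test");
}
int replay_per_user(void) { return acl_check_per_user("sub", "test"); }
```

In the shared model the bounds check turns the invalid index into a denial rather than a crash, but the legitimate user is still locked out until state is kept per user.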
