Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Not a Bug
Affects Version: 10.1.28
Environment: RedHat 7
Description
We have working MariaDB AD authentication on RH 6 using pam_ldap, where AD accounts are mapped to MariaDB proxy users as per /etc/security/user_map.conf.
Since we are now migrating to RH 7, pam_ldap seems to be no longer supported and is replaced by nss-pam-ldapd, so we tried to use pam_sssd and nslcd for the purpose with RedHat support assistance, without luck.
The issue seems to be that pam_sssd tries to authenticate the proxied user to AD, which apparently fails. The same happens when using nslcd.
Does the pam_user_map module work with RedHat 7, or does the module need to be updated?
RH 7, non-working config:
/etc/sssd/sssd.conf:
[sssd]
config_file_version = 2
domains = default
services = nss, pam, autofs

[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://aluww01.emea.convergys.com/
ldap_id_use_start_tls = False
ldap_tls_cacert = /etc/ssl/certs/convergys_root_ca.pem
ldap_referrals = False
ldap_default_bind_dn = svc_icdial@emea.convergys.com
ldap_default_authtok_type = password
ldap_default_authtok = XXXXXXXX
ldap_search_base = dc=emea,dc=convergys,dc=com
ldap_schema = ad
ldap_id_mapping = True
debug_level = 0
ldap_tls_cacertdir = /etc/openldap/cacerts
autofs_provider = ldap
krb5_realm = CONVERGYS.COM
cache_credentials = True

[nss]

[pam]

[autofs]
/etc/security/user_map.conf:
itau6125: dbuser_dba
/etc/pam.d/mysql:
auth required pam_sss.so
account required pam_sss.so
auth required pam_user_map.so
/var/log/secure:
Oct 24 09:24:48 localhost mysqld: pam_sss(mysql:auth): authentication success; logname= uid=27 euid=27 tty= ruser= rhost= user=itau6125
Oct 24 09:24:48 localhost mysqld: pam_sss(mysql:account): Access denied for user dbuser_dba: 10 (User not known to the underlying authentication module)
Working config on all our 20+ RH 6 MariaDB servers, using pam_ldap, openldap, openldap-clients and pam-devel:
/etc/pam.d/mysql:
auth required pam_ldap.so
account required pam_ldap.so
auth required pam_user_map.so
/etc/openldap/ldap.conf:
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/ssl/certs/convergys_root_ca.pem
/etc/pam_ldap.conf:
tls_cacertfile /etc/ssl/certs/cert.pem
debug 1
base dc=convergys,dc=com
binddn XXXXXXXX
bindpw XXXXXXXX
uri ldaps://XXX.XX.convergys.com:3269
ssl yes
referrals no
pam_member_attribute member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
Build and install steps:
yum install pam_ldap openldap openldap-clients pam-devel
mkdir -p /usr/src/mariadb-map-plugin
cd /usr/src/mariadb-map-plugin
wget https://raw.githubusercontent.com/MariaDB/server/10.1/plugin/auth_pam/mapper/pam_user_map.c
gcc pam_user_map.c -shared -lpam -fPIC -o pam_user_map.so
install --mode=0755 pam_user_map.so /lib64/security/
In the MariaDB command-line client:
INSTALL SONAME 'auth_pam';
CREATE USER 'dbuser_dba'@'%' IDENTIFIED BY 'XXX';
CREATE USER 'dbuser_dm'@'%' IDENTIFIED BY 'XXX';
DROP USER ''@'%';
DROP USER ''@localhost;
FLUSH PRIVILEGES;

CREATE USER ''@'%' IDENTIFIED WITH pam AS 'mysql';
FLUSH PRIVILEGES;

GRANT ALL ON *.* TO 'dbuser_dba'@'%' WITH GRANT OPTION;
GRANT SELECT ON asterisk.* TO 'dbuser_dm'@'%';
GRANT REPLICATION CLIENT ON *.* TO 'dbuser_dm'@'%';
FLUSH PRIVILEGES;

GRANT PROXY ON 'dbuser_dba'@'%' TO ''@'';
GRANT PROXY ON 'dbuser_dm'@'%' TO ''@'';
FLUSH PRIVILEGES;
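The following is an added illustration, not part of the issue report and not MariaDB's code: a small Python simulation of how pam_user_map rewrites the PAM user name and why the `account required pam_sss.so` line in the RH 7 stack is then evaluated for the mapped name `dbuser_dba` rather than for the AD account that authenticated. The mapping-file grammar (`user: proxy` and `@group: proxy` lines, `#` comments, first matching line wins) follows my reading of pam_user_map.c and is an assumption; the directory contents are constructed and stand in for what sssd can resolve.

```python
"""Simulate pam_user_map mapping and the auth-then-account order of a PAM stack.

Added example: not MariaDB's code. The grammar and first-match rule are
assumptions based on a reading of pam_user_map.c; the directory is a stub.
"""
from __future__ import annotations

# Constructed /etc/security/user_map.conf, extended with '@group' lines.
USER_MAP_CONF = """\
# constructed mapping file
itau6125: dbuser_dba
@dba_team: dbuser_dba
@readonly: dbuser_dm
"""

# Constructed stand-in for the accounts sssd/AD can authenticate, with their groups.
DIRECTORY = {
    "itau6125": {"dba_team"},
    "jdoe": {"readonly"},
    "bob": set(),
}


def parse_user_map(text: str) -> list[tuple[str, str]]:
    """Return (key, mapped_user) pairs in file order; a key starting with '@' names a group."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        key, sep, mapped = line.partition(":")
        if not sep or not mapped.strip():
            raise ValueError(f"malformed mapping line: {raw!r}")
        rules.append((key.strip(), mapped.strip()))
    return rules


def map_user(user: str, groups: set[str], rules: list[tuple[str, str]]) -> str:
    """First matching rule wins: an exact user name, or an '@group' the user belongs to."""
    for key, mapped in rules:
        if key.startswith("@"):
            if key[1:] in groups:
                return mapped
        elif key == user:
            return mapped
    return user  # no rule matched: PAM_USER is left unchanged


def simulate_pam_stack(user: str, rules, directory, resolvable: set[str]) -> dict:
    """Model the RH 7 stack from the report:

    auth    pam_sss      -> checks the ORIGINAL user against the directory
    auth    pam_user_map -> rewrites PAM_USER to the mapped name
    account pam_sss      -> is now asked about the MAPPED name

    `resolvable` is the set of names the account-phase module can resolve.
    """
    result = {"auth_user": user, "auth": user in directory}
    if not result["auth"]:
        result.update(account_user=None, account=False, reason="auth failed")
        return result
    mapped = map_user(user, directory[user], rules)
    result["account_user"] = mapped
    result["account"] = mapped in resolvable
    result["reason"] = (
        "ok" if result["account"]
        else f"Access denied for user {mapped}: 10 (User not known to the underlying authentication module)"
    )
    return result


if __name__ == "__main__":
    rules = parse_user_map(USER_MAP_CONF)
    # Only directory names resolvable: reproduces the denial seen in /var/log/secure.
    print(simulate_pam_stack("itau6125", rules, DIRECTORY, set(DIRECTORY)))
    # Mapped name also resolvable (e.g. a system account dbuser_dba exists): access granted.
    print(simulate_pam_stack("itau6125", rules, DIRECTORY, set(DIRECTORY) | {"dbuser_dba"}))
```

Run stand-alone, the first call reproduces the shape of the denial in the reporter's log (auth succeeds for itau6125, account fails for dbuser_dba), and the second shows that the account phase passes once the mapped name is something the account module can resolve, which is what the linked MDEV-17315 resolution says is required.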
Issue Links
duplicates: MDEV-17315 When using group mapping from pam_user_map module, a system user account with the mapped name needs to exist (Closed)