Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-14124

pam_user_map plugin doesn't work on RH7

    XMLWordPrintable

    Details

      Description

      We have working MariaDB AD authentication on RH 6 using pam_ldap, where AD accounts are mapped to MariaDB proxy users as per /etc/security/user_map.conf.

      Since we are now migrating to RH 7, pam_ldap seems to be no longer supported and is replaced by nss-pam-ldapd, so we tried to use pam_sssd and nlscd for the purpose with RedHat support assistance without luck.

      The issue seems that pam_sssd tries to authenticate the proxied user to AD which apparently fails. Same happens when using nslcd.

      Does pam_user_map module work with RedHat 7, or does the module need to be updated?

      RH7, not working config:

      /etc/sssd/sssd.conf

      [sssd]
      config_file_version = 2
      domains = default
      services = nss, pam, autofs
       
      [domain/default]
      id_provider = ldap
      auth_provider = ldap
      chpass_provider = ldap
      ldap_uri = ldap://aluww01.emea.convergys.com/
      ldap_id_use_start_tls = False
      ldap_tls_cacert = /etc/ssl/certs/convergys_root_ca.pem
      ldap_referrals = False
      ldap_default_bind_dn = svc_icdial@emea.convergys.com
      ldap_default_authtok_type = password
      ldap_default_authtok = XXXXXXXX
      ldap_search_base = dc=emea,dc=convergys,dc=com
      ldap_schema = ad
      ldap_id_mapping = True
      debug_level = 0
       
      ldap_tls_cacertdir = /etc/openldap/cacerts
      autofs_provider = ldap
      krb5_realm = CONVERGYS.COM
      cache_credentials = True
      [nss]
      [pam]
      [autofs]
      

      /etc/security/user_map.conf :

      itau6125: dbuser_dba
      

      /etc/pam.d/mysql:

      auth required pam_sss.so
      account required pam_sss.so
      auth required pam_user_map.so
      

      /var/log/secure:

      Oct 24 09:24:48 localhost mysqld: pam_sss(mysql:auth): authentication success; logname= uid=27 euid=27 tty= ruser= rhost= user=itau6125
      Oct 24 09:24:48 localhost mysqld: pam_sss(mysql:account): Access denied for user dbuser_dba: 10 (User not known to the underlying authentication module)
      

      Working config on all our 20+ RH 6 MariaDB servers using pam_ldap openldap openldap-clients pam-devel:

      /etc/pam.d/mysql :

      auth required pam_ldap.so
      account required pam_ldap.so
      auth required pam_user_map.so
      

      /etc/openldap/ldap.conf

      TLS_CACERTDIR /etc/openldap/cacerts
      TLS_CACERT /etc/ssl/certs/convergys_root_ca.pem
      

      /etc/pam_ldap.conf :

      tls_cacertfile /etc/ssl/certs/cert.pem
      debug 1
      base dc=convergys,dc=com
      binddn XXXXXXXX
      bindpw XXXXXXXX
      uri ldaps://XXX.XX.convergys.com:3269
      ssl yes
      referrals no
      pam_member_attribute member
      pam_login_attribute sAMAccountName
      pam_filter objectclass=User
      pam_password ad
      

      yum install pam_ldap openldap openldap-clients pam-devel
      mkdir -p /usr/src/mariadb-map-plugin
      cd /usr/src/mariadb-map-plugin
      wget https://raw.githubusercontent.com/MariaDB/server/10.1/plugin/auth_pam/mapper/pam_user_map.c
      gcc pam_user_map.c -shared -lpam -fPIC -o pam_user_map.so
      install --mode=0755 pam_user_map.so /lib64/security/
      

      In mysql/MariaDB cli:

      INSTALL SONAME 'auth_pam';
      create user 'dbuser_dba'@'%' identified by 'XXX';
      create user 'dbuser_dm'@'%' identified by 'XXX';
      drop user ''@'%';
      drop user ''@localhost;
      FLUSH PRIVILEGES;
      CREATE USER ''@'%' IDENTIFIED with pam as 'mysql';
      FLUSH PRIVILEGES;
       
      GRANT ALL ON *.* TO 'dbuser_dba'@'%' WITH GRANT OPTION;
      GRANT SELECT ON asterisk.* TO 'dbuser_dm'@'%';
      GRANT REPLICATION CLIENT  ON *.* TO 'dbuser_dm'@'%';
      FLUSH PRIVILEGES;
      GRANT PROXY ON 'dbuser_dba'@'%' to ''@'';
      GRANT PROXY ON 'dbuser_dm'@'%' to ''@'';
      FLUSH PRIVILEGES;
      

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              itaushanov Iliya Taushanov
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Git Integration