[MDEV-30384] Group mapping with pam_user_map does not work for ldap nested groups - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.6.11
Fix Version/s: None
Component/s: Authentication and Privilege System, Plugin - pam
Labels:
- ldap
- pam
- pam_user_map
Environment:
Debian 11

Description

It is possible to map LDAP users to mysql users with the pam_user_map module. It is also possible to map LDAP group members to mysql users. See: ~~MDEV-10871~~

However. It is possible to nest groups in other groups. For example:

User "foo" can be a member of the group "dba". Now you can map the group "dba" to the mysql-user "bar" like this in /etc/security/user_map.conf:

@dba: bar

This is OK and is working fine. The user "foo" will be mapped to the user "bar" because of his membership in the group "dba".

auth_pam_tool: pam_user_map(mariadb:auth): Incoming username 'foo'.

auth_pam_tool: pam_user_map(mariadb:auth): User belongs to 1 groups [dba].

auth_pam_tool: pam_user_map(mariadb:auth): Check if user is in group 'dba': YES

auth_pam_tool: pam_user_map(mariadb:auth): User mapped as 'bar'

Now i have a group called "admins". And i want all "admins" members to have the same permissions like the users in the "dba" group. Instead of adding every member of the group "admins" to the group "dba" it is possible to add the group "admins" to the group "dba".

Like:

group "dba"

                  member "foo", group "admins"

                                                                       member: "donald"

For this it is neccaserry to set "nss_nested_groups yes" in the nscld.conf

I can see in the pam debug log that the mapping is working like for the "foo" user:

auth_pam_tool: pam_user_map(mariadb:auth): Incoming username 'donald'.

auth_pam_tool: pam_user_map(mariadb:auth): User belongs to 2 groups [admins,dba].

auth_pam_tool: pam_user_map(mariadb:auth): Check if user is in group 'dba': YES

auth_pam_tool: pam_user_map(mariadb:auth): User mapped as 'bar'

phpMyAdmin[178422]: user denied: donald (mysql-denied) from 127.0.0.1

So i looks like the user is correctly mapped by PAM but still can't login to mysql.

To give an example:

PAM configuration:

cat /etc/pam.d/mariadb

auth required pam_ldap.so try_first_pass

auth required pam_user_map.so debug

account required pam_permit.so

User Mapping:

cat /etc/security/user_map.conf

@dba: bar

NSLCD Config:
cat /etc/nslcd.conf (excerpt)

# Nested Groups, yes please!

nss_nested_groups yes

# filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))

filter passwd (&(objectClass=user)(!(objectClass=computer)))

map    passwd uid              sAMAccountName

map    passwd homeDirectory    unixHomeDirectory

map    passwd gecos            displayName

map    passwd gidNumber        primaryGroupID

filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))

map    shadow uid              sAMAccountName

map    shadow shadowLastChange pwdLastSet

filter group  (objectClass=group)

I dont't know enough about PAM or LDAP to be sure the issue is caused by mariadb or by the mapping plugin.

Attachments

Issue Links

relates to

MDEV-10871 Add logging capability to pam_user_map.c

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Christian Rilke

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2023-01-11 17:56

Updated:: 2023-02-03 13:43

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.