MariaDB Server / MDEV-30384

Group mapping with pam_user_map does not work for ldap nested groups



    Description

      It is possible to map LDAP users to mysql users with the pam_user_map module. It is also possible to map LDAP group members to mysql users. See: MDEV-10871

      However, it is possible to nest groups in other groups. For example:

      User "foo" can be a member of the group "dba". Now you can map the group "dba" to the mysql-user "bar" like this in /etc/security/user_map.conf:

      @dba: bar
      

      This is OK and is working fine. The user "foo" will be mapped to the user "bar" because of his membership in the group "dba".

      auth_pam_tool: pam_user_map(mariadb:auth): Incoming username 'foo'.
      auth_pam_tool: pam_user_map(mariadb:auth): User belongs to 1 groups [dba].
      auth_pam_tool: pam_user_map(mariadb:auth): Check if user is in group 'dba': YES
      auth_pam_tool: pam_user_map(mariadb:auth): User mapped as 'bar'
      

      Now I have a group called "admins", and I want all "admins" members to have the same permissions as the users in the "dba" group. Instead of adding every member of the group "admins" to the group "dba", it is possible to add the group "admins" to the group "dba".

      Like:

      group "dba"
        |-- member "foo"
        `-- group "admins"
              `-- member "donald"
      

      For this it is necessary to set "nss_nested_groups yes" in nslcd.conf.

      I can see in the PAM debug log that the mapping is working, as it does for the "foo" user:

      auth_pam_tool: pam_user_map(mariadb:auth): Incoming username 'donald'.
      auth_pam_tool: pam_user_map(mariadb:auth): User belongs to 2 groups [admins,dba].
      auth_pam_tool: pam_user_map(mariadb:auth): Check if user is in group 'dba': YES
      auth_pam_tool: pam_user_map(mariadb:auth): User mapped as 'bar'
      phpMyAdmin[178422]: user denied: donald (mysql-denied) from 127.0.0.1
      
      

      So it looks like the user is correctly mapped by PAM but still can't log in to mysql.

      To give an example:

      PAM configuration:

      cat /etc/pam.d/mariadb 
       
      auth required pam_ldap.so try_first_pass
      auth required pam_user_map.so debug
      account required pam_permit.so
      

      User Mapping:

      cat /etc/security/user_map.conf 
      @dba: bar
      

      NSLCD Config:
      cat /etc/nslcd.conf (excerpt)

      # Nested Groups, yes please!
      nss_nested_groups yes
       
      # filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
      filter passwd (&(objectClass=user)(!(objectClass=computer)))
      map    passwd uid              sAMAccountName
      map    passwd homeDirectory    unixHomeDirectory
      map    passwd gecos            displayName
      map    passwd gidNumber        primaryGroupID
      filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
      map    shadow uid              sAMAccountName
      map    shadow shadowLastChange pwdLastSet
      filter group  (objectClass=group)
      

      I don't know enough about PAM or LDAP to be sure whether the issue is caused by MariaDB or by the mapping plugin.
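Added illustration (not part of the report, and not the code of pam_user_map or nslcd): the two steps the debug log above shows, first flattening nested group membership the way nss_nested_groups does, then applying the first matching /etc/security/user_map.conf entry. The group layout, the conf text, the parsing rules and the pass-through of unmapped users are assumptions modelled on this report.

```python
# Constructed group graph modelled on the report: "dba" contains the user
# foo and the group admins; "admins" contains the user donald.
GROUPS = {
    "dba": {"users": {"foo"}, "groups": {"admins"}},
    "admins": {"users": {"donald"}, "groups": set()},
}

# Constructed /etc/security/user_map.conf content from the report.
USER_MAP_CONF = """\
# map every member of the dba group to the mysql user bar
@dba: bar
"""


def groups_of(user, groups, nested=True):
    """Return the set of groups `user` belongs to.

    With nested=True, membership in a group also implies membership in every
    group that transitively contains it (what nss_nested_groups yes adds).
    The `seen` set stops the walk on cyclic group graphs."""
    direct = {g for g, m in groups.items() if user in m["users"]}
    if not nested:
        return direct
    seen, todo = set(), list(direct)
    while todo:
        g = todo.pop()
        if g in seen:
            continue
        seen.add(g)
        # every group that lists g as a member group is a parent of g
        todo.extend(p for p, m in groups.items() if g in m["groups"])
    return seen


def parse_user_map(text):
    """Parse 'orig: mapped' lines; a key starting with '@' names a group.
    Comments and blank lines are skipped; order is kept (first match wins)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, mapped = line.partition(":")
            entries.append((key.strip(), mapped.strip()))
    return entries


def map_user(user, user_groups, entries):
    """Return the mysql user the PAM user is mapped to; when no user or
    @group entry matches, the original name is returned (assumed behaviour)."""
    for key, mapped in entries:
        if key == user or (key.startswith("@") and key[1:] in user_groups):
            return mapped
    return user
```

Without nested resolution donald only belongs to "admins" and falls through unmapped, which is the membership nslcd would report with nss_nested_groups left at its default.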

People

Assignee: Unassigned
Reporter: Christian Rilke