Details
-
Bug
-
Status: Open (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.6.11
-
None
-
Debian 11
Description
It is possible to map LDAP users to mysql users with the pam_user_map module. It is also possible to map LDAP group members to mysql users. See: MDEV-10871
However. It is possible to nest groups in other groups. For example:
User "foo" can be a member of the group "dba". Now you can map the group "dba" to the mysql-user "bar" like this in /etc/security/user_map.conf:
@dba: bar |
This is OK and is working fine. The user "foo" will be mapped to the user "bar" because of his membership in the group "dba".
auth_pam_tool: pam_user_map(mariadb:auth): Incoming username 'foo'. |
auth_pam_tool: pam_user_map(mariadb:auth): User belongs to 1 groups [dba]. |
auth_pam_tool: pam_user_map(mariadb:auth): Check if user is in group 'dba': YES |
auth_pam_tool: pam_user_map(mariadb:auth): User mapped as 'bar' |
Now i have a group called "admins". And i want all "admins" members to have the same permissions like the users in the "dba" group. Instead of adding every member of the group "admins" to the group "dba" it is possible to add the group "admins" to the group "dba".
Like:
group "dba" |
\
|
member "foo", group "admins" |
\
|
member: "donald" |
For this it is neccaserry to set "nss_nested_groups yes" in the nscld.conf
I can see in the pam debug log that the mapping is working like for the "foo" user:
auth_pam_tool: pam_user_map(mariadb:auth): Incoming username 'donald'. |
auth_pam_tool: pam_user_map(mariadb:auth): User belongs to 2 groups [admins,dba]. |
auth_pam_tool: pam_user_map(mariadb:auth): Check if user is in group 'dba': YES |
auth_pam_tool: pam_user_map(mariadb:auth): User mapped as 'bar' |
phpMyAdmin[178422]: user denied: donald (mysql-denied) from 127.0.0.1 |
|
So i looks like the user is correctly mapped by PAM but still can't login to mysql.
To give an example:
PAM configuration:
cat /etc/pam.d/mariadb
|
|
|
auth required pam_ldap.so try_first_pass
|
auth required pam_user_map.so debug
|
account required pam_permit.so
|
User Mapping:
cat /etc/security/user_map.conf
|
@dba: bar |
NSLCD Config:
cat /etc/nslcd.conf (excerpt)
# Nested Groups, yes please!
|
nss_nested_groups yes
|
|
|
# filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
|
filter passwd (&(objectClass=user)(!(objectClass=computer)))
|
map passwd uid sAMAccountName
|
map passwd homeDirectory unixHomeDirectory
|
map passwd gecos displayName
|
map passwd gidNumber primaryGroupID
|
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
|
map shadow uid sAMAccountName
|
map shadow shadowLastChange pwdLastSet
|
filter group (objectClass=group)
|
I dont't know enough about PAM or LDAP to be sure the issue is caused by mariadb or by the mapping plugin.
Attachments
Issue Links
- relates to
-
MDEV-10871 Add logging capability to pam_user_map.c
-
- Closed
-