[CONJ-725] Connection Failure for PAM user on 10.4 Created: 2019-08-15 Updated: 2019-09-13 Resolved: 2019-08-27 |
|
| Status: | Closed |
| Project: | MariaDB Connector/J |
| Component/s: | authentication |
| Affects Version/s: | None |
| Fix Version/s: | 2.4.4 |
| Type: | Bug | Priority: | Major |
| Reporter: | Nicholas Denning | Assignee: | Diego Dupin |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Environment: | Centos 7 |
| Description |
|
I was trialling 10.4 for our application, which is a cloud-based application running on AWS, though our development environment is run under VMware Workstation 15. In production we have an OpenLDAP server, a database server, a Tomcat server and an HTTP server, all running on Linux, though in development the HTTP and Tomcat servers are on Windows within the Eclipse environment. Tomcat is running 7.0.90. We have PAM configured on the database machine. In production we have 10.2.28. I have been experimenting with upgrading to 10.3 and then to 10.4. Unfortunately, when I upgrade to 10.4 I get a connection error when connecting with a user defined as PAM as a pooled connection. A straight mysql -u user -p on the database server works fine. Are there any known problems with PAM on 10.4? Or indeed any additional configurations required? Or issues with authentication around connection pooling from Tomcat 7.0? |
| Comments |
| Comment by Sergei Golubchik [ 2019-08-16 ] |
|
These pooled connections — what connector do they use? |
| Comment by Nicholas Denning [ 2019-08-17 ] |
|
Sorry, I should have mentioned this. I recently downloaded 2.4.2 and did all the obvious things like re-updating all the project build path libraries, re-generating all the projects and remembering to update the copy in the tomcat/lib directory. The resource definition is as below.
<Resource name="jdbc/ipswichdb" auth="Container" testWhileIdle="true" logExpiredConnections="true" jdbcInterceptors="org.apache.tomcat.jdbc.pool.interceptor.ConnectionState; username="ipswichdba" password="<password>"
Note: the datasourcefactory is just an extended class to encrypt / decrypt passwords so we don't have any passwords in clear in our files. |
| Comment by Sergei Golubchik [ 2019-08-18 ] |
|
Diego Dupin, could you please verify/confirm that C/J still works with PAM authentication in 10.4? If yes, please reassign back to me; if not, move this to CONJ. |
| Comment by Nicholas Denning [ 2019-08-18 ] |
|
Note: the connector 2.4.2 works with PAM in 10.3. |
| Comment by Sergei Golubchik [ 2019-08-18 ] |
|
Yes, there were changes in 10.4. They are within the protocol specifications, but change undocumented internal implementation details. For example, it broke MaxScale, which had its own connector and was somehow relying on these undocumented internal PAM implementation details. |
| Comment by Diego Dupin [ 2019-08-27 ] |
|
Reproduced. This comes from the fact that the 10.4 PAM plugin now doesn't send any authentication plugin data in the switch authentication packet.
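
Added example, not Connector/J's own code and not part of the original ticket: a parser for the authentication switch request payload that accepts a packet with no plugin data, the case described in the comment above. The layout (0xFE, NUL-terminated plugin name, plugin data up to the end of the packet) is the one in the MariaDB client/server protocol documentation; the class and method names and the sample bytes are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class AuthSwitchRequestDemo {
    /** Parsed packet: plugin name plus plugin data (empty, never null, when none was sent). */
    static final class AuthSwitchRequest {
        final String pluginName;
        final byte[] pluginData;
        AuthSwitchRequest(String pluginName, byte[] pluginData) {
            this.pluginName = pluginName;
            this.pluginData = pluginData;
        }
    }

    /** Parses a payload with the 4-byte packet header already stripped. */
    static AuthSwitchRequest parse(byte[] payload) {
        if (payload.length < 2 || (payload[0] & 0xFF) != 0xFE) {
            throw new IllegalArgumentException("not an authentication switch request");
        }
        int nul = 1;
        while (nul < payload.length && payload[nul] != 0) nul++;
        if (nul == payload.length) {
            throw new IllegalArgumentException("plugin name is not NUL-terminated");
        }
        String name = new String(payload, 1, nul - 1, StandardCharsets.US_ASCII);
        // Data runs to end of packet; copyOfRange yields an empty array when none was sent.
        byte[] data = Arrays.copyOfRange(payload, nul + 1, payload.length);
        return new AuthSwitchRequest(name, data);
    }

    /** Builds a constructed payload for the demo: 0xFE, name, NUL, data. */
    static byte[] build(String name, byte[] data) {
        byte[] n = name.getBytes(StandardCharsets.US_ASCII);
        byte[] out = new byte[1 + n.length + 1 + data.length];
        out[0] = (byte) 0xFE;
        System.arraycopy(n, 0, out, 1, n.length);
        System.arraycopy(data, 0, out, 2 + n.length, data.length);
        return out;
    }

    public static void main(String[] args) {
        // Constructed samples, not captured traffic: one packet with data, one without.
        byte[] prompt = "Password: ".getBytes(StandardCharsets.US_ASCII);
        for (byte[] p : new byte[][] {build("dialog", prompt), build("dialog", new byte[0])}) {
            AuthSwitchRequest r = parse(p);
            System.out.println(r.pluginName + ": " + r.pluginData.length + " data byte(s)");
        }
    }
}
```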