[MDEV-30384] Group mapping with pam_user_map does not work for ldap nested groups Created: 2023-01-11  Updated: 2023-02-03

Status: Open
Project: MariaDB Server
Component/s: Authentication and Privilege System, Plugin - pam
Affects Version/s: 10.6.11
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Christian Rilke Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: ldap, pam, pam_user_map
Environment:

Debian 11


Issue Links:
Relates
relates to MDEV-10871 Add logging capability to pam_user_map.c Closed

 Description   

It is possible to map LDAP users to mysql users with the pam_user_map module. It is also possible to map LDAP group members to mysql users. See: MDEV-10871

However, it is possible to nest groups in other groups. For example:

User "foo" can be a member of the group "dba". Now you can map the group "dba" to the mysql-user "bar" like this in /etc/security/user_map.conf:

@dba: bar

This is OK and is working fine. The user "foo" will be mapped to the user "bar" because of his membership in the group "dba".

auth_pam_tool: pam_user_map(mariadb:auth): Incoming username 'foo'.
auth_pam_tool: pam_user_map(mariadb:auth): User belongs to 1 groups [dba].
auth_pam_tool: pam_user_map(mariadb:auth): Check if user is in group 'dba': YES
auth_pam_tool: pam_user_map(mariadb:auth): User mapped as 'bar'

Now I have a group called "admins", and I want all "admins" members to have the same permissions as the users in the "dba" group. Instead of adding every member of the group "admins" to the group "dba" it is possible to add the group "admins" to the group "dba".

Like:

group "dba"
  |- member "foo"
  |- group "admins"
       |- member "donald"

For this it is necessary to set "nss_nested_groups yes" in nslcd.conf.

I can see in the pam debug log that the mapping is working like for the "foo" user:

auth_pam_tool: pam_user_map(mariadb:auth): Incoming username 'donald'.
auth_pam_tool: pam_user_map(mariadb:auth): User belongs to 2 groups [admins,dba].
auth_pam_tool: pam_user_map(mariadb:auth): Check if user is in group 'dba': YES
auth_pam_tool: pam_user_map(mariadb:auth): User mapped as 'bar'
phpMyAdmin[178422]: user denied: donald (mysql-denied) from 127.0.0.1

So it looks like the user is correctly mapped by PAM but still can't log in to mysql.

To give an example:

PAM configuration:

cat /etc/pam.d/mariadb 
 
auth required pam_ldap.so try_first_pass
auth required pam_user_map.so debug
account required pam_permit.so

User Mapping:

cat /etc/security/user_map.conf 
@dba: bar

NSLCD Config:
cat /etc/nslcd.conf (excerpt)

# Nested Groups, yes please!
nss_nested_groups yes
 
# filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
filter passwd (&(objectClass=user)(!(objectClass=computer)))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
map    passwd gidNumber        primaryGroupID
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group  (objectClass=group)

I don't know enough about PAM or LDAP to be sure whether the issue is caused by mariadb or by the mapping plugin.
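To make the mapping step in the report reproducible without a directory, the following is an added model of how a user_map.conf lookup behaves with and without nested groups. It is example code written for this page, not MariaDB's or pam_user_map's own code. It assumes the "@group: mysql_user" line format shown above (plus plain "user: mysql_user" lines), and it uses constructed group data in which an "@name" member stands for a nested group, which is only a notation for this example. It stops exactly where the PAM log above stops, at the "User mapped as 'bar'" decision; what the server does with the mapped name afterwards is not modelled.

```python
"""Constructed model of pam_user_map-style group mapping with nested groups.

Added example for this page; not the MariaDB / pam_user_map implementation.
"""
from collections import deque

# Constructed user_map.conf: "@group: mysql_user" as on the page, plus a
# plain "user: mysql_user" rule (assumed to be supported by the real plugin).
USER_MAP_CONF = """
# comment lines are ignored
@dba: bar
alice: alice_sql
"""

# Constructed directory data: direct membership per group, as nslcd would
# expose it.  A member written "@name" is a nested group (example notation).
GROUP_MEMBERS = {
    "dba": ["foo", "@admins"],
    "admins": ["donald"],
}


def parse_user_map(text):
    """Return a list of (kind, name, mysql_user); kind is 'user' or 'group'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, target = line.partition(":")
        if not sep or not target.strip():
            raise ValueError(f"malformed user_map line: {raw!r}")
        key, target = key.strip(), target.strip()
        if key.startswith("@"):
            rules.append(("group", key[1:], target))
        else:
            rules.append(("user", key, target))
    return rules


def user_groups(user, nested=True):
    """Groups the user belongs to.

    nested=True mimics 'nss_nested_groups yes': a member of 'admins' is also
    reported as a member of every group that contains '@admins'.
    """
    direct = {g for g, members in GROUP_MEMBERS.items() if user in members}
    if not nested:
        return direct
    result = set(direct)
    queue = deque(direct)
    while queue:
        child = queue.popleft()
        for parent, members in GROUP_MEMBERS.items():
            if "@" + child in members and parent not in result:
                result.add(parent)
                queue.append(parent)
    return result


def map_user(user, rules, nested=True):
    """First matching rule wins; None means no mapping rule applied."""
    groups = user_groups(user, nested)
    for kind, name, target in rules:
        if kind == "user" and name == user:
            return target
        if kind == "group" and name in groups:
            return target
    return None


if __name__ == "__main__":
    rules = parse_user_map(USER_MAP_CONF)
    for login in ("foo", "donald", "alice", "nobody"):
        groups = sorted(user_groups(login))
        print(f"Incoming username '{login}'. "
              f"User belongs to {len(groups)} groups [{','.join(groups)}]. "
              f"Mapped as {map_user(login, rules)!r}")
```

With nesting enabled the constructed data reproduces the second log excerpt: "donald" is reported in both "admins" and "dba" and is mapped to "bar"; with nesting disabled the same login sees only "admins" and no rule matches. That is a quick way to check whether a mapping problem lies in the PAM side (the rule never matches) or after it (the rule matches, as in the report, and the login still fails).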


Generated at Thu Feb 08 10:15:50 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.