[MXS-3964] Provide PAM authentication For Maxscale GUI Login Created: 2022-01-27  Updated: 2022-04-18  Resolved: 2022-01-31

Status: Closed
Project: MariaDB MaxScale
Component/s: N/A
Affects Version/s: None
Fix Version/s: N/A

Type: New Feature Priority: Major
Reporter: Naresh Chandra Assignee: Todd Stoffel (Inactive)
Resolution: Incomplete Votes: 0
Labels: None

Attachments: PNG File screenshot-1.png

Description

Provide PAM authentication (AD integration) for the MaxScale GUI login, so that it is easy to manage users in MaxScale.

Comments
Comment by markus makela [ 2022-01-27 ]

Would the PAM options that currently exist be able to solve this problem?

Comment by Naresh Chandra [ 2022-01-27 ]

Hi Markus,

We are expecting logins as in the screenshot below.

Comment by markus makela [ 2022-01-28 ]

The PAM authentication should work with the GUI users as well, they use the same REST API mechanism. Have you tried it out already or do you know of any problems with it?

Comment by Naresh Chandra [ 2022-01-28 ]

Hi Markus,

For the DB we have done it, but for GUI users it is not done yet. Can you please give us some steps so that I can try it for the GUI login as well?

Comment by markus makela [ 2022-01-28 ]

I think all you need to do is to put the PAM service you want to use in admin_pam_readwrite_service and then configure PAM authentication on the system like you'd normally do. Note that the current implementation only supports PAM modules that exchange a single password.

Comment by Naresh Chandra [ 2022-01-28 ]

Thank you Markus, let me check and update you once it's done.

Comment by Naresh Chandra [ 2022-01-28 ]

Hi Markus,

I tried what you suggested but no luck, I am unable to login to the Maxscale GUI.

[maxscale]
threads = 4
admin_host = test1234
admin_port = 8989
auth_read_timeout = 10000s
auth_connect_timeout = 10000s
admin_secure_gui = false
log_info=1
syslog=1
log_debug=1
admin_pam_readwrite_service = 1

I have added admin_pam_readwrite_service to the maxscale.cnf file and I have done the steps below.

1. yum install gcc pam-devel
2. wget https://raw.githubusercontent.com/MariaDB/server/10.4/plugin/auth_pam/mapper/pam_user_map.c
3. gcc pam_user_map.c -shared -lpam -fPIC -o pam_user_map.so
4. sudo install --mode=0755 pam_user_map.so /lib64/security/
5. cat /etc/pam.d/maxscale
   auth required pam_winbind.so
   auth required pam_user_map.so debug
   account required pam_permit.so
6. /etc/security/user_map.conf

Can you please help with this? Is there anything I have missed here?

Comment by markus makela [ 2022-01-28 ]

You'll need to use a PAM service from /etc/pam.d/ as the argument for admin_pam_readwrite_service. I'm assuming the 1 is not a valid PAM service name.

For example, here's what I put into /etc/pam.d/maxscale:

auth            required        pam_unix.so
account         required        pam_unix.so

It uses the local UNIX account as the authentication method. Then I added admin_pam_readwrite_service=maxscale under the [maxscale] section and created a UNIX user called maxscale-admin and set the password to good-password. After this I was able to log in to the GUI with the credentials. Since this was done using pam_unix, the user running MaxScale must be able to read /etc/shadow to be able to authenticate the user logging in (I ran MaxScale as root).

As for other PAM services and their configuration, this isn't really something that can be explained in Jira comments.

Comment by Naresh Chandra [ 2022-01-29 ]

Hi Markus,

I am getting the below errors.

warning: PAM authentication of user 'aduser' to service 'maxscale' failed: 'Authentication failure'.
warning: Authentication failed for 'aduser', using password. Request: GET /auth

Can we have steps for how to configure this with an AD user?

Comment by markus makela [ 2022-01-31 ]

Unfortunately that is not something I can help you with.

Comment by markus makela [ 2022-01-31 ]

I'll close this issue since the PAM authentication itself works with the GUI. If you'd like some improvements to be made to it to make AD work, please submit a feature request with those specific details included in it.

Comment by Naresh Chandra [ 2022-02-02 ]

Hi Markus,

The issue is resolved: I gave the wrong user group in the /etc/security/user_map.conf file; now it's working fine after changing it to the proper user group.
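Two things went wrong in this thread: admin_pam_readwrite_service was given a value ("1") that is not a service file under /etc/pam.d, and the group named in pam_user_map's /etc/security/user_map.conf did not match a real group. The following Python audit script is an added example, not MaxScale code and not something posted by either participant; it checks both conditions, and also flags admin_secure_gui=false because with PAM the GUI login carries the account's real password. It assumes the default paths /etc/maxscale.cnf, /etc/pam.d and /etc/security/user_map.conf, and pam_user_map's basic "source: target" / "@group: target" line format; the sample inputs are the broken section from the issue plus constructed corrected ones.

```python
"""Audit the MaxScale GUI/REST API PAM login settings discussed in this issue.

Added example: not MaxScale code and not from the thread participants.
Assumed paths: /etc/maxscale.cnf, /etc/pam.d, /etc/security/user_map.conf.
"""
import configparser
import grp
import os
import sys

# Copied from the issue: the [maxscale] section that could not log in.
BROKEN_CNF = """\
[maxscale]
threads = 4
admin_host = test1234
admin_port = 8989
admin_secure_gui = false
admin_pam_readwrite_service = 1
"""

# Constructed: the same section using the /etc/pam.d/maxscale service Markus described.
FIXED_CNF = """\
[maxscale]
threads = 4
admin_port = 8989
admin_pam_readwrite_service = maxscale
"""

# Constructed user_map.conf: one group mapping and one per-user mapping.
SAMPLE_USER_MAP = """\
# pam_user_map basic format: 'user: target' or '@group: target'
@db-admins: maxscale-admin
alice: maxscale-admin
"""

FALSE_VALUES = {"false", "0", "no", "off"}


def parse_maxscale_section(cnf_text):
    """Return the [maxscale] section of a maxscale.cnf as a plain dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(cnf_text)
    return dict(cp["maxscale"]) if cp.has_section("maxscale") else {}


def check_pam_service(cnf_text, pam_services):
    """Return (code, detail) findings; pam_services are the names present in /etc/pam.d."""
    findings = []
    section = parse_maxscale_section(cnf_text)
    service = section.get("admin_pam_readwrite_service")
    if service is None:
        # Without this key, GUI/REST logins use only MaxScale's own admin users.
        findings.append(("pam-not-enabled", "admin_pam_readwrite_service"))
    elif service not in pam_services:
        # The value must be a file name under /etc/pam.d; '1' in the issue was not.
        findings.append(("unknown-pam-service", service))
    if section.get("admin_secure_gui", "true").strip().lower() in FALSE_VALUES:
        # With PAM the GUI sends the account's real password; no TLS means clear text.
        findings.append(("plaintext-gui", "admin_secure_gui=false"))
    return findings


def parse_user_map(text):
    """Parse user_map.conf lines into (source, target); a leading '@' marks a group."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"user_map.conf line {lineno}: expected 'source: target'")
        src, dst = (part.strip() for part in line.split(":", 1))
        entries.append((src, dst))
    return entries


def check_user_map(text, existing_groups):
    """Flag group mappings whose group does not exist (the root cause in this issue)."""
    findings = []
    for src, dst in parse_user_map(text):
        if not dst:
            findings.append(("empty-target", src))
        if src.startswith("@") and src[1:] not in existing_groups:
            findings.append(("unknown-group", src[1:]))
    return findings


def audit_host(cnf_path="/etc/maxscale.cnf", pam_dir="/etc/pam.d",
               user_map_path="/etc/security/user_map.conf"):
    """Run both checks against the live host; unreadable files become findings."""
    findings = []
    pam_services = set(os.listdir(pam_dir)) if os.path.isdir(pam_dir) else set()
    groups = {g.gr_name for g in grp.getgrall()}
    for path, check, extra in ((cnf_path, check_pam_service, pam_services),
                               (user_map_path, check_user_map, groups)):
        try:
            with open(path) as fh:
                findings += check(fh.read(), extra)
        except OSError as exc:
            findings.append(("unreadable", f"{path}: {exc}"))
    return findings


if __name__ == "__main__":
    results = audit_host(*sys.argv[1:])
    for code, detail in results:
        print(f"{code}: {detail}")
    sys.exit(1 if results else 0)
```

Run it as root on the MaxScale host (it needs to read maxscale.cnf and user_map.conf); a non-zero exit with "unknown-pam-service" or "unknown-group" reproduces the two misconfigurations from this issue before anyone has to read the PAM failure warnings in the MaxScale log.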

Generated at Thu Feb 08 04:25:13 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.