[MXS-4688] Xpand unable to authenticate native users with maxscale passthrough Created: 2023-07-31  Updated: 2023-09-13  Resolved: 2023-09-04

Status: Closed
Project: MariaDB MaxScale
Component/s: Authenticator
Affects Version/s: None
Fix Version/s: 23.08.0

Type: Bug
Priority: Major
Reporter: Daman Saini (Inactive)
Assignee: Esa Korhonen
Resolution: Fixed
Votes: 0
Labels: None
Environment:

Xpand Build : transylvania-18710 (beta 1)
MaxScale :
https://mdbe-ci-repo.mariadb.net/public/Maxscale/MXS-4506_2807b/centos/7/x86_64/maxscale-99.99.99-1.rhel.7.x86_64.rpm



 Description   

With the authentication plugin set to clearpw_passthrough, LDAP users passed
through by MaxScale are getting authenticated by Xpand. But native Xpand users
are not able to authenticate.

MaxScale listener config:
==================
authenticator=pamauth
authenticator_options=pam_backend_mapping=clearpw_passthrough

client connection via maxscale
======================
[root@mcrae ~]# mysql --ssl -h mcrae -P 3307 -u xpanduser1 -ppassword
ERROR 1045 (HY000): [40960] Access denied: for user 'xpanduser1'@'10.2.12.190'
(using password: NO)

maxscale log:
==========
2023-07-31 11:00:37 info : (3) [MariaDBProtocol] Client from '10.2.12.190' is in progress of connecting to service 'Read-Only-Service' with SSL.
2023-07-31 11:00:37 info : (3) [MariaDBProtocol] Connection attributes: no attributes
2023-07-31 11:00:37 info : (3) [readconnroute] (Read-Only-Service); New session for server xpand1. Connections : 1
2023-07-31 11:00:37 info : (3) Started Read-Only-Service client session [3] for 'xpanduser1' from 10.2.12.190
2023-07-31 11:00:37 info : (3) Connected to 'xpand1' with thread id 318466
2023-07-31 11:00:37 error : (3) Authentication to 'xpand1' failed: 1045, #HY000: [40960] Access denied: for user 'xpanduser1'@'10.2.12.190' (using password: NO)
2023-07-31 11:00:37 error : (3) (Read-Only-Service); Authentication to 'xpand1' failed: 1045, #HY000: [40960] Access denied: for user 'xpanduser1'@'10.2.12.190' (using password: NO) (xpand1)
2023-07-31 11:00:37 info : (3) Stopped Read-Only-Service client session [3]
2023-07-31 11:00:37 info : Read 7 user@host entries from 'xpand1' for service 'Read-Only-Service'. The data was identical to existing user data.

Xpand log:
=======
2023-07-31 11:00:37.900626 UTC nid 2 oak012white.colo.sproutsys.com clxnode: INFO mysql/server/mysql_proto.c:180 auth_error(): Error authenticating Xpand user 'xpanduser1'@'10.2.12.190': Access denied: for user 'xpanduser1'@'10.2.12.190' (using password: NO)

With the above authentication settings we should allow both LDAP and
native Xpand users.



 Comments   
Comment by Daman Saini (Inactive) [ 2023-08-08 ]

New build was provided by esa.korhonen

A new test build is available: https://mdbe-ci-repo.mariadb.net/public/Maxscale/MXS-4506_0208/
The new build uses standard authentication; you need to remove
authenticator=pam from the listener.
And have the following setting:
authenticator_options=passthrough=true

Per QA (susil.behera), the fix is working now.
With the above build and settings, both LDAP and Xpand users can now successfully pass through MaxScale to Xpand.
Xpand build used was "Xpand-transylvania-18728"

Comment by Esa Korhonen [ 2023-09-04 ]

Fixed as part of MXS-4506

Comment by Daman Saini (Inactive) [ 2023-09-13 ]

In the final build of 23.08.0, the listener parameter for LDAP passthrough is changed to

authenticator_options=clear_pw_passthrough=true
