This is getting more and more common, so I wanted to provide the steps required to get LDAP authentication working with MariaDB PAM plugin.
Unless you’re already familiar with setting up the MariaDB PAM plugin, I’d first recommend getting this to work with a standard Linux user (steps 1-4), then once all is working fine, progress to the LDAP users (steps 5-10). (And if you do not want to test this for the Linux user account, then you may skip steps #2 and #3.)
1. Enable the plugin by running the following from the command-line client:
INSTALL SONAME 'auth_pam';
You should see an entry like this afterward in SHOW PLUGINS:
| pam | ACTIVE | AUTHENTICATION | auth_pam.so | GPL |
2. Create the MariaDB user account (note it does not have a password, as it will obtain this from your Linux user, and eventually the LDAP account) and provide it with the GRANTS you want it to have:
CREATE USER 'chris'@'localhost' IDENTIFIED VIA pam USING 'mariadb';
GRANT ALL ON db1.* TO 'chris'@'localhost';
Note “mariadb” is the PAM service name I’ve specified. It is good to specify this so you don’t overwrite the existing default policy (in case it is being used).
3. Create the PAM policy in “/etc/pam.d/mariadb” (ensure it is readable, and ensure the file name, “mariadb”, matches the PAM service name you specified for your user in the above step):
auth required pam_unix.so
account required pam_unix.so
(Restart MariaDB instance afterward.)
Then, you should be able to connect via the command line with (assuming you have a Linux user ‘chris’):
mysql -u chris -p
This should allow you to login. Now you can move on to integrating LDAP.
4. Verify the LDAP user exists with:
shell> id chris
It should return uid, gid, groups, etc.
5. If using the MySQL client, you’ll need to enable the clear text plugin. This is a client-side option, so it belongs in the client option group of the option file (not under [mysqld], which the server would reject as an unknown option):
[client]
pam_use_cleartext_plugin
If you need to do this, it is recommended you begin using SSL connections, if not already.
Also, you’ll need to reboot after this change, but wait until after step #6.
6. We need to edit the PAM policy in “/etc/pam.d/mariadb” to:
auth required pam_ldap.so
account required pam_ldap.so
(We’re basically just replacing “pam_unix.so” with “pam_ldap.so”.)
Now, restart MariaDB.
7. Next, you need to ensure that you have libpam-ldap/openldap installed (so you have “pam_ldap.so”; that is the key).
You can install this on RedHat/CentOS with the following:
# yum install openldap openldap-clients
8. After that, you’ll need to configure /etc/ldap.conf. Here is a sample configuration:
# set debug level only during the initial configuration
debug 10
base dc=corp,dc=company_name,dc=com
binddn cn=service_account,OU=Service Accounts,OU=US Security,DC=corp,DC=company_name,DC=com
bindpw <password>
timelimit 120
idle_timelimit 3600
uri ldaps://<LDAP URL>:<LDAP PORT>
And if using Active Directory, you should also add these lines:
pam_login_attribute sAMAccountName
pam_member_attribute member
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_filter objectclass=User
pam_password ad
Note I obtained the sample ldap.conf from this Alexander Rubin post.
9. After that, make sure you can reach the LDAP server and that you can search it with ldapsearch, which you can verify with:
shell> telnet <ldap server> <ldap port>
(this should report "Connected")
shell> ldapsearch -x -H ldaps://<LDAP URL>:<LDAP PORT> -D 'cn=USER,OU=People...' -w <password for bind user> -b 'dc=corp,dc=company_name,dc=com' "(&(objectClass=user)(cn=USERNAME))"
10. After this, things should be all set up: the plugin is installed properly, the user has been created in MariaDB, we’ve installed pam_ldap.so, we’ve updated /etc/pam.d/mariadb to use pam_ldap.so instead of pam_unix.so, and we’ve created the appropriate ldap.conf. Thus you should be able to login with the following (this time assuming “chris” is an LDAP user account):
mysql -u chris -p
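Before trying that final login, it helps to confirm that the pieces from steps 1 through 8 actually line up. The script below is an added example (not part of the original post, and not a MariaDB tool): it checks that the PAM policy for the “mariadb” service uses pam_ldap.so, that ldap.conf uses ldaps:// and is not world-readable when it carries a bindpw, that a client option file enabling pam_use_cleartext_plugin also carries an ssl option, and that a SHOW PLUGINS row reports pam as ACTIVE. The paths are passed as arguments, and the --demo mode writes constructed fixture files to a temporary directory so the checks can be exercised without touching /etc.

```shell
#!/bin/sh
# Sanity checks for a MariaDB PAM + LDAP setup (added example, not MariaDB's own tooling).
# Usage: check_pam_ldap_setup /etc/pam.d/mariadb /etc/ldap.conf ~/.my.cnf
#        ./check_pam_ldap.sh --demo   (runs against constructed fixture files)

# Return 0 when the file's "others" permission bits include read.
world_readable() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
    case "$mode" in *[4567]) return 0 ;; *) return 1 ;; esac
}

# The /etc/pam.d/mariadb policy must hand both auth and account to pam_ldap.so.
check_pam_policy() {
    f="$1"; rc=0
    [ -r "$f" ] || { echo "FAIL: $f missing or unreadable"; return 1; }
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_ldap\.so' "$f" \
        || { echo "FAIL: $f has no 'auth required pam_ldap.so' line"; rc=1; }
    grep -Eq '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_ldap\.so' "$f" \
        || { echo "FAIL: $f has no 'account required pam_ldap.so' line"; rc=1; }
    return $rc
}

# ldap.conf: encrypted transport, bind password not world-readable, debug not left on.
check_ldap_conf() {
    f="$1"; rc=0
    [ -r "$f" ] || { echo "FAIL: $f missing or unreadable"; return 1; }
    grep -Eq '^[[:space:]]*uri[[:space:]]+ldaps://' "$f" \
        || { echo "FAIL: $f: uri is not ldaps://"; rc=1; }
    if grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$f" && world_readable "$f"; then
        echo "FAIL: $f contains bindpw but is world-readable"; rc=1
    fi
    grep -Eq '^[[:space:]]*debug[[:space:]]+[1-9]' "$f" \
        && echo "WARN: $f still has a non-zero debug level (meant for initial setup only)"
    return $rc
}

# Client option file: the cleartext plugin is only acceptable together with SSL.
check_client_cnf() {
    f="$1"
    [ -r "$f" ] || { echo "INFO: $f not present, skipping"; return 0; }
    if grep -Eq '^[[:space:]]*pam_use_cleartext_plugin' "$f" \
        && ! grep -Eq '^[[:space:]]*ssl' "$f"; then
        echo "FAIL: $f enables pam_use_cleartext_plugin without any ssl option"
        return 1
    fi
    return 0
}

# True when a pipe-separated SHOW PLUGINS row shows the pam plugin as ACTIVE.
plugin_active() {
    printf '%s\n' "$1" | grep -Eq '^\|[[:space:]]*pam[[:space:]]*\|[[:space:]]*ACTIVE[[:space:]]*\|'
}

check_pam_ldap_setup() {
    rc=0
    check_pam_policy "$1" || rc=1
    check_ldap_conf "$2" || rc=1
    check_client_cnf "$3" || rc=1
    [ $rc -eq 0 ] && echo "OK: PAM/LDAP configuration looks consistent"
    return $rc
}

# Constructed fixtures (not real system files) so the checks can run offline.
make_demo_fixtures() {
    d="$1"; mkdir -p "$d"
    printf 'auth required pam_ldap.so\naccount required pam_ldap.so\n' > "$d/mariadb"
    printf 'base dc=corp,dc=company_name,dc=com\nbindpw example-secret\nuri ldaps://ldap.example.invalid:636\n' > "$d/ldap.conf"
    chmod 600 "$d/ldap.conf"
    printf '[client]\npam_use_cleartext_plugin\nssl-ca=/etc/ssl/certs/ca.pem\n' > "$d/my.cnf"
}

if [ "${1:-}" = "--demo" ]; then
    tmp="${TMPDIR:-/tmp}/pamldap.$$"
    make_demo_fixtures "$tmp"
    check_pam_ldap_setup "$tmp/mariadb" "$tmp/ldap.conf" "$tmp/my.cnf"
    rm -rf "$tmp"
fi
```

Run it with the real paths once steps 1 through 8 are done; a FAIL line points at the step to revisit (PAM policy for step 6, ldap.conf for step 8, client option file for step 5). The bindpw permission check is the one item the steps above do not spell out: ldap.conf holds the service account's password in clear text, so it should not be readable by every local user.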
If you want to know more about user mapping, you should read this post by Geoff Montee as well as this post by Alexander Rubin.
I hope this helps.