Comment 16 for bug 988694

Predrag Zecevic (predrag-zecevic) wrote :

I have to report some progress here:

Used bzr to get the source and have compiled it. Then I have installed it onto one server. That was the easy part.

Moreover, it DOES proper authorization against LDAP and that part is working fine (single user use).

What is NOT working is the use of MySQL proxy users (http://dev.mysql.com/doc/mysql-security-excerpt/5.5/en/pam-authentication-plugin-usage.html#pam-authentication-unix-with-proxy)

I have spent hours looking for a solution, and it is still not clear to me how user mapping has to be done...

My Setup on MySQL server side:
---8<---
mysql> CREATE USER ''@'' IDENTIFIED WITH auth_pam AS 'mysql, mysql_ro=readonly';
mysql> CREATE USER 'readonly'@'localhost' IDENTIFIED BY 'very secret password';
mysql> GRANT SELECT ON *.* TO 'readonly'@'localhost';
mysql> GRANT PROXY ON 'readonly'@'localhost' TO ''@'';
---8<---
In LDAP I have my posixAccount set up (and posixGroup). But, another LDAP posixGroup is created:
---8<---
dn: cn=mysql_ro,ou=Groups,dc=my-domain,dc=com
cn: mysql_ro
gidnumber: 223
memberuid: predrag_zecevic
objectclass: posixGroup
objectclass: top
---8<---
Is this OK? I would expect the PAM plugin to check not only the primary group but also secondary groups...

Then, when I connect to the MySQL server, the following attributes are asked from the LDAP server:
---8<---
[17/Dec/2012:12:03:28 +0100] conn=40649 op=1 SRCH base="dc=my-domain,dc=com" scope=2 filter="(uid=predrag_zecevic)" attrs="host authorizedService shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning uidNumber"
[17/Dec/2012:12:03:28 +0100] conn=40649 op=1 RESULT err=0 tag=101 nentries=1 etime=0
---8<---

So, it has returned NO groups at all (although it has matched my account) and the whole thing fails:
---8<---
mysql -hmy-host -upredrag_zecevic -pmy-password -e "SELECT USER(), CURRENT_USER(), @@proxy_user;"
+----------------------------------------+----------------+--------------+
| USER() | CURRENT_USER() | @@proxy_user |
+----------------------------------------+----------------+--------------+
| <email address hidden> | @ | NULL |
+----------------------------------------+----------------+--------------+
---8<---
I guess that the mapping wasn't done at all: mysql> CREATE USER ''@'' IDENTIFIED WITH auth_pam AS 'mysql, mysql_ro=readonly';
and the proxy user is not in use.

Do you have any idea how to fix this problem?

I am not sure if I have set the LDAP entries (that is 389-DS from the Fedora Project) for group mapping properly.
The documentation on the Percona site is not of much use...

Many thanks for any suggestion, from anybody.

Regards.
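To make the group-to-proxy-user mapping from the comment above concrete, here is an added example (not code from the bug report or from the auth_pam plugin) that parses a mapping string such as 'mysql, mysql_ro=readonly', resolves which proxied MySQL user a given set of OS groups would select, and lists the groups NSS reports for an account on the database host, which is what the plugin has to see for the mapping to match. Assumptions: the mapping syntax is "service, group=user, ..." with rules checked in mapping order; the function and variable names are the example's own.

```python
import grp
import pwd
from typing import Dict, List, Optional, Tuple


def parse_pam_mapping(auth_string: str) -> Tuple[str, Dict[str, str]]:
    """Split 'service, group1=user1, group2=user2' into (service, {group: user}).

    Assumption (not taken from the bug report): the first token is the PAM
    service name, every following token maps an OS group to a MySQL proxied user.
    """
    parts = [p.strip() for p in auth_string.split(",")]
    service, rules = parts[0], {}
    for rule in parts[1:]:
        if not rule:
            continue
        if "=" not in rule:
            raise ValueError(f"mapping rule without '=': {rule!r}")
        group, user = (s.strip() for s in rule.split("=", 1))
        rules[group] = user
    return service, rules


def resolve_proxy_user(auth_string: str, user_groups: List[str]) -> Optional[str]:
    """Return the proxied MySQL user for the first rule whose group the user is in.

    None means no rule matched; the session then stays on the anonymous ''@''
    account and @@proxy_user is NULL, which is the symptom shown in the report.
    """
    _, rules = parse_pam_mapping(auth_string)
    member_of = set(user_groups)
    for group, proxied_user in rules.items():   # rule order is an assumption
        if group in member_of:
            return proxied_user
    return None


def os_groups(username: str) -> List[str]:
    """Primary plus secondary group names exactly as NSS resolves them on this host.

    If the LDAP group (e.g. mysql_ro) is missing here, the DB host's NSS setup
    is not exposing it, and no MySQL-side mapping can match it.
    """
    primary = grp.getgrgid(pwd.getpwnam(username).pw_gid).gr_name
    secondary = [g.gr_name for g in grp.getgrall() if username in g.gr_mem]
    return [primary] + [g for g in secondary if g != primary]


if __name__ == "__main__":
    MAPPING = "mysql, mysql_ro=readonly"   # mapping string from the bug report
    print(resolve_proxy_user(MAPPING, ["predrag_zecevic", "mysql_ro"]))  # readonly
    print(resolve_proxy_user(MAPPING, ["predrag_zecevic"]))             # None
```

Running `os_groups("predrag_zecevic")` on the MySQL host (with the account present in NSS) shows whether the secondary group the mapping relies on is visible there at all.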