PAM authentication with sssd and proxy user


antonio falzarano

Feb 16, 2017, 12:32:35 PM2/16/17
to Percona Discussion
Hi,

I'm trying to use the pam_auth plugin with my existing LDAP configuration and the sssd daemon.

I have set up the file /etc/pam.d/mysqld with

auth       required     pam_sss.so pam_unix.so  audit
account    required     pam_sss.so pam_unix.so  audit

and created a user with

CREATE USER gino IDENTIFIED WITH auth_pam;

With this configuration I can log in with the LDAP user gino.

But if I try to use a proxy user with MySQL I can't log in anymore:

These are the commands:

CREATE USER ''@'' IDENTIFIED WITH auth_pam AS 'mysqld, mysqlrw=mysqlrw_usr';
CREATE USER mysqlrw_usr IDENTIFIED BY 'XXXXX';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, FILE, ALTER, SHOW DATABASES ON *.* TO mysqlrw_usr;
FLUSH PRIVILEGES;

User gino is part of the mysqlrw group inside LDAP, and the command id -gn gino returns mysqlrw too.

Does anyone have a working environment with the pam_auth plugin and LDAP with a proxy user?

Thank you
Antonio

Andrew Garner

Feb 16, 2017, 2:50:32 PM2/16/17
to percona-d...@googlegroups.com
I've done this with MariaDB, which should be fairly similar. Looks
like you are missing a GRANT PROXY. I suppose you want something
like:

GRANT PROXY ON 'mysqlrw_usr'@'%' TO ''@'';

Just a warning, you'll probably want to require SSL or restrict users
to "localhost" to prevent your passwords flying around in the clear.
Also your use of "FLUSH PRIVILEGES" is unnecessary.

~Andrew
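As an added example that is not part of the thread: the complete MySQL-side setup that the reply above implies, written for Percona Server 5.6/5.7 with the auth_pam plugin. It keeps the names from the question (PAM service mysqld, LDAP group mysqlrw, proxied account mysqlrw_usr); the placeholder password, the '%' host part, the omission of FILE and the REQUIRE SSL line that addresses the cleartext-password concern are assumptions of this example, not something the posters wrote.

```sql
-- Added example, not from the thread. Assumed: Percona Server 5.6/5.7, auth_pam
-- plugin loaded, PAM service "mysqld", OS/LDAP group "mysqlrw", proxied account
-- "mysqlrw_usr".

-- 1. Anonymous "catch-all" entry point. Any user authenticates through the PAM
--    service "mysqld"; members of OS group mysqlrw are proxied to mysqlrw_usr.
--    Mapping string format: '<pam_service>, <group>=<mysql_user>[, <group>=<mysql_user> ...]'.
CREATE USER ''@'' IDENTIFIED WITH auth_pam AS 'mysqld, mysqlrw=mysqlrw_usr';

-- 2. The proxied account that carries the privileges. Nobody logs into it
--    directly, so give it a long random password (placeholder below).
CREATE USER 'mysqlrw_usr'@'%' IDENTIFIED BY 'XXXXX';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, SHOW DATABASES
    ON *.* TO 'mysqlrw_usr'@'%';
-- FILE (in the original grant list) lets the account read and write files on
-- the server host; it is left out here because application users rarely need it.

-- 3. The piece missing from the question. Without it the plugin still maps the
--    login to mysqlrw_usr, but the server refuses to switch identity and denies
--    access.
GRANT PROXY ON 'mysqlrw_usr'@'%' TO ''@'';

-- 4. auth_pam only works with the client's cleartext password plugin, so the
--    LDAP password crosses the network unencrypted unless the connection uses TLS.
--    Require TLS on the PAM entry point (GRANT ... REQUIRE syntax, valid on 5.6/5.7).
GRANT USAGE ON *.* TO ''@'' REQUIRE SSL;

-- 5. Verification, run from a session opened as the LDAP user:
--      mysql --enable-cleartext-plugin --ssl-mode=REQUIRED -u gino -p
--    USER() returns the LDAP login name, CURRENT_USER() the proxied account.
SELECT USER(), CURRENT_USER(), @@proxy_user;
```

No FLUSH PRIVILEGES is needed: CREATE USER and GRANT update the in-memory grant tables themselves, as the reply notes. If step 5 shows CURRENT_USER() equal to the LDAP name instead of mysqlrw_usr, the group mapping was not applied; check that `id gino` on the database host lists the group the mapping string names.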

antonio falzarano

Feb 20, 2017, 6:31:10 AM2/20/17
to Percona Discussion
Hi Andrew,

thank you for the answer; sorry that I missed GRANT PROXY in my post, but I had done it on my server.

I found that my problem was the group matching set inside the anonymous user

CREATE USER ''@'' IDENTIFIED WITH auth_pam AS 'mysqld, mysqlrw=mysqlrw_usr';

If I use group matching, login doesn't work anymore.

If I use the anonymous user without a group, login with LDAP works

CREATE USER ''@'' IDENTIFIED WITH auth_pam AS 'mysqld';

So I found this cool guide that uses pam_user_map.so to map groups, which works with MySQL too

http://www.geoffmontee.com/configuring-ldap-authentication-and-group-mapping-with-mariadb/

I changed the MySQL PAM configuration to work with pam_sss instead of pam_ldap, so I replaced pam_ldap with pam_sss

auth sufficient pam_sss.so use_first_pass
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_user_map.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_unix.so broken_shadow

And now everything seems to work very well, with LDAP (FreeIPA) group matching.

I hope this post helps other people, because I spent a lot of time understanding all the pieces.

Antonio
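The mapping file that the pam_user_map.so approach relies on is not shown anywhere in the thread, so here is one as an added example (not the poster's configuration). It assumes MariaDB's pam_user_map.so module installed as in the linked guide, its default configuration path /etc/security/user_map.conf, and the same names as above (group mysqlrw, account mysqlrw_usr); the second group mysqlro and account mysqlro_usr are invented to show more than one mapping.

```text
# /etc/security/user_map.conf -- added example, not from the thread.
# Read by MariaDB's pam_user_map.so; lines starting with # are comments.
#
#   user:   mysql_account    maps one PAM user name to a MySQL account
#   @group: mysql_account    maps every member of the OS group, as the OS
#                            (here sssd) reports it -- `id gino` must list it
#
# Assumed names: LDAP user gino, groups mysqlrw and mysqlro, MySQL accounts
# mysqlrw_usr and mysqlro_usr.
gino:     mysqlrw_usr
@mysqlrw: mysqlrw_usr
@mysqlro: mysqlro_usr
```

Two things to keep in mind when wiring this into /etc/pam.d/mysqld. First, pam_user_map.so does no authentication of its own: it only rewrites PAM_USER after an earlier module has verified the password, so it has to sit after that module in the auth stack. Second, Linux-PAM's "sufficient" control returns success to the caller immediately when the module succeeds and skips everything below it, so a mapper placed after "sufficient" authenticators is never reached on a normal successful login; the MariaDB documentation chains the authenticating module and pam_user_map.so with "required" for this reason. On the MySQL side the anonymous user then stays `IDENTIFIED WITH auth_pam AS 'mysqld'` with no group list, and every account named on the right-hand side of user_map.conf still needs its own `GRANT PROXY ON 'account'@'%' TO ''@'';`.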