I'm trying to configure Percona with LDAP support via PAM including group mappings and restriction. My Percona authentication setup is as follows:
INSTALL PLUGIN pam SONAME 'auth_pam.so';
create user 'dba'@'%' IDENTIFIED WITH auth_pam AS 'mysql';
grant all privileges on *.* to 'dba'@'%' with grant option;
create user 'dbr'@'%' IDENTIFIED WITH auth_pam AS 'mysql';
grant select on *.* to 'dbr'@'%';
CREATE USER ''@'' IDENTIFIED WITH auth_pam AS 'mysql, sudo=dba, mysql=dbr';
GRANT PROXY ON 'dba'@'%' TO ''@'';
GRANT PROXY ON 'dbr'@'%' TO ''@'';
And in /etc/pam.d/mysql I have:
auth required pam_warn.so
auth required pam_ldap.so
account required pam_ldap.so
account required pam_succeed_if.so user ingroup mysql
With these in place, the following works:
- Log in as an LDAP user in sudo (and mysql), gain privileges of dba.
- Log in as an LDAP user in mysql, gain privileges of dbr.
- Attempt login with invalid username and/or password, get no access.
And the following behaviors are incorrect (should be refused login entirely):
- Log in as an LDAP user in sudo (but not mysql), still gain privileges of dba.
- Log in as an LDAP user in neither group, gain access with no privileges.
It took quite a while to eventually figure out that the configuration in /etc/pam.d/mysql is having no effect. The behavior is the same even when that file is not present.
My understanding is that the first value in the string mysql, sudo=dba, mysql=dbr tells Percona to use the PAM configuration in a file named mysql, and all tutorials show the filename resolving to /etc/pam.d/mysql.
What am I missing?
The issue turned out to be file permissions. When
/etc/pam.d/mysqlwas changed from0640to0644(o+r), the PAM configuration started affecting login as expected.