MariaDB has shipped a PAM authentication plugin (auth_pam) since version 5.2. This article uses MariaDB-Galera_Cluster-10.0.21 and shows how to configure authentication against OpenLDAP through PAM.

We assume the database servers are already set up as LDAP clients of the OpenLDAP server, so that PAM on each node (for example through pam_ldap or sssd) can authenticate directory users.

Make sure you can search the directory with ldapsearch:

# ldapsearch -x -LLL -b dc=yess,dc=com
dn: dc=yess,dc=com
dc: yess
o: yess
objectClass: dcObject
objectClass: organization

dn: ou=users,dc=yess,dc=com
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=yess,dc=com
objectClass: organizationalUnit
ou: groups

dn: cn=erick,ou=groups,dc=yess,dc=com
cn: erick
objectClass: top
objectClass: posixGroup
gidNumber: 5000

dn: uid=erick,ou=users,dc=yess,dc=com
cn:: RXJpY2sgU2FwdXRyYQk=
givenName: Erick
sn: Saputra
uid: erick
uidNumber: 5000
gidNumber: 5000
homeDirectory: /home/erick
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
userPassword:: e1NTSEF9bis1ZHExZ1NTUWJtUzAyN1VUbExySy9VczBjMDE5YzI=

dn: cn=boby,ou=groups,dc=yess,dc=com
cn: boby
objectClass: top
objectClass: posixGroup
gidNumber: 5001

dn: uid=venkatn,ou=users,dc=yess,dc=com
cn: Boby Aja
givenName: Boby
sn: Aja
uid: boby
uid: venkatn
uidNumber: 5001
gidNumber: 5001
homeDirectory: /home/boby
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
userPassword:: e0NSWVBUfSo=

dn: cn=joni,ou=groups,dc=yess,dc=com
cn: joni
objectClass: top
objectClass: posixGroup
gidNumber: 5002

dn: uid=joni,ou=users,dc=yess,dc=com
cn: Joni Aja
givenName: Joni
sn: Aja
uid: joni
uidNumber: 5002
gidNumber: 5002
homeDirectory: /home/joni
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
userPassword:: e1NTSEF9b0k1K3d3L0lXUnF5YkN2cjZtc290UldVQS9lbEN5ZzI=

MariaDB Configuration
The MariaDB setup follows the outline of http://dev.mysql.com/doc/refman/5.5/en/pam-authentication-plugin.html. Note that that page documents Oracle's MySQL Enterprise PAM plugin; MariaDB ships its own auth_pam plugin, and the options below are the MariaDB ones.

Add the following to the [mysqld] section of my.cnf. pam-use-cleartext-plugin makes the server ask clients for the mysql_clear_password plugin instead of the dialog plugin, which is sufficient for a password-only PAM stack like the one below. Either way the password reaches the server in plaintext, because PAM needs it, so only allow these logins over a UNIX socket or a TLS-protected connection:

pam-use-cleartext-plugin
plugin-load	= auth_pam.so

Then restart the service:

# service mysql restart

Now create the PAM service file. Its name, here mysql, must match the service name given after AS when the MariaDB account is created (if none is given, the plugin defaults to mysql). The PAM plugin can be used in two ways: with proxy users, where PAM logins arrive through an anonymous account and are mapped to a real MariaDB account, or without proxy users, where every LDAP user has a MariaDB account of the same name. This article uses the latter. password-auth is the CentOS/RHEL stack; on Debian or Ubuntu the equivalent lines are @include common-auth and @include common-account.

# vi /etc/pam.d/mysql
#%PAM-1.0
auth            include         password-auth
account         include         password-auth

Open up access to /etc/shadow
The pam_unix.so module normally verifies passwords through the unix_chkpwd helper, which, when run unprivileged, only checks the calling user's own password; for any other account it has to read /etc/shadow, which is unreadable to non-root users for good reason. With the password-auth stack above, pam_unix is part of the service, so to make it work under the mysql user you will probably have to give that user read access to the file. This is very easy to do:

# groupadd shadow
# usermod -a -G shadow mysql
# chown root:shadow /etc/shadow
# chmod g+r /etc/shadow

Be clear about what this buys and costs. Shadow access is needed for local accounts verified by pam_unix; LDAP users are verified by pam_ldap or pam_sss against the directory, which does not involve /etc/shadow. If only LDAP users will ever log in through this service, consider a /etc/pam.d/mysql that contains only the LDAP module and leave /etc/shadow untouched. Once mysqld can read the file, every local password hash is exposed to anyone who compromises the server process or holds the FILE privilege (LOAD_FILE() reads whatever mysqld can read, subject to secure_file_priv). Newer MariaDB releases (10.4 and later) avoid this by handing the PAM conversation to a small setuid helper, auth_pam_tool, so mysqld itself no longer needs shadow access.

On CentOS/RHEL, SELinux in enforcing mode will still deny mysqld access to /etc/shadow even with the permission bits above. The author's approach is to disable SELinux (setenforce 0 and SELINUX=disabled in /etc/selinux/config); a narrower fix is to keep it enforcing and install a local policy module that allows mysqld_t to read shadow_t, which audit2allow can generate from the denial recorded in the audit log.

Next, create the MariaDB accounts at the mysql prompt. Each account name must match the LDAP uid the user logs in with, and the string after AS is the PAM service name, i.e. the file name under /etc/pam.d/. PAM only decides whether the login is valid; what the user may then do is still governed by MariaDB grants, so give each account only the privileges it needs (the *.* grants below are the author's example and are broad for a real deployment). FLUSH PRIVILEGES is not required after CREATE USER and GRANT, but it does no harm.

mysql> create user 'erick'@'localhost' identified with pam as 'mysql';
mysql> grant insert, update, delete, select on *.* to 'erick'@'localhost';
mysql> create user 'joni'@'localhost' identified with pam as 'mysql';
mysql> grant select on *.* to 'joni'@'localhost';
mysql> flush privileges;
mysql> quit
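To tie the steps above together, here is an added pre-flight script that is not part of the original article. It checks the three things that usually go wrong (the PAM service file, the /etc/shadow permissions, SELinux) and generates the CREATE USER statements from ldapsearch output, so the database accounts cannot drift from the directory. It assumes GNU stat and a POSIX awk; the function names, the sample LDIF and the hostile uid in it are constructed for this example. The generator deliberately skips entries like uid=venkatn in the listing above, which carries two uid values (boby and venkatn): PAM would accept either name, so which one gets a database account is a decision for the DBA rather than something to automate.

```shell
#!/bin/sh
# Pre-flight checks for MariaDB PAM + LDAP authentication. Added example, not
# from the original article. Assumes GNU stat and a POSIX awk; function names
# and the sample LDIF below are constructed for this example.

# Is FILE (normally /etc/shadow) owned by GROUP with the group read bit set?
# Whatever mysqld can read, a MariaDB account holding the FILE privilege can
# read through LOAD_FILE(), which is the trade-off of opening /etc/shadow.
shadow_group_readable() {
    file=$1 group=$2
    perms=$(stat -c '%a' "$file") || return 1
    owner_group=$(stat -c '%G' "$file") || return 1
    perms=${perms%?}                 # drop the "other" digit
    gdigit=${perms#${perms%?}}       # last remaining digit = group bits
    [ "$owner_group" = "$group" ] && [ $((gdigit & 4)) -ne 0 ]
}

# SELinux in enforcing mode denies mysqld_t reads of shadow_t regardless of
# the permission bits, so report it separately.
selinux_enforcing() {
    command -v getenforce >/dev/null 2>&1 &&
        [ "$(getenforce 2>/dev/null)" = Enforcing ]
}

# Does PAMDIR/SERVICE exist and define both an auth and an account stack?
# Accepts the RHEL "auth include ..." form and the Debian "@include common-auth"
# form. auth_pam calls both pam_authenticate() and pam_acct_mgmt().
pam_service_ok() {
    f="$1/$2"
    [ -f "$f" ] || return 1
    grep -Eq '^[[:space:]]*(auth[[:space:]]|@include[[:space:]]+common-auth)' "$f" &&
        grep -Eq '^[[:space:]]*(account[[:space:]]|@include[[:space:]]+common-account)' "$f"
}

# Read ldapsearch LDIF on stdin and print one CREATE USER per posixAccount.
# $1 = host part of the account, $2 = PAM service name (file under /etc/pam.d).
# Entries are skipped, with a note on stderr, when the uid is multi-valued
# (PAM would accept either name; the DBA must pick one) or when the uid falls
# outside a conservative allow-list, since the value is interpolated into SQL.
ldif_to_create_users() {
    awk -v host="$1" -v svc="$2" '
    function flush() {
        if (posix) {
            if (n != 1)
                print "-- skipped " dn ": " n " uid values" > "/dev/stderr"
            else if (uids[1] !~ /^[A-Za-z0-9._-]+$/)
                print "-- skipped " dn ": uid outside [A-Za-z0-9._-] or base64" > "/dev/stderr"
            else
                printf "CREATE USER \047%s\047@\047%s\047 IDENTIFIED WITH pam AS \047%s\047;\n",
                       uids[1], host, svc
        }
        posix = 0; n = 0; dn = ""
    }
    /^dn: /                       { dn = substr($0, 5) }
    /^uid: /                      { uids[++n] = substr($0, 6) }
    /^uid:: /                     { uids[++n] = "<base64>" }   # non-ASCII uid: refuse
    /^objectClass: posixAccount$/ { posix = 1 }
    /^$/                          { flush() }
    END                           { flush() }'
}

# Constructed sample mirroring the directory listing above: a clean user, the
# entry with two uid values, and a hostile uid that must never reach SQL.
SAMPLE_LDIF=$(cat <<'EOF'
dn: uid=erick,ou=users,dc=yess,dc=com
uid: erick
objectClass: posixAccount

dn: uid=venkatn,ou=users,dc=yess,dc=com
uid: boby
uid: venkatn
objectClass: posixAccount

dn: uid=evil,ou=users,dc=yess,dc=com
uid: evil'@'%' IDENTIFIED BY ''; GRANT ALL ON *.* TO 'evil
objectClass: posixAccount
EOF
)

# Only the erick statement reaches stdout; the other two entries go to stderr.
generate_sample_sql() {
    printf '%s\n' "$SAMPLE_LDIF" | ldif_to_create_users localhost mysql
}

if [ "${1:-}" = run ]; then
    generate_sample_sql
    pam_service_ok /etc/pam.d mysql && echo "PAM service file mysql: ok" ||
        echo "PAM service file mysql: missing or incomplete"
    shadow_group_readable /etc/shadow shadow && echo "/etc/shadow: readable by group shadow" ||
        echo "/etc/shadow: not readable by group shadow"
    selinux_enforcing && echo "SELinux enforcing: expect AVC denials on /etc/shadow"
fi
```

Run it with `sh preflight.sh run` on a database node, or source it and pipe real directory output through `ldapsearch -x -LLL -b ou=users,dc=yess,dc=com | ldif_to_create_users localhost mysql` to get statements for the whole ou; review the notes on stderr before executing anything.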

Now log in to MariaDB with your LDAP user name and password:

$ mysql -u erick -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 10.0.21-MariaDB-wsrep-log MariaDB Server, wsrep_25.10.r4144

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

MariaDB [(none)]> SELECT USER(), CURRENT_USER();
+-----------------+-----------------+
| USER()          | CURRENT_USER()  |
+-----------------+-----------------+
| erick@localhost | erick@localhost |
+-----------------+-----------------+
1 row in set (0.00 sec)

The user has been authenticated against the LDAP server.
References:
https://mariadb.com/blog/configuring-pam-authentication-and-user-mapping-mariadb
http://dev.mysql.com/doc/refman/5.5/en/pam-authentication-plugin.html
http://www.arubin.org/blog/2012/07/16/mysql-pam-ldap-authentication-module-configuration/
