1 of 1

Configuring PAM Authentication and User Mapping with LDAP Authentication

Learn to configure the PAM plugin to authenticate users via LDAP and map LDAP groups to MariaDB accounts using the pam_user_map module.

In this article, we will walk through the configuration of PAM authentication using the pam authentication plugin and user and group mapping with the pam_user_map PAM module. The primary authentication will be handled by the pam_ldap PAM module, which performs LDAP authentication. We will also set up an OpenLDAP server.

Hypothetical Requirements

In this walkthrough, we are going to assume the following hypothetical requirements:

The LDAP user foo should be mapped to the MariaDB user bar. (foo: bar)
Any LDAP user in the LDAP group dba should be mapped to the MariaDB user dba. (@dba: dba)

Setting up the OpenLDAP Server

Before we can use LDAP authentication, we first need to set up our OpenLDAP Server. This is usually done on a server that is completely separate from the database server.

Installing the OpenLDAP Server and Client Components

On the server acting as the OpenLDAP Server, first, we need to install the OpenLDAP components.

On RHEL, CentOS, and other similar Linux distributions that use , that would go like this:

Configuring the OpenLDAP Server

Next, let's to configure the OpenLDAP Server. The easiest way to do that is to copy the template configuration file that is included with the installation. In many installations, that will be at /usr/share/openldap-servers/DB_CONFIG.example:

Configuring the OpenLDAP Port

Sometimes it is useful to change the port used by OpenLDAP. For example, some cloud environments block well-known authentication services, so they block the default LDAP port.

On some systems, the port can be changed by setting SLAPD_URLS in /etc/sysconfig/slapd:

I used 3306 because that is the port that is usually used by mysqld, so I know that it is not blocked.

Starting the OpenLDAP Server

Next, let's start the OpenLDAP Server and configure it to start on reboot. On systems, that would go like this:

Installing the Standard LDAP objectClasses

In order to use LDAP for authentication, we also need to install some standard objectClasses, such as posixAccount and posixGroup. In LDAP, things like objectClasses are defined in files. In many installations, these specific objectClasses are defined in /etc/openldap/schema/nis.ldif. nis.ldif also depends on core.ldif and cosine.ldif. However, core.ldif is usually installed by default.

We can install them with :

Creating the LDAP Directory Manager User

Next, let’s create a directory manager user. We can do this by using OpenLDAP's configuration system to change the directive to the DN of the directory manager user, which means that the user will be a privileged LDAP user that is not subject to access controls. We will also set the root password for the user by changing the directive.

We will also set the DN suffix for our backend LDAP database by changing the directive.

Let’s use the utility to generate a password hash from a clear-text password. Simply execute:

This utility provides a password hash that looks like this: {SSHA}AwT4jrvmokeCkbDrFAnGvzzjCMb7bvEl

OpenLDAP's configuration system also uses files. Now that we have the password hash, let’s create an LDIF file to create the directory manager user:

Note that this is using the dc=support,dc=mariadb,dc=com domain for the directory. You can change it to whatever is relevant to you.

Now let’s run the ldif file with :

We will use the new directory manager user to make changes to the LDAP directory after this step.

Creating the Structure of the Directory

Next, let's create the structure of the directory by creating parts of our tree.

Now, let’s use our new directory manager user and run the file with :

Creating the LDAP Users and Groups

Let's go ahead and create the LDAP users and groups that we are using for this scenario.

First, let's create the foo user:

Next, let's create a couple of users to go into the dba group:

Note that each of these users needs a password, so we can set it for each user with :

Next, let's create our dba group:

Next, let's add our two users to it:

We also need to create LDAP users with the same name as the bar and dba MariaDB users. See to read more about the reasons to do so. No one will be logging in as these users, so they do not need passwords. Instead of the People organizationalUnit, we create them in the System Users organizationalUnit.

Setting up the MariaDB Server

At this point, we can move on to setting up the MariaDB Server.

Installing LDAP and PAM Libraries

First, we need to make sure that the LDAP and PAM libraries are installed.

On RHEL, CentOS, and other similar Linux distributions that use , we need to install the following packages:

Configuring LDAP

Next, let's configure LDAP on the system. We can use for this:

Be sure to replace -–ldapserver and -–ldapbasedn with values that are relevant for your environment.

Installing the pam_user_map PAM Module

The pam_user_map PAM module is included in the base install. No installation is needed.

Next, let's .

Before the module can be compiled from source, we may need to install some dependencies.

On RHEL, CentOS, and other similar Linux distributions that use , we need to install gcc and pam-devel:

On Debian, Ubuntu, and other similar Linux distributions that use , we need to install gcc and libpam0g-dev:

Configuring the pam_user_map PAM Module

Next, let's based on our hypothetical requirements.

The configuration file for the pam_user_map PAM module is /etc/security/user_map.conf. Based on our requirements, ours would look like:

Installing the PAM Authentication Plugin

Next, let's .

Log into the MariaDB Server and execute the following:

Configuring the PAM Service

For modern Linux distributions (like RHEL 8 and newer) that use SSSD (System Security Services Daemon) to connect to an LDAP provider, the pam_sss.so module is the modern equivalent of pam_ldap.so. In such a configuration, pam_sss.so replaces pam_ldap.so. For more information, please see the .

Next, let's . We will call our service mariadb, so our PAM service configuration file will be located at /etc/pam.d/mariadb on most systems.

Configuring PAM to Allow Only LDAP Authentication

Since we are only doing LDAP authentication with the PAM module and group mapping with the pam_user_map PAM module, our configuration file would look like this:

Configuring PAM to Allow LDAP and Local Unix Authentication

If we want to allow authentication from LDAP users and from local Unix users through , while giving priority to the local users, then we could do this instead:

Configuring the pam_unix PAM Module

If you also want to allow authentication from local Unix users, the pam_unix PAM module adds on a lot of systems. We basically have to give the user that runs mysqld access to /etc/shadow.

If the mysql user is running mysqld, then we can do that by executing the following:

The server needs to be restarted for this change to take affect.

Creating MariaDB Users

Next, let's . Remember that our PAM service is called mariadb.

First, let's create the MariaDB user for the user mapping: foo: bar

That means that we need to create a bar user:

And then let's create the MariaDB user for the group mapping: @dba: dba

That means that we need to create a dba user:

And then to allow for the user and group mapping, we need to that is also able to PROXY as the bar and dba users. Before we can create the proxy user, we might need to :

And then let's create the anonymous proxy user:

Testing our Configuration

Next, let's test our configuration by . We can verify this by logging in as each of our users and comparing the return value of , which is the original user name and the return value of , which is the authenticated user name.

Testing LDAP Authentication

First, let's test our foo user:

We can verify that our foo LDAP user was properly mapped to the bar MariaDB user by looking at the return value of .

Then let's test our gmontee user in the dba group:

And then let's test our bstillman user in the dba group:

We can verify that our gmontee and bstillman LDAP users in the dba LDAP group were properly mapped to the dba MariaDB user by looking at the return values of CURRENT_USER().

Testing Local Unix Authentication

If you chose the option that also allowed local Unix authentication, then let's test that out. Let's create a Unix user and give the user a password real quick:

And let's also map this user to dba:

And we know that the existing anonymous user already has the PROXY privilege granted to the dba user, so this should just work without any other configuration. Let's test it out:

We can verify that our alice Unix user was properly mapped to the dba MariaDB user by looking at the return values of .

Integrating with MariaDB MaxScale

If you are connecting to MariaDB Server through MariaDB MaxScale, it is also recommended to configure the proxy to authenticate users via .

_{This page is licensed: CC BY-SA / Gnu FDL}

Configuring PAM Authentication and User Mapping with LDAP Authentication

Learn to configure the PAM plugin to authenticate users via LDAP and map LDAP groups to MariaDB accounts using the pam_user_map module.

Hypothetical Requirements

In this walkthrough, we are going to assume the following hypothetical requirements:

The LDAP user foo should be mapped to the MariaDB user bar. (foo: bar)
Any LDAP user in the LDAP group dba should be mapped to the MariaDB user dba. (@dba: dba)

Setting up the OpenLDAP Server

Before we can use LDAP authentication, we first need to set up our OpenLDAP Server. This is usually done on a server that is completely separate from the database server.

Installing the OpenLDAP Server and Client Components

On the server acting as the OpenLDAP Server, first, we need to install the OpenLDAP components.

On RHEL, CentOS, and other similar Linux distributions that use , that would go like this:

Configuring the OpenLDAP Server

Configuring the OpenLDAP Port

Sometimes it is useful to change the port used by OpenLDAP. For example, some cloud environments block well-known authentication services, so they block the default LDAP port.

On some systems, the port can be changed by setting SLAPD_URLS in /etc/sysconfig/slapd:

I used 3306 because that is the port that is usually used by mysqld, so I know that it is not blocked.

Starting the OpenLDAP Server

Next, let's start the OpenLDAP Server and configure it to start on reboot. On systems, that would go like this:

Installing the Standard LDAP objectClasses

We can install them with :

Creating the LDAP Directory Manager User

We will also set the DN suffix for our backend LDAP database by changing the directive.

Let’s use the utility to generate a password hash from a clear-text password. Simply execute:

This utility provides a password hash that looks like this: {SSHA}AwT4jrvmokeCkbDrFAnGvzzjCMb7bvEl

OpenLDAP's configuration system also uses files. Now that we have the password hash, let’s create an LDIF file to create the directory manager user:

Note that this is using the dc=support,dc=mariadb,dc=com domain for the directory. You can change it to whatever is relevant to you.

Now let’s run the ldif file with :

We will use the new directory manager user to make changes to the LDAP directory after this step.

Creating the Structure of the Directory

Next, let's create the structure of the directory by creating parts of our tree.

Now, let’s use our new directory manager user and run the file with :

Creating the LDAP Users and Groups

Let's go ahead and create the LDAP users and groups that we are using for this scenario.

First, let's create the foo user:

Next, let's create a couple of users to go into the dba group:

Note that each of these users needs a password, so we can set it for each user with :

Next, let's create our dba group:

Next, let's add our two users to it:

Setting up the MariaDB Server

At this point, we can move on to setting up the MariaDB Server.

Installing LDAP and PAM Libraries

First, we need to make sure that the LDAP and PAM libraries are installed.

On RHEL, CentOS, and other similar Linux distributions that use , we need to install the following packages:

Configuring LDAP

Next, let's configure LDAP on the system. We can use for this:

Be sure to replace -–ldapserver and -–ldapbasedn with values that are relevant for your environment.

Installing the pam_user_map PAM Module

The pam_user_map PAM module is included in the base install. No installation is needed.

Next, let's .

Before the module can be compiled from source, we may need to install some dependencies.

On RHEL, CentOS, and other similar Linux distributions that use , we need to install gcc and pam-devel:

On Debian, Ubuntu, and other similar Linux distributions that use , we need to install gcc and libpam0g-dev:

Configuring the pam_user_map PAM Module

Next, let's based on our hypothetical requirements.

The configuration file for the pam_user_map PAM module is /etc/security/user_map.conf. Based on our requirements, ours would look like:

Installing the PAM Authentication Plugin

Next, let's .

Log into the MariaDB Server and execute the following:

Configuring the PAM Service

Next, let's . We will call our service mariadb, so our PAM service configuration file will be located at /etc/pam.d/mariadb on most systems.

Configuring PAM to Allow Only LDAP Authentication

Since we are only doing LDAP authentication with the PAM module and group mapping with the pam_user_map PAM module, our configuration file would look like this:

Configuring PAM to Allow LDAP and Local Unix Authentication

If we want to allow authentication from LDAP users and from local Unix users through , while giving priority to the local users, then we could do this instead:

Configuring the pam_unix PAM Module

If you also want to allow authentication from local Unix users, the pam_unix PAM module adds on a lot of systems. We basically have to give the user that runs mysqld access to /etc/shadow.

If the mysql user is running mysqld, then we can do that by executing the following:

The server needs to be restarted for this change to take affect.

Creating MariaDB Users

Next, let's . Remember that our PAM service is called mariadb.

First, let's create the MariaDB user for the user mapping: foo: bar

That means that we need to create a bar user:

And then let's create the MariaDB user for the group mapping: @dba: dba

That means that we need to create a dba user:

And then to allow for the user and group mapping, we need to that is also able to PROXY as the bar and dba users. Before we can create the proxy user, we might need to :

And then let's create the anonymous proxy user:

Testing our Configuration

Testing LDAP Authentication

First, let's test our foo user:

We can verify that our foo LDAP user was properly mapped to the bar MariaDB user by looking at the return value of .

Then let's test our gmontee user in the dba group:

And then let's test our bstillman user in the dba group:

We can verify that our gmontee and bstillman LDAP users in the dba LDAP group were properly mapped to the dba MariaDB user by looking at the return values of CURRENT_USER().

Testing Local Unix Authentication

If you chose the option that also allowed local Unix authentication, then let's test that out. Let's create a Unix user and give the user a password real quick:

And let's also map this user to dba:

And we know that the existing anonymous user already has the PROXY privilege granted to the dba user, so this should just work without any other configuration. Let's test it out:

We can verify that our alice Unix user was properly mapped to the dba MariaDB user by looking at the return values of .

Integrating with MariaDB MaxScale

If you are connecting to MariaDB Server through MariaDB MaxScale, it is also recommended to configure the proxy to authenticate users via .

_{This page is licensed: CC BY-SA / Gnu FDL}