1 of 1

Configuring PAM Authentication and User Mapping with Unix Authentication

This guide shows how to authenticate database users using local Unix accounts and map Unix groups to MariaDB users with the PAM plugin.

We walk through the configuration of PAM authentication using the pam authentication plugin and user and group mapping with the pam_user_map PAM module. The primary authentication will be handled by the pam_unix PAM module, which performs standard Unix password authentication.

Hypothetical Requirements

In this walkthrough, we are going to assume the following hypothetical requirements:

The Unix user foo should be mapped to the MariaDB user bar. (foo: bar)
Any Unix user in the Unix group dba should be mapped to the MariaDB user dba. (@dba: dba)

Creating Our Unix Users and Groups

Let's go ahead and create the Unix users and groups that we are using for this hypothetical scenario.

First, let's create the foo user and a couple users to go into the dba group. Note that each of these users needs a password.

Next, let's create the dba group and add our two users to it:

We also need to create Unix users with the same name as the bar and dba MariaDB users. See to read more about why. No one will be logging in as these users, so they do not need passwords.

Installing the pam_user_map PAM Module

Next, let's .

Before the module can be compiled from source, we may need to install some dependencies.

On RHEL, CentOS, and other similar Linux distributions that use , we need to install gcc and pam-devel:

On Debian, Ubuntu, and other similar Linux distributions that use , we need to install gcc and libpam0g-dev:

And then we can build and install the library with the following:

Configuring the pam_user_map PAM Module

Next, let's based on our hypothetical requirements.

The configuration file for the pam_user_map PAM module is /etc/security/user_map.conf. Based on our hypothetical requirements, ours would look like:

Installing the PAM Authentication Plugin

Next, let's .

Log into the MariaDB Server and execute the following:

Configuring the PAM Service

Next, let's . We will call our service mariadb, so our PAM service configuration file will be located at /etc/pam.d/mariadb on most systems.

Since we are only doing Unix authentication with the pam_unix PAM module and group mapping with the pam_user_map PAM module, our configuration file would look like this:

Configuring the pam_unix PAM Module

The pam_unix PAM module adds on a lot of systems. We basically have to give the user that runs mysqld access to /etc/shadow.

If the mysql user is running mysqld, then we can do that by executing the following:

The server needs to be restarted for this change to take affect.

Creating MariaDB Users

Next, let's . Remember that our PAM service is called mariadb.

First, let's create the MariaDB user for the user mapping: foo: bar . This means we need to create a bar user:

Next, let's create the MariaDB user for the group mapping: @dba: dba . This means that we need to create a dba user:

Next, to allow for the user and group mapping, we need to that is also able to PROXY as the bar and dba users. Before we can create the proxy user, we might need to :

Finally, let's create the anonymous proxy user:

Testing our Configuration

Next, let's test out our configuration by . We can verify this by logging in as each of our users and comparing the return value of , which is the original user name and the return value of , which is the authenticated user name.

First, let's test our foo user:

We can verify that our foo Unix user was properly mapped to the bar MariaDB user by looking at the return value of CURRENT_USER().

Next, let's test our alice user in the dba group:

Finally, let's test our bob user in the dba group:

We can verify that our alice and bob Unix users in the dba Unix group were properly mapped to the dba MariaDB user by looking at the return values of CURRENT_USER().

_{This page is licensed: CC BY-SA / Gnu FDL}

Configuring PAM Authentication and User Mapping with Unix Authentication

This guide shows how to authenticate database users using local Unix accounts and map Unix groups to MariaDB users with the PAM plugin.

Hypothetical Requirements

In this walkthrough, we are going to assume the following hypothetical requirements:

The Unix user foo should be mapped to the MariaDB user bar. (foo: bar)
Any Unix user in the Unix group dba should be mapped to the MariaDB user dba. (@dba: dba)

Creating Our Unix Users and Groups

Let's go ahead and create the Unix users and groups that we are using for this hypothetical scenario.

First, let's create the foo user and a couple users to go into the dba group. Note that each of these users needs a password.

Next, let's create the dba group and add our two users to it:

We also need to create Unix users with the same name as the bar and dba MariaDB users. See to read more about why. No one will be logging in as these users, so they do not need passwords.

Installing the pam_user_map PAM Module

Next, let's .

Before the module can be compiled from source, we may need to install some dependencies.

On RHEL, CentOS, and other similar Linux distributions that use , we need to install gcc and pam-devel:

On Debian, Ubuntu, and other similar Linux distributions that use , we need to install gcc and libpam0g-dev:

And then we can build and install the library with the following:

Configuring the pam_user_map PAM Module

Next, let's based on our hypothetical requirements.

The configuration file for the pam_user_map PAM module is /etc/security/user_map.conf. Based on our hypothetical requirements, ours would look like:

Installing the PAM Authentication Plugin

Next, let's .

Log into the MariaDB Server and execute the following:

Configuring the PAM Service

Next, let's . We will call our service mariadb, so our PAM service configuration file will be located at /etc/pam.d/mariadb on most systems.

Since we are only doing Unix authentication with the pam_unix PAM module and group mapping with the pam_user_map PAM module, our configuration file would look like this:

Configuring the pam_unix PAM Module

The pam_unix PAM module adds on a lot of systems. We basically have to give the user that runs mysqld access to /etc/shadow.

If the mysql user is running mysqld, then we can do that by executing the following:

The server needs to be restarted for this change to take affect.

Creating MariaDB Users

Next, let's . Remember that our PAM service is called mariadb.

First, let's create the MariaDB user for the user mapping: foo: bar . This means we need to create a bar user:

Next, let's create the MariaDB user for the group mapping: @dba: dba . This means that we need to create a dba user:

Next, to allow for the user and group mapping, we need to that is also able to PROXY as the bar and dba users. Before we can create the proxy user, we might need to :

Finally, let's create the anonymous proxy user:

Testing our Configuration

First, let's test our foo user:

We can verify that our foo Unix user was properly mapped to the bar MariaDB user by looking at the return value of CURRENT_USER().

Next, let's test our alice user in the dba group:

Finally, let's test our bob user in the dba group:

We can verify that our alice and bob Unix users in the dba Unix group were properly mapped to the dba MariaDB user by looking at the return values of CURRENT_USER().

_{This page is licensed: CC BY-SA / Gnu FDL}