# Configuring PAM Authentication and User Mapping with Unix Authentication
We walk through the configuration of PAM authentication using the [pam](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-with-pluggable-authentication-modules-pam/authentication-plugin-pam) authentication plugin and user and group mapping with the [pam\_user\_map](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-with-pluggable-authentication-modules-pam/user-and-group-mapping-with-pam) PAM module. The primary authentication will be handled by the [pam\_unix](https://linux.die.net/man/8/pam_unix) PAM module, which performs standard Unix password authentication.
## Hypothetical Requirements
In this walkthrough, we are going to assume the following hypothetical requirements:
* The Unix user `foo` should be mapped to the MariaDB user `bar`. (`foo: bar`)
* Any Unix user in the Unix group `dba` should be mapped to the MariaDB user `dba`. (`@dba: dba`)
## Creating Our Unix Users and Groups
Let's go ahead and create the Unix users and groups that we are using for this hypothetical scenario.
First, let's create the `foo` user and a couple users to go into the `dba` group. Note that each of these users needs a password.
```bash
sudo useradd foo
sudo passwd foo
sudo useradd alice
sudo passwd alice
sudo useradd bob
sudo passwd bob
```
Next, let's create the `dba` group and add our two users to it:
```bash
sudo groupadd dba
sudo usermod -a -G dba alice
sudo usermod -a -G dba bob
```
We also need to create Unix users with the same name as the `bar` and `dba` MariaDB users. See [here](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/user-and-group-mapping-with-pam#pam-user-with-same-name-as-mapped-mariadb-user-must-exist) to read more about why. No one will be logging in as these users, so they do not need passwords.
```bash
sudo useradd bar
sudo useradd dba -g dba
```
## Installing the pam\_user\_map PAM Module
Next, let's [install the pam\_user\_map PAM module](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/user-and-group-mapping-with-pam#installing-the-pam_user_map-pam-module).
Before the module can be compiled from source, we may need to install some dependencies.
On RHEL, CentOS, and other similar Linux distributions that use [RPM packages](https://mariadb.com/docs/server/server-management/install-and-upgrade-mariadb/installing-mariadb/binary-packages/rpm), we need to install `gcc` and `pam-devel`:
```bash
sudo yum install gcc pam-devel
```
On Debian, Ubuntu, and other similar Linux distributions that use [DEB packages](https://mariadb.com/docs/server/server-management/install-and-upgrade-mariadb/installing-mariadb/binary-packages/installing-mariadb-deb-files), we need to install `gcc` and `libpam0g-dev`:
```
sudo apt-get install gcc libpam0g-dev
```
And then we can build and install the library with the following:
```bash
wget https://raw.githubusercontent.com/MariaDB/server/10.4/plugin/auth_pam/mapper/pam_user_map.c
gcc pam_user_map.c -shared -lpam -fPIC -o pam_user_map.so
sudo install --mode=0755 pam_user_map.so /lib64/security/
```
## Configuring the pam\_user\_map PAM Module
Next, let's [configure the pam\_user\_map PAM module](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/user-and-group-mapping-with-pam#configuring-the-pam_user_map-pam-module) based on our hypothetical requirements.
The configuration file for the `pam_user_map` PAM module is `/etc/security/user_map.conf`. Based on our hypothetical requirements, ours would look like:
```
foo: bar
@dba:dba
```
## Installing the PAM Authentication Plugin
Next, let's [install the pam authentication plugin](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-pam#installing-the-plugin).
Log into the MariaDB Server and execute the following:
```
INSTALL SONAME 'auth_pam';
```
## Configuring the PAM Service
Next, let's [configure the PAM service](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-pam#configuring-the-pam-service). We will call our service `mariadb`, so our PAM service configuration file will be located at `/etc/pam.d/mariadb` on most systems.
Since we are only doing Unix authentication with the `pam_unix` PAM module and group mapping with the `pam_user_map` PAM module, our configuration file would look like this:
```ini
auth required pam_unix.so audit
auth required pam_user_map.so
account required pam_unix.so audit
```
## Configuring the pam\_unix PAM Module
The `pam_unix` PAM module adds [some additional configuration steps](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-pam#configuring-the-pam-service) on a lot of systems. We basically have to give the user that runs `mysqld` access to `/etc/shadow`.
If the `mysql` user is running `mysqld`, then we can do that by executing the following:
```bash
sudo groupadd shadow
sudo usermod -a -G shadow mysql
sudo chown root:shadow /etc/shadow
sudo chmod g+r /etc/shadow
```
The server needs to be restarted for this change to take affect.
## Creating MariaDB Users
Next, let's [create the MariaDB users](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-plugin-pam#creating-users). Remember that our PAM service is called `mariadb`.
First, let's create the MariaDB user for the user mapping: `foo: bar` . This means we need to create a `bar` user:
```sql
CREATE USER 'bar'@'%' IDENTIFIED BY 'strongpassword';
GRANT ALL PRIVILEGES ON *.* TO 'bar'@'%' ;
```
Next, let's create the MariaDB user for the group mapping: `@dba: dba` . This means that we need to create a `dba` user:
```sql
CREATE USER 'dba'@'%' IDENTIFIED BY 'strongpassword';
GRANT ALL PRIVILEGES ON *.* TO 'dba'@'%' ;
```
Next, to allow for the user and group mapping, we need to [create an anonymous user that authenticates with the pam authentication plugin](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/user-and-group-mapping-with-pam#creating-users) that is also able to `PROXY` as the `bar` and `dba` users. Before we can create the proxy user, we might need to [clean up some defaults](https://mariadb.com/docs/server/sql-statements/account-management-sql-statements/create-user#fixing-a-legacy-default-anonymous-account):
```sql
DELETE FROM mysql.db WHERE User='' AND Host='%';
FLUSH PRIVILEGES;
```
Finally, let's create the anonymous proxy user:
```sql
CREATE USER ''@'%' IDENTIFIED VIA pam USING 'mariadb';
GRANT PROXY ON 'bar'@'%' TO ''@'%';
GRANT PROXY ON 'dba'@'%' TO ''@'%';
```
## Testing our Configuration
Next, let's test out our configuration by [verifying that mapping is occurring](https://mariadb.com/docs/server/reference/plugins/authentication-plugins/user-and-group-mapping-with-pam#verifying-that-mapping-is-occurring). We can verify this by logging in as each of our users and comparing the return value of [USER()](https://mariadb.com/docs/server/reference/sql-functions/secondary-functions/information-functions/user), which is the original user name and the return value of [CURRENT\_USER()](https://mariadb.com/docs/server/reference/sql-functions/secondary-functions/information-functions/current_user), which is the authenticated user name.
First, let's test our `foo` user:
```bash
$ mysql -u foo -h 172.30.0.198
[mariadb] Password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 22
Server version: 10.3.10-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> SELECT USER(), CURRENT_USER();
+------------------------------------------------+----------------+
| USER() | CURRENT_USER() |
+------------------------------------------------+----------------+
| foo@ip-172-30-0-198.us-west-2.compute.internal | bar@% |
+------------------------------------------------+----------------+
1 row in set (0.000 sec)
```
We can verify that our `foo` Unix user was properly mapped to the `bar` MariaDB user by looking at the return value of `CURRENT_USER()`.
Next, let's test our `alice` user in the `dba` group:
```bash
$ mysql -u alice -h 172.30.0.198
[mariadb] Password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 19
Server version: 10.3.10-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> SELECT USER(), CURRENT_USER();
+--------------------------------------------------+----------------+
| USER() | CURRENT_USER() |
+--------------------------------------------------+----------------+
| alice@ip-172-30-0-198.us-west-2.compute.internal | dba@% |
+--------------------------------------------------+----------------+
1 row in set (0.000 sec)
```
Finally, let's test our `bob` user in the `dba` group:
```bash
$ mysql -u bob -h 172.30.0.198
[mariadb] Password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 20
Server version: 10.3.10-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> SELECT USER(), CURRENT_USER();
+------------------------------------------------+----------------+
| USER() | CURRENT_USER() |
+------------------------------------------------+----------------+
| bob@ip-172-30-0-198.us-west-2.compute.internal | dba@% |
+------------------------------------------------+----------------+
1 row in set (0.000 sec)
```
We can verify that our `alice` and `bob` Unix users in the `dba` Unix group were properly mapped to the `dba` MariaDB user by looking at the return values of `CURRENT_USER()`.
*This page is licensed: CC BY-SA / Gnu FDL*
{% @marketo/form formId="4316" %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://mariadb.com/docs/server/reference/plugins/authentication-plugins/authentication-with-pluggable-authentication-modules-pam/configuring-pam-authentication-and-user-mapping-with-unix-authentication.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.