Configuring LDAP Authentication and Group Mapping With MariaDB

Enterprise users who have a large number of MariaDB servers often want to centralize their MariaDB user account administration — especially for the user accounts of the database administration team. This can simplify some database administration tasks, since users do not have to be manually created on every server. Additionally, centralizing user account administration can make the enterprise environment more secure. For example, if a particular user needs to have their access to the servers revoked, the revocation only needs to happen once in the centralized repository, and the change will be reflected on all servers. This makes it much less likely that the database administration team will forget to remove the user’s access from some of the servers, which could cause security problems if the user then tried to use the account in an unauthorized manner.

We’ve blogged in the past that MariaDB supports this kind of centralized user account administration with the PAM authentication plugin and PAM user mapping module, and about support for group mapping in the PAM user mapping module. Many enterprise users prefer to integrate these components with LDAP, but that integration can be quite difficult. For a step-by-step guide on how to do this, I’ve detailed specific instructions here.