Comment 11 for bug 1091566

Predrag Zecevic (predrag-zecevic) wrote :

Hi Sergei,

I still need an explanation of how the MySQL 'proxy user' can be used with the current plugin implementation (with all the limitations it has), IF that is possible at all. If not, just stop reading here.

I have spent hours trying to make it work, but no luck.

Currently I have ended up with this setup (I just removed the Kerberos parts, which are not needed for MySQL authorization; FYI, everything ELSE on the system using PAM/LDAP works fine):

---8<------</etc/pam.d/mysql>---
# Derived from password-auth-ac, used for mysql pam_auth

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
---8<------</etc/pam.d/mysql>---

I am able to ssh (Kerberos 5 with LDAP backend DB authorization + PAM mkhomedir plugin) to the box running the MySQL server, called 'auth_pam-test':
---8<---
$ who am i
predrag_zecevic pts/0 2013-02-12 15:53 (xxx.xxx.xxx)

$ id -gn
zecevic
---8<---

Working with MySQL 5.5.30, fresh installation:
---8<---
$ mysql -uroot mysql -e "show plugins"
...
| auth_pam | ACTIVE | AUTHENTICATION | auth_pam.so | GPL |
---8<---

Proxy user setup:
---8<------<SQL>---
CREATE USER ''@'' IDENTIFIED WITH 'auth_pam' AS 'mysql,zecevic=reader';

CREATE USER 'reader'@'localhost' IDENTIFIED BY 'reader_pass';
GRANT PROXY ON 'reader'@'localhost' TO ''@'';

FLUSH PRIVILEGES;
---8<------<SQL>---

From another box, when trying to connect, I get an error (the same in both cases: with and without the proper password):

---8<---
$ mysql -hauth_pam-test -upredrag_zecevic -p test -e "SELECT USER(), CURRENT_USER(), @@proxy_user, @@external_user;"
Enter password:
ERROR 1045 (28000): Access denied for user 'predrag_zecevic'@'predrag-test.my_domain.com' (using password: YES)
---8<---

On the 'auth_pam-test' box (from the MySQL general log) you can see the proxy user setup and my failed attempt:

---8<---
130212 16:55:05 6 Connect root@localhost on mysql
                    6 Query select @@version_comment limit 1
                    6 Query CREATE USER ''@'' IDENTIFIED WITH 'auth_pam' AS 'mysql,zecevic=reader'
                    6 Query CREATE USER 'reader'@'localhost' IDENTIFIED BY 'reader_pass'
                    6 Query GRANT PROXY ON 'reader'@'localhost' TO ''@''
                    6 Query FLUSH PRIVILEGES
                    6 Quit
130212 16:55:34 8 Connect predrag_zecevic@predrag-test.my_domain.com as reader on test
                    8 Connect Access denied for user 'predrag_zecevic'@'predrag-test.my_domain.com' (using password: YES)
---8<---

As you may see, I was authenticated and my primary group was 'detected' (via mapping) as the 'reader' user. Still, the connection failed.

So, maybe the grant is failing? Nothing changed after adding a simple one: "GRANT SELECT ON `test`.* TO 'reader'@'localhost';"

So, I am puzzled (the plugin doc is not usable: http://www.percona.com/doc/percona-pam-for-mysql/index.html).

If you can shed some light on this, that would be fine... IF NOT, I can use a script to create every single user grant from LDAP, no big deal... but using a proxy user could save us a lot of work.

Sorry for long post.

Thank you in advance and best regards.
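As an added example (not code from this comment or from the Percona plugin), the following Python models the two steps the proxy-user setup above relies on: the plugin's parsing of the 'mysql,zecevic=reader' authentication string into a PAM service name plus ordered group-to-user mappings, and the server's lookup of a PROXY grant before it switches the session to the proxied account. The mapping semantics (first matching group wins; no match means the login is proxied to itself) and the literal host comparison are assumptions taken from the plugin documentation and simplified; the account tables are constructed from the CREATE USER and GRANT PROXY statements in the comment. It does not explain the reported failure; it only shows what a successful resolution looks like and which missing piece (grant or proxied account) makes the server refuse.

```python
"""Model of how a Percona auth_pam mapping string and a GRANT PROXY entry
together select the effective MySQL account for a PAM-authenticated login.

Added example: not code from the bug comment or from the plugin itself.
Assumption (from the plugin documentation): the authentication string is
'<pam_service>[,<os_group>=<mysql_user>,...]', groups are tried left to
right, the first group the login user belongs to wins, and a login that
matches no group is proxied to itself. The account tables below are
constructed from the CREATE USER / GRANT PROXY statements in the comment.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

Account = Tuple[str, str]  # (user, host) as in mysql.user


@dataclass(frozen=True)
class PamAuthString:
    service: str
    group_map: Tuple[Tuple[str, str], ...]  # (os_group, mysql_user), in order


def parse_auth_string(auth: str) -> PamAuthString:
    """Split e.g. 'mysql,zecevic=reader,admins=admin' into its parts.

    Rejects an empty service name and a mapping without '=', since either
    would otherwise produce an account that can never authenticate.
    """
    parts = [p.strip() for p in auth.split(",")]
    if not parts[0]:
        raise ValueError("PAM service name is required")
    mappings = []
    for item in parts[1:]:
        if not item:
            continue  # tolerate a trailing comma
        if "=" not in item:
            raise ValueError(f"bad mapping {item!r}: expected os_group=mysql_user")
        os_group, mysql_user = (s.strip() for s in item.split("=", 1))
        if not os_group or not mysql_user:
            raise ValueError(f"bad mapping {item!r}: empty group or user")
        mappings.append((os_group, mysql_user))
    return PamAuthString(parts[0], tuple(mappings))


def authenticated_as(auth: PamAuthString, login_user: str,
                     os_groups: Iterable[str]) -> str:
    """User name the plugin reports to the server once PAM has succeeded."""
    groups = set(os_groups)
    for os_group, mysql_user in auth.group_map:
        if os_group in groups:
            return mysql_user
    return login_user  # no group matched: proxied to itself


# Constructed tables mirroring the SQL from the comment. Simplified: the real
# server matches host patterns; here (user, host) pairs are compared literally.
MYSQL_USER = {
    ("", ""): "mysql,zecevic=reader",  # CREATE USER ''@'' IDENTIFIED WITH auth_pam AS ...
    ("reader", "localhost"): None,     # CREATE USER 'reader'@'localhost' IDENTIFIED BY ...
}
PROXIES_PRIV = {
    (("", ""), ("reader", "localhost")),  # GRANT PROXY ON 'reader'@'localhost' TO ''@''
}


def effective_account(proxy_account: Account, login_user: str,
                      os_groups: Iterable[str],
                      proxies=PROXIES_PRIV, users=MYSQL_USER) -> Optional[Account]:
    """Account whose privileges the session gets, or None when the server
    would refuse: the plugin named a proxied user but there is no PROXY
    grant for it, or the proxied account does not exist."""
    auth_string = users[proxy_account]
    if auth_string is None:
        return proxy_account  # password account, no PAM mapping involved
    target = authenticated_as(parse_auth_string(auth_string), login_user, os_groups)
    if target == login_user:
        return proxy_account  # nothing to proxy; the matched account is used as-is
    for proxy, proxied in proxies:
        if proxy == proxy_account and proxied[0] == target and proxied in users:
            return proxied
    return None


if __name__ == "__main__":
    # Login from the comment: OS user predrag_zecevic, primary group zecevic.
    print(effective_account(("", ""), "predrag_zecevic", ["zecevic"]))
    # Same login with the PROXY grant removed: the server refuses.
    print(effective_account(("", ""), "predrag_zecevic", ["zecevic"], proxies=set()))
```

Running it stand-alone prints the ('reader', 'localhost') account for the mapped login and None once the PROXY grant is taken away; a login whose groups match nothing stays on the ''@'' account it connected with.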