Hi Sergei,
I need (still) an explanation of how the MySQL 'proxy user' can be used with the current plugin implementation (with all the limitations it has) - IF that is possible at all? If not, just stop reading here.
I have spent hours trying to make it work, but no luck.
Currently I have ended up with this setup - just removed the Kerberos things - they are not needed for MySQL authorization (FYI, everything ELSE on the system using PAM/LDAP works fine):
---8<------</etc/pam.d/mysql>---
# Derived from password-auth-ac, used for mysql pam_auth
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
---8<------</etc/pam.d/mysql>---
I am able to ssh (Kerberos 5 with LDAP backend DB authorization + the PAM mkhomedir plugin) to the box running the MySQL server, called 'auth_pam-test':
---8<---
$ who am i
predrag_zecevic pts/0 2013-02-12 15:53 (xxx.xxx.xxx)
$ id -gn
zecevic
---8<---
Working with MySQL 5.5.30, fresh installation:
---8<---
$ mysql -uroot mysql -e "show plugins"
...
| auth_pam | ACTIVE | AUTHENTICATION | auth_pam.so | GPL |
---8<---
Proxy user setup:
---8<------<SQL>---
CREATE USER ''@'' IDENTIFIED WITH 'auth_pam' AS 'mysql,zecevic=reader';
CREATE USER 'reader'@'localhost' IDENTIFIED BY 'reader_pass';
GRANT PROXY ON 'reader'@'localhost' TO ''@'';
FLUSH PRIVILEGES;
---8<------<SQL>---
From another box, when trying to connect, I get an error (the same in both cases: with and without the proper password):
---8<---
$ mysql -hauth_pam-test -upredrag_zecevic -p test -e "SELECT USER(), CURRENT_USER(), @@proxy_user, @@external_user;"
Enter password:
ERROR 1045 (28000): Access denied for user 'predrag_zecevic'@'predrag-test.my_domain.com' (using password: YES)
---8<---
On the 'auth_pam-test' box (from the MySQL general log) you can see the proxy user setup and my failed attempt:
---8<---
130212 16:55:05     6 Connect   root@localhost on mysql
                    6 Query     select @@version_comment limit 1
                    6 Query     CREATE USER ''@'' IDENTIFIED WITH 'auth_pam' AS 'mysql,zecevic=reader'
                    6 Query     CREATE USER 'reader'@'localhost' IDENTIFIED BY 'reader_pass'
                    6 Query     GRANT PROXY ON 'reader'@'localhost' TO ''@''
                    6 Query     FLUSH PRIVILEGES
                    6 Quit
130212 16:55:34     8 Connect   predrag_zecevic@predrag-test.my_domain.com as reader on test
                    8 Connect   Access denied for user 'predrag_zecevic'@'predrag-test.my_domain.com' (using password: YES)
---8<---
As you may see, I was authenticated and my primary group was 'detected' (via the mapping) as the 'reader' user. Still, the connection failed.
So, maybe the grant is failing? Nothing changed after adding a simple one: "GRANT SELECT ON `test`.* TO 'reader'@'localhost';"
So, I am puzzled (the plugin doc is not usable: http://www.percona.com/doc/percona-pam-for-mysql/index.html).
If you can shed some light on this, that would be fine... IF NOT, I can use a script to create every single user grant from LDAP - no big deal... but using a proxy user could save us a lot of work.
Sorry for the long post.
Thank you in advance and best regards.
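Editor's added example, not code from the plugin or from the poster: a small model of how an authentication string such as 'mysql,zecevic=reader' breaks down into a PAM service name plus a group-to-proxied-user mapping, together with an offline check that every proxied account the mapping names has a row in mysql.user and a PROXY grant to the anonymous proxy account ''@''. The sample rows and group list below are constructed to mirror the setup in the post; the ordering rules (first matching group wins, duplicate groups rejected) and the use of all of the login user's groups rather than only the primary one are assumptions of this model, not documented plugin behaviour.

```python
"""Model of an auth_pam authentication string and an audit of the grants
behind it.  Added illustration only; ordering and group rules are assumed."""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# (User, Host) pairs as they would appear in mysql.user
UserRow = Tuple[str, str]
# (Host, User, Proxied_host, Proxied_user) as in mysql.proxies_priv
ProxyRow = Tuple[str, str, str, str]


def parse_auth_string(auth_string: str) -> Tuple[str, Dict[str, str]]:
    """Split 'service,group1=user1,group2=user2' into the PAM service name
    and a group->proxied-user mapping.  Malformed entries raise ValueError so
    a typo in CREATE USER ... AS '...' is caught before anyone tries to log in."""
    parts = [p.strip() for p in auth_string.split(",")]
    service = parts[0]
    if not service:
        raise ValueError("authentication string must start with a PAM service name")
    mapping: Dict[str, str] = {}
    for item in parts[1:]:
        if "=" not in item:
            raise ValueError(f"bad mapping entry {item!r}: expected group=mysql_user")
        group, user = (s.strip() for s in item.split("=", 1))
        if not group or not user:
            raise ValueError(f"bad mapping entry {item!r}: empty group or user")
        if group in mapping:  # assumption: an ambiguous mapping is rejected
            raise ValueError(f"group {group!r} mapped twice")
        mapping[group] = user
    return service, mapping


def resolve_proxied_user(groups: Iterable[str], mapping: Dict[str, str]) -> Optional[str]:
    """Return the proxied MySQL user for the first of the login user's groups
    that is present in the mapping, or None when no group is mapped (assumed
    first-match semantics)."""
    for group in groups:
        if group in mapping:
            return mapping[group]
    return None


def check_proxy_setup(mapping: Dict[str, str],
                      user_rows: Set[UserRow],
                      proxies_priv: Set[ProxyRow]) -> List[str]:
    """Audit the grants behind a mapping: each proxied user needs a mysql.user
    row and a mysql.proxies_priv row granting PROXY on it to ''@''.
    Returns the problems found; an empty list means the wiring is complete."""
    problems: List[str] = []
    for group, proxied in mapping.items():
        hosts = sorted(h for (u, h) in user_rows if u == proxied)
        if not hosts:
            problems.append(f"group {group!r} maps to {proxied!r}, but mysql.user has no such user")
            continue
        granted = {ph for (h, u, ph, pu) in proxies_priv if h == "" and u == "" and pu == proxied}
        if not granted & set(hosts):
            problems.append(f"no PROXY grant on {proxied!r} (hosts: {', '.join(hosts)}) to ''@''")
    return problems


# Constructed sample mirroring the setup in the post (not dumped from a server).
SAMPLE_AUTH_STRING = "mysql,zecevic=reader"
SAMPLE_USER_ROWS: Set[UserRow] = {("", ""), ("reader", "localhost"), ("root", "localhost")}
SAMPLE_PROXIES_PRIV: Set[ProxyRow] = {("", "", "localhost", "reader")}
SAMPLE_LOGIN_GROUPS = ["zecevic", "users"]  # constructed stand-in for `id -Gn`


def demo() -> Tuple[str, Optional[str], List[str]]:
    """Run the model over the sample: service name, resolved proxied user,
    and any grant problems."""
    service, mapping = parse_auth_string(SAMPLE_AUTH_STRING)
    proxied = resolve_proxied_user(SAMPLE_LOGIN_GROUPS, mapping)
    return service, proxied, check_proxy_setup(mapping, SAMPLE_USER_ROWS, SAMPLE_PROXIES_PRIV)


if __name__ == "__main__":
    print(demo())  # ('mysql', 'reader', [])
```

To run the audit against a live server, replace the constructed sets with the output of `SELECT User, Host FROM mysql.user` and `SELECT Host, User, Proxied_host, Proxied_user FROM mysql.proxies_priv`; the check deliberately looks only at the anonymous ''@'' proxy account, since that is the one the post's CREATE USER statement creates.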