mariadb ldap

  • Install the LDAP client (the package that provides pam_ldap.so, e.g. nss-pam-ldapd on RHEL)
  • Check that an LDAP user can ssh in; this proves NSS and PAM are already talking to the directory before MariaDB is involved

Install Modern Version of MariaDb

  • Run mysql_secure_installation
  • Add the PAM authentication plugin (MariaDB's auth_pam): INSTALL SONAME 'auth_pam';
  • Create the PAM service file /etc/pam.d/mariadb (the file name is the service named in the USING clause below) that looks like this (drop the debug option once it works):
account required pam_ldap.so debug
auth required pam_ldap.so debug
  • Back in mysql as root, create the LDAP user (ldap_person is the account used in the ssh test below):
CREATE USER 'ldap_person'@'localhost' IDENTIFIED VIA pam USING 'mariadb';
FLUSH PRIVILEGES;
  • Note that 'localhost' only matches connections over the socket or 127.0.0.1; a login with -h machine arrives from the host's real address and needs the same user created for that host as well

Now restart MariaDB

  • service mariadb restart

At this point the login should still fail

ssh in as the LDAP user and try to connect:

ssh ldap_person@machine
mysql -u ldap_person -h machine -p

You will get an unhelpful error message (typically Access denied for the user). MariaDB does not say why PAM refused the login, which is why the next step turns on PAM debugging.

Turn on PAM Debugging

Now as root

  • vi /etc/rsyslog.conf

Add the following line (it sends every message of every facility at debug level and above to that file, so remove it again when you are done)

  *.debug    /var/log/tim

Now create the output file

touch /var/log/tim

Now restart the rsyslog service

 service rsyslog restart

Repeat the login process with the LDAP user. In /var/log/tim you should now see the PAM debug output:

[image: pam_dbg.png, PAM debug output]

Please note: Authentication Successful, followed by PAM audit_open() failed. The directory has accepted the credentials; what fails is PAM's audit logging, which runs inside the mysqld process.

LDAP is now OK. Do not touch LDAP.

SELinux time

With some digging I found that there is an SELinux setting that needs checking:

semodule -DB
setenforce Permissive

The first command rebuilds the policy with the dontaudit rules disabled, so denials that SELinux normally suppresses (including the one behind audit_open() failed) show up in the audit log. The second puts SELinux into permissive mode, where denials are logged but no longer enforced. It is the permissive mode that lets the login succeed; semodule -DB only makes the denials visible so they can be turned into a policy module later.

Now when we try to log in, it works.

Notes:

No /etc/shadow mods needed !!

RHEL does not need the Domain username or admin (this is a little worrying).

Possible full steps

  • Remove dontaudits from policy: semodule -DB
  • Switch to permissive mode: setenforce Permissive
  • Log into MariaDB as this user
  • Create a policy: grep mysqld /var/log/audit/audit.log | audit2allow -M mariadb_pam; semodule -i mariadb_pam.pp
  • Review mariadb_pam.te before the semodule -i step: audit2allow allows exactly what was denied, and with dontaudits disabled and permissive mode on, the log may contain mysqld denials that have nothing to do with PAM
  • Restore: semodule -B; setenforce Enforcing
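The whole procedure above (PAM service file, plugin and user SQL, and the SELinux collect-and-allow cycle) as shell functions. This is an added example written for these notes, not a script from the original page or from MariaDB. It takes the service name mariadb, the module name mariadb_pam and the audit log path from the notes; the audit log lines it carries are constructed, not captured from a real host, and the real SELinux cycle only runs when RUN_SELINUX_CYCLE=1 is set as root on the database host.

```shell
#!/usr/bin/env bash
# Added example, not code from the original notes: the PAM-for-MariaDB setup
# as shell functions. The PAM service name "mariadb", the log path
# /var/log/audit/audit.log and the module name mariadb_pam come from the notes;
# the sample audit lines below are constructed for illustration.
set -eu

PAM_SERVICE="${PAM_SERVICE:-mariadb}"   # must match ... USING 'mariadb'

# Write <dir>/mariadb. With debug=1 the "debug" option is kept so pam_ldap
# logs to syslog (that is what the *.debug rsyslog rule in the notes collects).
write_pam_service() {
  dir=$1; debug=${2:-0}; opt=""
  [ "$debug" = 1 ] && opt=" debug"
  printf 'account required pam_ldap.so%s\nauth required pam_ldap.so%s\n' \
    "$opt" "$opt" > "$dir/$PAM_SERVICE"
  chmod 644 "$dir/$PAM_SERVICE"
}

# SQL to load the PAM plugin and map an LDAP login to the PAM service.
# 'localhost' only matches socket/127.0.0.1 connections; "mysql -h machine"
# arrives from the host's real address, so the user is created for both.
pam_user_sql() {
  user=$1; host=${2:-localhost}
  cat <<EOF
INSTALL SONAME 'auth_pam';
CREATE USER IF NOT EXISTS '$user'@'localhost' IDENTIFIED VIA pam USING '$PAM_SERVICE';
CREATE USER IF NOT EXISTS '$user'@'$host' IDENTIFIED VIA pam USING '$PAM_SERVICE';
EOF
}

# The denials audit2allow needs: AVC records from the mysqld process only.
# "PAM audit_open() failed" is the PAM library trying to open a netlink audit
# socket from inside mysqld; with dontaudit rules active that denial is never
# written, which is why the notes run "semodule -DB" before collecting.
mysqld_denials() {
  grep -E 'type=AVC .*comm="mysqld"' "$1" || true
}

# How many mysqld denials name a given object class, e.g. netlink_audit_socket.
# Zero means nothing useful was captured and a module built from the log
# would be empty (or, worse, built from unrelated denials).
count_class() {
  mysqld_denials "$1" | grep -c "tclass=$2" || true
}

# Constructed audit.log excerpt (not captured from a real host) so the
# functions above can be exercised offline.
sample_audit_log() {
  cat > "$1" <<'EOF'
type=AVC msg=audit(1500000000.100:101): avc:  denied  { create } for  pid=2201 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1500000000.200:102): avc:  denied  { read } for  pid=2300 comm="sshd" name="shadow" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
EOF
}

# The full SELinux cycle from the notes. Root on the database host only.
# The generated .te is shown before the module is loaded: audit2allow allows
# exactly what was denied, so check it contains only the netlink audit rule.
selinux_cycle() {
  log=${1:-/var/log/audit/audit.log}
  semodule -DB                     # log denials normally hidden by dontaudit
  setenforce Permissive            # log instead of block while reproducing
  echo "log in as the LDAP user from another shell, then press Enter"; read -r _
  mysqld_denials "$log" | audit2allow -M mariadb_pam
  cat mariadb_pam.te
  semodule -i mariadb_pam.pp
  semodule -B                      # put the dontaudit rules back
  setenforce Enforcing
}

# Nothing runs at load time; set RUN_SELINUX_CYCLE=1 to perform the real cycle.
if [ "${RUN_SELINUX_CYCLE:-0}" = 1 ]; then selinux_cycle; fi
```

Usage on the database host: `write_pam_service /etc/pam.d 1`, then `pam_user_sql ldap_person machine | mysql -u root -p`, then `RUN_SELINUX_CYCLE=1 bash thisfile.sh` as root. Note that INSTALL SONAME fails if auth_pam is already loaded, so run the SQL once. Filtering the audit log to comm="mysqld" before audit2allow is deliberate: while dontaudits are off and the box is permissive, every other confined process logs too, and a module built from the unfiltered log would grant far more than the one netlink_audit_socket rule this problem needs.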