- Install LDAP (client)
- Check that ssh login via LDAP works
Install a modern version of MariaDB
- Secure the MySQL installation
- Add the PAM authentication mode (pam_linux)
- Create a PAM service file (its name must match the one given in the CREATE USER statement, 'mariadb' here) that looks like this:
account required pam_ldap.so debug
auth required pam_ldap.so debug
- Log back into mysql as root
- Add the user (the name is the LDAP user from the ssh test below):
CREATE USER 'ldap_person'@'localhost' IDENTIFIED VIA pam USING 'mariadb';
- FLUSH PRIVILEGES;
Now restart MariaDB:
- service mariadb restart
At this point the login should still fail.
ssh in as the LDAP user and try to connect:
ssh ldap_person@machine mysql -u ldap_person -h machine -p
You will get a fairly unhelpful error message.
Turn on PAM debugging
Now, as root:
- vi /etc/rsyslog
Add the following line
Now create the output file
Now restart the rsyslog service:
- service rsyslog restart
Repeat the login process with the LDAP user. You should now see this in the log:
Note: "Authentication Successful", followed by a PAM "audit_open() failed".
LDAP is now OK; do not touch LDAP.
With some digging I found that there is an SELinux setting we need to check:
semodule -DB
setenforce Permissive
The first command rebuilds the policy without its dontaudit rules, so the SELinux denial that was silently causing the failure shows up in the audit log; the second puts SELinux into permissive mode.
Now when we try and log in ... it works.
No /etc/shadow mods needed !!
RHEL does not need the Domain username or admin (this is a little worrying).
Possible full steps
- Remove dontaudits from the policy: semodule -DB
- Switch to permissive mode: setenforce Permissive
- Log in to MariaDB as this user
- Create a policy module from the recorded denials: grep mysqld /var/log/audit/audit.log | audit2allow -M mariadb_pam; semodule -i mariadb_pam.pp
- Restore: semodule -B; setenforce Enforcing
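An added example, not from the original notes: the full steps above as shell functions that put SELinux back into enforcing mode with its dontaudit rules restored even when a step fails, plus a self-check on a constructed audit.log excerpt. Assumed: root and the standard SELinux tools (setenforce, semodule, audit2allow); DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Added example, not part of the original notes: the "possible full steps" as
# functions that always put SELinux back into enforcing mode with the dontaudit
# rules restored, even if a step fails. Assumes root and the standard tools
# (setenforce, semodule, audit2allow). DRY_RUN=1 prints commands instead.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Steps 1-2: show hidden (dontaudit) denials and stop SELinux blocking the login,
# so the denial behind "audit_open() failed" is written to audit.log.
selinux_relax() {
    run semodule -DB
    run setenforce Permissive
}

# Restore step: rebuild the policy with dontaudits and return to enforcing.
selinux_restore() {
    run semodule -B
    run setenforce Enforcing
}

# The "grep mysqld" step, narrowed to AVC records so unrelated log lines that
# merely mention the process do not end up in the policy module.
avc_for_comm() {
    grep 'type=AVC' "$1" | grep "comm=\"$2\""
}
denied_count() {
    avc_for_comm "$1" "$2" | wc -l | tr -d ' '
}

# Steps 4-5, run after the LDAP user has logged in to MariaDB: build and load the
# local module, and restore enforcing mode whatever happens.
build_pam_module() {
    trap selinux_restore EXIT
    avc_for_comm "${1:-/var/log/audit/audit.log}" mysqld | run audit2allow -M "${2:-mariadb_pam}"
    run semodule -i "${2:-mariadb_pam}.pp"
}

# Constructed audit.log sample for a self-check; real denial text will differ.
make_sample_audit_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
type=AVC msg=audit(1700000000.100:10): avc:  denied  { create } for  pid=1234 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket permissive=1
type=SYSCALL msg=audit(1700000000.100:10): arch=c000003e syscall=41 success=yes exit=3 comm="mysqld"
type=AVC msg=audit(1700000000.200:11): avc:  denied  { write } for  pid=1234 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1700000000.300:12): avc:  denied  { read } for  pid=999 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
EOF
    echo "$f"
}
```

Review the generated mariadb_pam.te before loading it: the module allows exactly what was denied during the test login, so anything else that ran in permissive mode in the meantime would be allowed too.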