maria-discuss team mailing list archive

Thread
Date

Re: OpenLDAP & PAM authentication

To: Adam Balgach <adam.balgach@xxxxxxxxx>
From: Sergei Golubchik <serg@xxxxxxxxxxx>
Date: Fri, 19 Jan 2018 19:40:12 +0100
Cc: Maria-discuss@xxxxxxxxxxxxxxxxxxx
In-reply-to: <CAL2X=JBXb4Gv8y+EbWhzLhLJV7Njwi_gfyqAWgXXWq9Fbw-bNw@mail.gmail.com>
User-agent: Mutt/1.7.2 (2016-11-26)

Hi, Adam!

On Jan 19, Adam Balgach wrote:
> Hello –
> 
> I am having an issue configuring openLDAP to authenticate users on an
> instance in RHEL (CentOS 7)
> 
> MariaDB server
> 
> configured with plugin-load=auth_pam.so
> 
> in my /etc/pam.d/mysql:
> auth required pam_ldap.so
> account required pam_ldap.so
> 
> when I try and access the server from either the localhost, or any server
> inside my internal network, I see the LDAP authentication happen without
> issue and login is fine.
> 
> When I try and access the server from outside the network, on the mariadb
> server in /var/log/secure I see the following:
> 
> Jan 19 08:32:35 mysqld: pam_ldap(mysql:auth): unexpected response from failed conversation function
> Jan 19 08:32:35 mysqld: pam_ldap(mysql:auth): conversation failed
> Jan 19 08:32:35 mysqld: pam_ldap(mysql:auth): failed to get password: Authentication token manipulation error
> 
> And in my client (Cygwin) I get the following error:
> 
> ERROR 2059 (HY000): Authentication plugin 'mysql_clear_password' cannot be
> loaded: No such file or directory
> 
> However I see this plugin in the /usr/lib64/mysql/plugin directory

Do you see it on the server or on the client?

It is a client plugin, it must be stored on the client side and loaded
run-time by your client.

Regards,
Sergei
Chief Architect MariaDB
and security@xxxxxxxxxxx

References

OpenLDAP & PAM authentication
From: Adam Balgach, 2018-01-19