
maria-discuss team mailing list archive

Re: pam / ldap auth

 

Hi!

On Sep 11, mourik jan c heupink wrote:
> Until I found out this works only from the localhost mariadb is running 
> on. Trying this from a remote mysql client gives:
> 
>  > user@e7470 ~ $ mysql -udomain_user -p -h mysqlserver.full.address
>  > Enter password: ERROR 2059 (HY000): Authentication plugin 'dialog' 
> cannot be loaded: /usr/lib/mysql/plugin/dialog.so: cannot open shared 
> object file: No such file or directory
> 
> and searching on that remote server for /usr/lib/mysql/plugin/dialog.so 
> gives no results:
> 
>  > user@e7470 ~ $ dpkg --search /usr/lib/mysql/plugin/dialog.so
>  > dpkg-query: no path found matching pattern 
> /usr/lib/mysql/plugin/dialog.so
> 
> Anyone here with a good suggestion how to make this work from a 
> 'regular' remote mysql client?
> 
> But more fundamentally: is it possible to have mariadb ldap auth on a 
> server, *without* requiring anything special on the client side?

Short answer - yes.
Long answer:

PAM works by asking questions that the user answers. Like, the password,
PIN, S/Key, verification code, whatever.

In MariaDB world, PAM server plugin gets the question from the PAM
subsystem, forwards the question to the client, reads the answer from
the client and passes it back to PAM. Repeat as necessary.

For this to work, PAM plugin fundamentally needs something on the client
side that can receive this arbitrary question, show it to the user, read
the reply, and send it to the server.

Normally, this is the dialog plugin. On Debian it's part of the
libmariadbclient18 package, for example:

https://packages.debian.org/stretch/amd64/libmariadbclient18/filelist

If you use the command line client from Oracle MySQL distribution,
not from MariaDB, you won't have a working dialog plugin. But you still
have mysql_clear_password plugin. You can see it above in
libmariadbclient18 list of files too, but in libmysqlclient it's
compiled in, not a separate library. You can instruct PAM plugin (on the
server side!) to use mysql_clear_password, not dialog:
https://mariadb.com/kb/en/library/authentication-plugin-pam/#mysql-cleartext-plugin
the drawback, it only supports one question/answer, won't repeat if some
PAM module needs it. For LDAP it should be sufficient, though.

So 1) either use mariadb command line client and install all
dependencies correctly, then you'll have dialog.so. Or 2) use oracle
mysql command line client and configure the server to request
mysql_clear_password plugin.

Note that neither dialog nor mysql_clear_password encrypt answers
they send to the server, so you should use SSL to protect your
passwords.

Regards,
Sergei
Chief Architect MariaDB
and security@xxxxxxxxxxx
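The server-side setup Sergei describes, written out as an added example (this is not from the thread and not MariaDB's own documentation). It assumes a MariaDB server with a PAM service file named `mariadb` (the `USING 'mariadb'` below) that delegates to pam_ldap, a TLS-enabled server, and an illustrative account `domain_user` with a database `app`; all three are assumptions, not facts from the post.

```sql
-- Added example: MariaDB server-side PAM/LDAP setup for clients without dialog.so.
-- Assumptions (not from the original post): /etc/pam.d/mariadb exists and uses
-- pam_ldap; the server already has ssl_ca/ssl_cert/ssl_key configured; the
-- login name 'domain_user' and database 'app' are placeholders.

-- Load the PAM authentication plugin (option 1 or 2 from the reply both need it).
INSTALL SONAME 'auth_pam';

-- Option 2 from the reply: tell the PAM plugin to use mysql_clear_password on
-- the client side instead of dialog. A stock Oracle MySQL client has
-- mysql_clear_password compiled in, so no dialog.so is required on the client.
-- Limitation: only one question/answer round, which is enough for pam_ldap.
SET GLOBAL pam_use_cleartext_plugin = ON;

-- Make the same setting persistent across restarts (my.cnf form):
-- [mariadb]
-- pam_use_cleartext_plugin = ON

-- Create the LDAP-backed account. 'mariadb' is the PAM service name, i.e. the
-- file /etc/pam.d/mariadb. REQUIRE SSL refuses non-TLS connections: both dialog
-- and mysql_clear_password send the password to the server unencrypted, so TLS
-- is what keeps the LDAP password off the wire.
CREATE USER 'domain_user'@'%' IDENTIFIED VIA pam USING 'mariadb' REQUIRE SSL;
GRANT SELECT ON app.* TO 'domain_user'@'%';

-- Checks a practitioner would run before handing the account out:
-- the account must show plugin = 'pam', the variable must be ON, and
-- the TLS requirement must be present in the grants.
SELECT user, host, plugin, authentication_string
  FROM mysql.user WHERE user = 'domain_user';
SHOW GLOBAL VARIABLES LIKE 'pam_use_cleartext_plugin';
SHOW GRANTS FOR 'domain_user'@'%';
```

On the client side, the MariaDB command line client only needs TLS enabled (`mysql --ssl -h mysqlserver.full.address -u domain_user -p`); the Oracle MySQL client additionally refuses to send a cleartext password unless you pass `--enable-cleartext-plugin` (or set `LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1`), and should be run with `--ssl-mode=REQUIRED` so that the password never goes out in the clear. The assumed `/etc/pam.d/mariadb` file would contain an `auth` and an `account` line pointing at `pam_ldap.so`; with `REQUIRE SSL` set and no server certificate configured, logins fail rather than silently falling back to plaintext, which is the intended failure mode.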
