
Authentication plugin with ldap and proxy user

joepjoep, Entrant (Current User Role: Beginner)
Setting up the authentication plugin for LDAP, which is working, as I am able to log in with LDAP credentials, but the account is not using the proxy user, which means the grants are not working.
Server version: 5.6.27-75.0-log Percona Server (GPL), Release 75.0, Revision 8bb53b6
Created from the database admin account:

mysql> CREATE USER ''@'' IDENTIFIED WITH auth_pam AS 'mysqld, mysqldba=dbauser';
Query OK, 0 rows affected (0.00 sec)

mysql> grant all on *.* to 'dbauser'@'localhost' identified by 'xxx' with grant option;
Query OK, 0 rows affected (0.00 sec)

mysql> grant proxy on 'dbauser'@'localhost' to ''@'';
Query OK, 0 rows affected (0.00 sec)

mysql> select * from mysql.proxies_priv;
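+-----------+-----------+--------------+--------------+------------+-------------------+---------------------+
| Host      | User      | Proxied_host | Proxied_user | With_grant | Grantor           | Timestamp           |
+-----------+-----------+--------------+--------------+------------+-------------------+---------------------+
| localhost | root      |              |              |          1 |                   | 2015-11-16 16:32:41 |
| localhost | dba_admin |              |              |          1 | [email protected] | 0000-00-00 00:00:00 |
|           |           | localhost    | dbauser      |          0 | [email protected] | 0000-00-00 00:00:00 |
+-----------+-----------+--------------+--------------+------------+-------------------+---------------------+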

Question #1 - why is ''@'' / [email protected] not showing with_grant?


Log in as the LDAP user:

mysql> show grants;
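+-----------------------------------------------+
| Grants for @                                  |
+-----------------------------------------------+
| GRANT USAGE ON *.* TO ''@''                   |
| GRANT PROXY ON 'dbauser'@'localhost' TO ''@'' |
+-----------------------------------------------+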
2 rows in set (0.00 sec)

mysql> SELECT USER(), CURRENT_USER();
+-------------------+----------------+
| USER()            | CURRENT_USER() |
+-------------------+----------------+
| [email protected] | @              |
+-------------------+----------------+

Question #2 - why does it not proxy to [email protected]?

cat /etc/pam.d/mysqld
auth required pam_warn.so
auth required pam_ldap.so
account required pam_ldap.so

mysql> show grants for ''@'';
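+-----------------------------------------------+
| Grants for @                                  |
+-----------------------------------------------+
| GRANT USAGE ON *.* TO ''@''                   |
| GRANT PROXY ON 'dbauser'@'localhost' TO ''@'' |
+-----------------------------------------------+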
2 rows in set (0.00 sec)

mysql> show grants for 'dbauser'@'localhost';
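+-------------------------------------------------------------------------------------------------------+
| Grants for [email protected]                                                                          |
+-------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'dbauser'@'localhost' IDENTIFIED BY PASSWORD '*....' WITH GRANT OPTION |
+-------------------------------------------------------------------------------------------------------+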