  1. #1
    Join Date
    Sep 2012
    Posts
    3

    Unanswered: MySQL using PAM Authentication

    If you use PAM authentication with MySQL, does it automatically assign a blank list of databases to each user, or do they have access to all of the databases?

    Thanks in Advance

  2. #2
    Join Date
    Sep 2009
    Location
    San Sebastian, Spain
    Posts
    880
    The authentication is only the first step. After it has authenticated it then is associated with a proxy account on MySQL. That proxy account should have permissions defined for whatever database.

    For example, let's imagine you have several PAM accounts set up and each one is supposed to have different permissions. If one PAM account belongs to group1 and another to group2, you can associate each one of these with different internal MySQL accounts:

    CREATE USER ''@''
    IDENTIFIED WITH authentication_pam
    AS 'mysql, group1=dev, group2=admin';

    In the example above, anyone belonging to the group1 PAM group will be mapped to the dev user account on MySQL, and those belonging to PAM group2 will be mapped to the admin user account on MySQL.

    Within the database the user accounts dev and admin may have different accesses to different or the same databases.
    Ronan Cashell
    Certified Oracle DBA/Certified MySQL Expert (DBA & Cluster DBA)
    http://www.it-iss.com
    Follow me on Twitter
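
The mapping described in the post above, carried through to the accounts and grants it depends on, as an added example that is not part of the original post. The database names (devdb, admindb), the 'localhost' host part and the passwords are placeholders; the PAM service name and group names are taken from the post.

```sql
-- Added example. Assumes the authentication_pam plugin is installed and a
-- PAM service named "mysql" is configured on the server host.

-- 1. Proxied accounts: these hold the real privileges. Give them long random
--    passwords (placeholders here) so nobody logs in to them directly.
CREATE USER 'dev'@'localhost'   IDENTIFIED BY '<long-random-password-1>';
CREATE USER 'admin'@'localhost' IDENTIFIED BY '<long-random-password-2>';

-- 2. Database access is granted to the proxied accounts only.
GRANT SELECT, INSERT, UPDATE, DELETE ON devdb.* TO 'dev'@'localhost';
GRANT ALL PRIVILEGES ON admindb.* TO 'admin'@'localhost';

-- 3. Default proxy account from the post: authenticates through PAM and maps
--    PAM group1 to dev and PAM group2 to admin.
CREATE USER ''@''
  IDENTIFIED WITH authentication_pam
  AS 'mysql, group1=dev, group2=admin';

-- 4. The proxy account may only impersonate accounts it holds PROXY on.
--    It is given no database privileges of its own in this script.
GRANT PROXY ON 'dev'@'localhost'   TO ''@'';
GRANT PROXY ON 'admin'@'localhost' TO ''@'';

-- 5. Run after logging in as a PAM user to confirm the mapping:
--    USER() is the name used at login, CURRENT_USER() is the proxied account
--    whose privileges apply, @@proxy_user is the proxy account that matched.
SELECT USER(), CURRENT_USER(), @@proxy_user;
SHOW GRANTS;
```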

  3. #3
    Join Date
    Sep 2012
    Posts
    3
    I would like to be able to create an account on the domain and then, when they log in, each user has their own set of databases, and if not, create them! Is this possible?

  4. #4
    Join Date
    Sep 2009
    Location
    San Sebastian, Spain
    Posts
    880
    Firstly, if it is a new user, you need to have already created the database for them and assigned them the permissions that they need in that database to the MySQL user account.

    The PAM groups map to the MySQL user so basically you would need to create a single PAM group for every MySQL user account.

    This is very flexible if you wanted to use a single MySQL login for all the users that have PAM authenticated belonging to a specific PAM group.
    Ronan Cashell
    Certified Oracle DBA/Certified MySQL Expert (DBA & Cluster DBA)
    http://www.it-iss.com
    Follow me on Twitter

  5. #5
    Join Date
    Sep 2012
    Posts
    3
    So there is no way to automatically create a group for each PAM user?

  6. #6
    Join Date
    Sep 2009
    Location
    San Sebastian, Spain
    Posts
    880
    There are possible scripts you could write on UNIX/Linux which could handle this for you, but there is nothing in MySQL directly. So you could create a script for adding a user. This script adds to PAM (you will probably have to signal PAM to reload the configuration) and also creates a new MySQL user, so that these are associated, and the dedicated database. A second script could be used to remove a user, which drops the MySQL user and drops the dedicated database.
    Ronan Cashell
    Certified Oracle DBA/Certified MySQL Expert (DBA & Cluster DBA)
    http://www.it-iss.com
    Follow me on Twitter
