Hi! On Sep 11, mourik jan c heupink wrote:
Until I found out this works only from the localhost mariadb is running on. Trying this from a remote mysql client gives:
user@e7470 ~ $ mysql -udomain_user -p -h mysqlserver.full.address
Enter password:
ERROR 2059 (HY000): Authentication plugin 'dialog' cannot be loaded: /usr/lib/mysql/plugin/dialog.so: cannot open shared object file: No such file or directory
and searching on that remote server for /usr/lib/mysql/plugin/dialog.so gives no results:
user@e7470 ~ $ dpkg --search /usr/lib/mysql/plugin/dialog.so
dpkg-query: no path found matching pattern /usr/lib/mysql/plugin/dialog.so
Anyone here with a good suggestion how to make this work from a 'regular' remote mysql client?
But more fundamentally: is it possible to have mariadb ldap auth on a server, *without* requiring anything special on the client side?
Short answer - yes.

Long answer: PAM works by asking questions that the user answers. Like, the password, PIN, S/Key, verification code, whatever. In MariaDB world, PAM server plugin gets the question from the PAM subsystem, forwards the question to the client, reads the answer from the client and passes it back to PAM. Repeat as necessary.

For this to work, PAM plugin fundamentally needs something on the client side that can receive this arbitrary question, show it to the user, read the reply, and send it to the server. Normally, this is the dialog plugin. On Debian it's part of the libmariadbclient18 package, for example:
https://packages.debian.org/stretch/amd64/libmariadbclient18/filelist

If you use the command line client from Oracle MySQL distribution, not from MariaDB, you won't have a working dialog plugin. But you still have mysql_clear_password plugin. You can see it above in libmariadbclient18 list of files too, but in libmysqlclient it's compiled in, not a separate library.

You can instruct PAM plugin (on the server side!) to use mysql_clear_password, not dialog:
https://mariadb.com/kb/en/library/authentication-plugin-pam/#mysql-cleartext...

The drawback, it only supports one question/answer, won't repeat if some PAM module needs it. For LDAP it should be sufficient, though.

So
1) either use mariadb command line client and install all dependencies correctly, then you'll have dialog.so. Or
2) use Oracle mysql command line client and configure the server to request mysql_clear_password plugin.

Note that neither dialog nor mysql_clear_password encrypt answers they send to the server, so you should use SSL to protect your passwords.

Regards,
Sergei
Chief Architect MariaDB
and security@mariadb.org
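
The choice between options 1) and 2) in the reply above, as an added shell sketch that is not part of the original thread: it classifies a client from its `mysql --version` output and plugin directory, then prints a TLS-enabled invocation. The function names, the `--check` switch and the sample version strings are constructed for illustration; `pam_use_cleartext_plugin` is the MariaDB server option assumed for option 2).

```shell
#!/bin/sh
# Added example, not from the thread. Sample version strings are constructed.
SAMPLE_MARIADB='mysql  Ver 15.1 Distrib 10.1.26-MariaDB, for debian-linux-gnu (x86_64)'
SAMPLE_ORACLE='mysql  Ver 14.14 Distrib 5.7.19, for Linux (x86_64)'

# Classify a client. Prints one of:
#   dialog          MariaDB client with dialog.so present: option 1 works as-is
#   install-dialog  MariaDB client but dialog.so missing: fix the client packages
#   cleartext       other client: option 2, server must request mysql_clear_password
auth_path() {
    version_string=$1
    plugin_dir=$2
    case $version_string in
        *MariaDB*)
            if [ -f "$plugin_dir/dialog.so" ]; then
                echo dialog
            else
                echo install-dialog
            fi
            ;;
        *)
            echo cleartext
            ;;
    esac
}

# Print the client invocation for a path. Both request TLS, because neither
# dialog nor mysql_clear_password encrypts the answer it sends.
client_command() {
    path=$1 user=$2 host=$3
    case $path in
        dialog)
            echo "mysql --ssl --ssl-verify-server-cert -u$user -p -h $host" ;;
        cleartext)
            # Assumes the server sets pam_use_cleartext_plugin in its [mariadb] section.
            echo "mysql --ssl-mode=REQUIRED --enable-cleartext-plugin -u$user -p -h $host" ;;
        *)
            echo "install the MariaDB client library package that ships dialog.so" ;;
    esac
}

# Optional: inspect the local client (plugin directory taken from the error above).
if [ "${1:-}" = "--check" ]; then
    p=$(auth_path "$(mysql --version 2>/dev/null)" "${2:-/usr/lib/mysql/plugin}")
    echo "$p: $(client_command "$p" domain_user mysqlserver.full.address)"
fi
```

Run with `--check` on the client host to classify the installed `mysql` binary; an optional second argument overrides the plugin directory.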