LDAP Group to User mapping module

Description

*** WORK IN PROGRESS ***

This PAM service module can be used to map given user to another based on LDAP group membership. It can work only if used as PAM accounting module.

Example

Requirements

• Rust 1.18.0 or newer
• Working compiler.
• pkg-config, libssl-dev, libpam0g

Installation

Compile and install the .so:

cargo build --release
sudo cp target/release/libpam_groupmap.so /lib/security/pam_groupmap.so

Create the config file /etc/pam_groupmap.toml:

# LDAP connection parameters
[ldap]
# Comma separated list of LDAP servers.
uri = "ldaps://ldap1.example.com:636,ldaps://ldap2.example.com:636"
# LDAP simple bind credentials (at the moment they are the same for all servers)
user = "XXX"
pass = "YYY"
# pam_groupmap will do an LDAP subtree search for the
# attribute $group_attribute under $user_base_dn with
# filter ($uid_attribute=$pam_username)
# Then the results are going to be filtered locally for
# only those that end with $group_base_dn
user_base_dn = "OU=people,OU=user,DC=example,DC=com"
group_base_dn = "OU=db,OU=groups,DC=example,DC=com"
uid_attribute = "sAMAccountName"
group_attribute = "memberOf"

# LDAP Group to User mappings
[mappings]
"dbadmin" = "dbadmin"
"dbreadonly" = "dbrouser"
"dbreadwrite" = "rbrwuser"

Make sure the config has the correct permissions:

chown root:mysql /etc/pam_groupmap.toml
chmod 640 /etc/pam_groupmap.toml

Setup PAM, for example for Percona XtraDB in /etc/pam.d/mysqld:

auth       requisite     pam_unix.so
account    requisite     pam_groupmap.so /etc/pam_groupmap.toml

Known Issues

There is no way to set connection timeout for LDAP so if one server is down it's possible for this module to take significant amount of time until it moves on to the second one. There is a GitHub Issue about this.

As a temporary workaround of this issue (which also could be a good idea generally) the list of LDAP servers is currently randomized.