LDAP Group to User mapping module
Description
*** WORK IN PROGRESS ***
This PAM service module maps a given user to another user based on LDAP group membership. It works only when used as a PAM account module (the `account` stack, see the PAM setup below).
Example
Requirements
- Rust 1.18.0 or newer
- Working compiler.
- pkg-config, libssl-dev, libpam0g
Installation
Compile and install the .so:
cargo build --release
sudo cp target/release/libpam_groupmap.so /lib/security/pam_groupmap.so
Create the config file /etc/pam_groupmap.toml:
# LDAP connection parameters
[]
# Comma separated list of LDAP servers.
= "ldaps://ldap1.example.com:636,ldaps://ldap2.example.com:636"
# LDAP simple bind credentials (at the moment they are the same for all servers)
= "XXX"
= "YYY"
#
# LDAP server connection timeout in seconds, default is 2.
# conn_timeout = 2
# LDAP server operation timeout in seconds (bind and search), default is 5.
# op_timeout = 5
#
# pam_groupmap will do an LDAP subtree search for the
# attribute $group_attribute under $user_base_dn with
# filter ($uid_attribute=$pam_username).
# The results are then filtered locally, keeping only
# those that end with $group_base_dn.
= "OU=people,OU=user,DC=example,DC=com"
= "OU=db,OU=groups,DC=example,DC=com"
= "sAMAccountName"
= "memberOf"
# LDAP Group to User mappings
[]
= "dbadmin"
= "dbrouser"
= "rbrwuser"
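The two local steps the config comments describe (keep only the memberOf values under $group_base_dn, then resolve them against the mapping table) are shown below as an added, self-contained Rust example. It is not code from pam_groupmap itself: the mapping table is constructed here, the assumption that mapping keys are full group DNs is this example's, and the handling of a user who belongs to two groups that map to different target users (treated as an error rather than guessing) is also this example's choice, not necessarily the module's.

```rust
use std::collections::HashMap;

/// Group-to-user mapping table. In the real module this comes from the
/// mappings section of /etc/pam_groupmap.toml; the entries here are
/// constructed for the example, and using full group DNs as keys is an
/// assumption of this example, not documented project behaviour.
pub fn example_mappings() -> HashMap<String, String> {
    let mut m = HashMap::new();
    for &(group, user) in &[
        ("CN=dbadmins,OU=db,OU=groups,DC=example,DC=com", "dbadmin"),
        ("CN=dbreaders,OU=db,OU=groups,DC=example,DC=com", "dbrouser"),
    ] {
        // LDAP DN comparison is case-insensitive, so normalise keys once.
        m.insert(group.to_ascii_lowercase(), user.to_string());
    }
    m
}

/// Local filtering step: keep only the memberOf values that end with
/// `group_base_dn`. A group with the same CN under a different base is
/// dropped, so only groups in the designated subtree can influence mapping.
pub fn filter_groups<'a>(member_of: &[&'a str], group_base_dn: &str) -> Vec<&'a str> {
    let suffix = group_base_dn.to_ascii_lowercase();
    member_of
        .iter()
        .copied()
        .filter(|dn| dn.to_ascii_lowercase().ends_with(&suffix))
        .collect()
}

/// Mapping step. Returns Ok(Some(user)) when the filtered groups resolve to
/// exactly one target user, Ok(None) when none of them is mapped (the caller
/// keeps the original PAM user), and Err(targets) when the groups resolve to
/// more than one target user; an account module should fail closed on that
/// rather than pick one. This ambiguity rule is the example's own choice.
pub fn map_user(
    member_of: &[&str],
    group_base_dn: &str,
    mappings: &HashMap<String, String>,
) -> Result<Option<String>, Vec<String>> {
    let mut targets: Vec<String> = filter_groups(member_of, group_base_dn)
        .into_iter()
        .filter_map(|dn| mappings.get(&dn.to_ascii_lowercase()).cloned())
        .collect();
    targets.sort();
    targets.dedup();
    match targets.len() {
        0 => Ok(None),
        1 => Ok(targets.pop()),
        _ => Err(targets),
    }
}

fn main() {
    // Constructed memberOf values as an LDAP search might return them.
    let member_of = [
        "CN=staff,OU=misc,DC=example,DC=com",
        "CN=DBAdmins,OU=db,OU=groups,DC=example,DC=com",
    ];
    let base = "OU=db,OU=groups,DC=example,DC=com";
    println!("{:?}", map_user(&member_of, base, &example_mappings()));
}
```

The suffix comparison is done case-insensitively because LDAP DN matching generally is; a stricter deployment could normalise DNs fully before comparing, but the point of the filter is the same: membership in a group outside $group_base_dn never changes which user the session is mapped to.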
Make sure the config has the correct permissions:
chown root:mysql /etc/pam_groupmap.toml
chmod 640 /etc/pam_groupmap.toml
Set up PAM, for example for Percona XtraDB in /etc/pam.d/mysqld:
auth requisite pam_unix.so
account requisite pam_groupmap.so /etc/pam_groupmap.toml