MXS-2267 Document requirements for an accepted PAM user

The requirements are typical of MaxScale authenticators.
Also, fixes the fallback PAM service.
Esa Korhonen
2019-01-23 11:19:42 +02:00
parent 1e1836354b
commit 97c0c76321

@ -29,13 +29,15 @@ protocol=MariaDBBackend
authenticator=PAMBackendAuth authenticator=PAMBackendAuth
``` ```
The client PAM authenticator will fetch user entries with `plugin='pam'` from The PAM authenticator fetches user entries with `plugin='pam'` from
the `mysql.user` table. The entries should also have a PAM service name set in the `mysql.user` table of a backend. The user accounts also need to have either
the `authetication_string` column. The matching PAM service in the operating the global SELECT-privilege or a database or a table-level privilege. The PAM
system PAM config will be used for authenticating a user. If the service name of a user is read from the `authetication_string`-column. The
`authetication_string` for an entry is empty, a fallback service (e.g. `other`) matching PAM service in the operating system PAM config is used for
is used. If a username@host has multiple matching entries, they will all be authenticating the user. If the `authetication_string` for a user is empty,
attempted until authentication succeeds or all fail. the fallback service `mysql` is used. If a username@host-combination matches
multiple rows, they will all be attempted until authentication succeeds or all
services fail.
PAM service configuration is out of the scope of this document, see PAM service configuration is out of the scope of this document, see
[The Linux-PAM System Administrators' Guide [The Linux-PAM System Administrators' Guide
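Review bot: The rewritten paragraph carries over the misspelled column name `authetication_string` in both places it appears ("read from the `authetication_string`-column" and "If the `authetication_string` for a user is empty"); the column in `mysql.user` is `authentication_string`, and a reader who copies the name from the docs into a query will get an unknown-column error. In the same paragraph, "either the global SELECT-privilege or a database or a table-level privilege" does not say which privilege is meant at database or table level; state whether any grant is enough or name the privilege, since this sentence decides which accounts MaxScale accepts. With the fallback now documented as `mysql` instead of "e.g. `other`", it is also worth one sentence saying that accounts with an empty service name are authenticated against a PAM service named `mysql`, so that service has to exist in the operating system PAM config.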