LDAP组到用户映射模块

描述

*** 进行中 ***

此PAM服务模块可以用于根据LDAP组成员资格将指定的用户映射到另一个用户。它只能作为PAM accounting 模块使用。

示例

需求

• Rust 1.18.0或更高版本
• 可用的编译器。
• pkg-config, libssl-dev, libpam0g

安装

编译并安装.so

cargo build --release
sudo cp target/release/libpam_groupmap.so /lib/security/pam_groupmap.so

创建配置文件/etc/pam_groupmap.toml

# LDAP connection parameters
[ldap]
# Comma separated list of LDAP servers.
uri = "ldaps://ldap1.example.com:636,ldaps://ldap2.example.com:636"
# LDAP simple bind credentials (at the moment they are the same for all servers)
user = "XXX"
pass = "YYY"
#
# LDAP server connection timeout in seconds, default is 2.
# conn_timeout = 2
# LDAP server opeartion timeout in seconds (bind and search), default is 5.
# op_timeout = 5
#
# pam_groupmap will do an LDAP subtree search for the
# attribute $group_attribute under $user_base_dn with
# filter ($uid_attribute=$pam_username)
# Then the results are going to be filtered locally for
# only those that end with $group_base_dn
user_base_dn = "OU=people,OU=user,DC=example,DC=com"
group_base_dn = "OU=db,OU=groups,DC=example,DC=com"
uid_attribute = "sAMAccountName"
group_attribute = "memberOf"

# LDAP Group to User mappings
[mappings]
"dbadmin" = "dbadmin"
"dbreadonly" = "dbrouser"
"dbreadwrite" = "rbrwuser"

确保配置文件有正确的权限

chown root:mysql /etc/pam_groupmap.toml
chmod 640 /etc/pam_groupmap.toml

设置PAM，例如在/etc/pam.d/mysqld中的Percona XtraDB

auth       requisite     pam_unix.so
account    requisite     pam_groupmap.so /etc/pam_groupmap.toml