Merge lp:~stewart/percona-pam-for-mysql/basic-docs into lp:percona-pam-for-mysql

Proposed by Stewart Smith
Status: Merged
Approved by: Laurynas Biveinis
Approved revision: 16
Merge reported by: Laurynas Biveinis
Merged at revision: not available
Proposed branch: lp:~stewart/percona-pam-for-mysql/basic-docs
Merge into: lp:percona-pam-for-mysql
Diff against target: 123 lines (+78/-4)
4 files modified
doc/source/faq.rst (+6/-0)
doc/source/index.rst (+2/-2)
doc/source/installation.rst (+43/-1)
doc/source/manual.rst (+27/-1)
To merge this branch: bzr merge lp:~stewart/percona-pam-for-mysql/basic-docs
Reviewer Review Type Date Requested Status
Valentine Gostev (community) Approve
Laurynas Biveinis (community) Approve
Review via email: mp+82092@code.launchpad.net

This proposal supersedes a proposal from 2011-11-10.

Description of the change

some very basic docs to get people going. (updated based on review feedback)

Valentine Gostev (longbow) wrote : Posted in a previous version of this proposal

Stewart,

124 +This creates a user `username` that can connect from `host` and will be authenticated using the PAM plugin.

We should also mention that the 'username' account must exist in the system.

Valentine Gostev (longbow) wrote : Posted in a previous version of this proposal

see comment

review: Needs Fixing
Laurynas Biveinis (laurynas-biveinis) wrote : Posted in a previous version of this proposal

In the /etc/shadow question it might be a good idea to add "the PAM libraries such as pam_unix.so" or similar.
In "compiling from source" I'd add to "MySQL 5.5 headers available on your system" "and corresponding mysql_config" or similar.

@Valentine - the account must exist on the system iff pam_unix.so is used (i.e. in other setups it's not necessary)

Laurynas Biveinis (laurynas-biveinis) wrote :

LGTM.
Will wait for Valentine's review before merging.

review: Approve
Valentine Gostev (longbow) wrote :

lgtm

review: Approve

Preview Diff

1=== modified file 'doc/source/faq.rst'
2--- doc/source/faq.rst 2011-10-25 10:51:19 +0000
3+++ doc/source/faq.rst 2011-11-14 04:10:27 +0000
4@@ -22,3 +22,9 @@
5 ====================================
6
7 Yes.
8+
9+
10+Can I use the PAM plugin to authenticate against /etc/shadow?
11+=============================================================
12+
13+Yes, but you will need to run mysqld as root so that the PAM libraries such as 'pam_unix.so` can access /etc/shadow.
14
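Review bot: The new FAQ answer at line 13 tells readers to run mysqld as root with no caveat, while the NOTE added to manual.rst in this same branch calls that "usually not a recommended configuration"; repeat that caveat here or link to the manual section so the FAQ does not read as an endorsement. The same line opens the module name with an apostrophe and closes it with a backtick ('pam_unix.so`), so the inline markup will not render; use matching backticks.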
15=== modified file 'doc/source/index.rst'
16--- doc/source/index.rst 2011-10-25 10:51:19 +0000
17+++ doc/source/index.rst 2011-11-14 04:10:27 +0000
18@@ -2,7 +2,7 @@
19 Percona PAM authentication plugin For MySQL - Documentation
20 ============================================================
21
22-Percona PAM authentication plugin for MySQL
23+Percona PAM authentication plugin for MySQL.
24
25 Introduction
26 ============
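Review bot: Line 23 still only repeats the page title as a sentence fragment, and adding a full stop does not make it informative. Either drop it or replace it with one sentence saying what the plugin does (authenticates MySQL users through PAM).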
27@@ -17,7 +17,7 @@
28 ============
29
30 .. toctree::
31- :maxdepth: 1
32+ :maxdepth: 2
33 :glob:
34
35 installation
36
37=== modified file 'doc/source/installation.rst'
38--- doc/source/installation.rst 2011-10-25 14:07:24 +0000
39+++ doc/source/installation.rst 2011-11-14 04:10:27 +0000
40@@ -5,4 +5,46 @@
41 .. toctree::
42 :hidden:
43
44-Install instructions go here.
45+Compiling from Source
46+=====================
47+
48+You will need both the PAM headers and the MySQL 5.5 headers and corresponding `mysql_config` binary available on your system.
49+
50+If you are not using one of the pre-built binary packages, you will need to compile the plugin from source. You can either use a source tarball or the source repository.
51+
52+For getting a copy of the latest development bzr tree: ::
53+
54+ $ bzr branch lp:percona-pam-for-mysql
55+
56+If you are building from bzr, you will need to generate the configure script: ::
57+
58+ $ ./bootstrap
59+
60+You do not need to run `bootstrap` if you are using a source tarball.
61+
62+You then need to build the plugin: ::
63+
64+ $ ./configure
65+ $ make
66+
67+To install, you can simply run (as root or using sudo or similar): ::
68+
69+ $ make install
70+
71+Installing server-side plugin
72+=============================
73+
74+The shared library that holds the plugin, auth_pam.so, needs to be stored in the plugindir directory of mysql. You can get this value via the command: ::
75+
76+ $ mysql_config --plugindir
77+
78+Make sure that after installed, the library has got the appropiate permissions (file execution is required).
79+
80+Most packages should do this for you, so this is likely only required with the binary tarballs.
81+
82+ In order to load the plugin into the working server, issue the following command: ::
83+
84+ mysql> INSTALL PLUGIN auth_pam_server SONAME 'auth_pam.so';
85+
86+
87+You can now create a PAM configuration for the MySQL server and create users that are authenticated by PAM.
88
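Review bot: Line 78 leaves "appropiate permissions" undefined (and misspells "appropriate"); since the server loads this library, state the expected owner and mode explicitly, and say that it should not be writable by unprivileged users. Line 82 starts with a stray space after the "+", which reStructuredText will render as an indented block quote rather than a normal paragraph. The prerequisites sentence at line 48 would also read better after line 50, which explains when compiling is needed at all.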
89=== modified file 'doc/source/manual.rst'
90--- doc/source/manual.rst 2011-10-25 10:51:19 +0000
91+++ doc/source/manual.rst 2011-11-14 04:10:27 +0000
92@@ -8,4 +8,30 @@
93 :maxdepth: 1
94 :hidden:
95
96-Manual goes here.
97+Configuring PAM for MySQL
98+=========================
99+
100+You will need to configure PAM on your system for how it should authenticate for MySQL. A simple setup can be to use the standard UNIX authentication method.
101+
102+*NOTE:* Using pam_unix means the MySQL Server needs to read the `/etc/shadow` file, which usually means it has to be run as `root` - usually not a recommended configuration.
103+
104+A sample `/etc/pam.d/mysqld` file: ::
105+
106+ auth required pam_unix.so
107+ account required pam_unix.so
108+
109+For added information in the system log, you can expand it to be: ::
110+
111+ auth required pam_warn.so
112+ auth required pam_unix.so audit
113+ account required pam_unix.so audit
114+
115+
116+Creating A User
117+===============
118+
119+You will need to execute `CREATE USER` with specifying the PAM plugin. For example: ::
120+
121+ CREATE USER 'username'@'host' IDENTIFIED WITH auth_pam_server;
122+
123+This creates a user `username` that can connect from `host` and will be authenticated using the PAM plugin. If you are using the `pam_unix` method in PAM (or similar) you will need to have an account for `username` existing on the system.
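Review bot: The NOTE at line 102 warns that pam_unix usually forces mysqld to run as root but gives the reader nowhere to go from there; add a sentence pointing to a setup that does not need to read /etc/shadow, or at least cross-reference the FAQ entry. The sample at line 104 also never says why the file is named `mysqld`; state which PAM service name the plugin uses so readers know the file name is not arbitrary. At line 119, "with specifying the PAM plugin" should read "and specify the PAM plugin".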
