Announcing PAM authentication plugin for MySQL (early access release)

PREVIOUS POST
NEXT POST

We are pleased to announce availability of an early access version of Percona’s PAM Authentication plugin for MySQL. This plugin supports MySQL-5.5.x, Percona Server 5.5.x and MariaDB 5.2.x. The PAM Authentication plugin can be used for:

  • MySQL authentication using operating system users (pam_unix)
  • MySQL authentication from LDAP server (pam_ldap)
  • authentication against RSA SecurID server
  • any other authentication methods that provides access via PAM

We name it early access as it does not yet have the full list of features we want to implement. It is currently functional and we want to make it available for everybody. In this version you still need to create individual users in MySQL (even though they will be authenticated via PAM), in the final (non-early access) version this restriction will be removed. Percona PAM Authentication Plugin for MySQL as always, is fully open source, free of charge and can be used on an unlimited amount of servers. Resources:

PREVIOUS POST
NEXT POST

Comments

  1. Sean Davidson says

    Alleluia!

    Between the audit plug-in interface, and your PAM authentication plug-in (hopefully implementing the proxy users authentication plug-in feature), real role-based access, best-practices password controls, and access non-repudiation can be a reality. To me, this means MySQL can finally be deployed in a PCI environment without lots of hacks, workarounds, and other controls gymnastics to satisfy governance requirements (and PCI auditors :) ).

    Now if Monty’s group can get caught up to 5.6; we use MyISAM extensively for simple but huge KV stores, and love virtual (indexable) columns, segmented key cache, and other MariaDB goodies, but really need to start leveraging 5.6 features such as the Partition enhancements (we can finally ditch merge tables), Multi-threaded slaves (!!! A huge pain point for us), Diff-based RBR, Replication Checksums, lots of additional instrumentation, etc.

    Then, those combined with figuring out how to use Gearman to leverage Java plug-ins/UDFs, and we’ll be able to stop eyeing PostgreSQL’s feature set with frustrated envy, and enjoy the rocking performance and flexibility of the MySQL platform.

    [Please no flaming – PostgreSQL rocks in its own right, but we have an investment in the MySQL platform that I would appreciate being able to continue to leverage for enterprise workflows and loads.]

  2. says

    Quite useful. The most utility I guess comes from “any other authentication methods that provides access via PAM” .. PAM gives you the freedom to stack authentication/authorization methods (including ldap, rsa and unix) to the choice of user/customer.

  3. Laurynas Biveinis says

    St –

    If one uses the “auth_pam_compat” plugin, then it uses the stock Oracle “mysql_clear_password” plugin instead of “dialog” plugin used by the full-feature version. As “mysql_clear_password” is a default plugin distributed in Oracle MySQL, it provides the CLI compatibility.

  4. Scott S says

    Does anyone know the timing of the final release and whether it’ll be compatible with the 5.6?

Leave a Reply

Your email address will not be published. Required fields are marked *