In our corporate environment long ago some wiz decided to put the user "mysql" into LDAP.
The account is disabled:
$ sudo su - mysql
This account is currently not available.
…but its id still exists:
$ id mysql
uid=2050913(mysql) gid=867(ENG) groups=867(ENG)
This makes mariadb installations fail on CentOS7 because /var/run/mariadb is created by a tmpfile rule which tries to assign the directory to be owned by mysql. But mysql doesn't exist until LDAP/networking is up and running, and the mariadb install doesn't create the mysql user because the user already exists in ldap.
Is there a way to locally force PAM (or something?) to ignore the user mysql in LDAP? Or rename the ldap mysql user to mysql_ldap?
Is my only workaround to manually add the entry in /etc/passwd? (Or change the mariadb config to use a different username.) I'd rather have minimal changes to the config and systemd files that come from the rpm.
(And I don't have high hopes of removing mysql from LDAP as that could break a lot of legacy infrastructure.)
I'll be using ansible, btw, to implement the change.
Additional:
I've changed the title of the question:
I have found that if I do add the local "mysql" user, it works ok, unless I have files owned by the userid of the LDAP "mysql" user. If I ls -la the files, it then pollutes the nscd (or sssd) cache and "mysql" again resolves to the LDAP user. It seems what I really want is to somehow construct a PAM filter for accounts to make this LDAP "mysql" user disappear.
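One way to do what the question asks (make the LDAP entry invisible to name lookups on the host, then give mariadb a local account), written here as an added Ansible playbook that is not the asker's posted solution. It assumes sssd is the LDAP client and relies on sssd's filter_users option in the [nss] section; the inventory group name and the UID/GID are constructed values.

```yaml
# Added example, not the asker's playbook. Assumes CentOS 7 with sssd answering
# LDAP lookups; the inventory group and the UID/GID below are constructed.
- name: Hide the LDAP "mysql" account locally and give mariadb a local one
  hosts: db_servers                 # hypothetical inventory group
  become: true
  vars:
    local_mysql_id: 27              # constructed; any free local UID/GID works

  tasks:
    # 1. Stop sssd from ever answering "mysql" from LDAP. This must happen
    #    before useradd runs: useradd refuses to create a name that
    #    getpwnam() already resolves (here via the sss NSS module).
    - name: Add mysql to sssd's NSS user filter
      community.general.ini_file:
        path: /etc/sssd/sssd.conf
        section: nss
        option: filter_users
        value: "root,mysql"          # root is sssd's default; keep it
        mode: "0600"
      notify:
        - restart sssd
        - expire sssd cache

    - name: Apply the filter now, not at the end of the play
      ansible.builtin.meta: flush_handlers

    # 2. Provide the local account the rpm's tmpfiles.d rule expects.
    - name: Local mysql group
      ansible.builtin.group:
        name: mysql
        gid: "{{ local_mysql_id }}"
        system: true

    - name: Local, non-login mysql user
      ansible.builtin.user:
        name: mysql
        uid: "{{ local_mysql_id }}"
        group: mysql
        system: true
        shell: /sbin/nologin
        home: /var/lib/mysql
        create_home: false

  handlers:
    - name: restart sssd
      ansible.builtin.service:
        name: sssd
        state: restarted
    - name: expire sssd cache
      ansible.builtin.command: sss_cache -E   # drop cached LDAP entries
```

Files already owned by the LDAP uid (2050913 in the question) will still show that numeric owner rather than a name once the filter is in place; chown them to the local account if mariadb needs them.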
Best Answer
Here's my final solution, coded in ansible: