DX NetOps

  • 1.  MySQL DB scan to check the vulnerability in CA PM

    Posted Jun 27, 2020 10:44 AM
    Hi,
    We are running CA PM 3.7.11 on Linux. The vulnerability team reached out to us and they need to scan the MySQL DB with the IBM Guardium tool to check the database for known CVEs. So is it possible for the CA PM MySQL DB to be scanned? Also, to do the scan, they need a DB service account user (Active Directory integrated user) with RO privileges.

    Appreciate your help!
    Thanks.


  • 2.  RE: MySQL DB scan to check the vulnerability in CA PM
    Best Answer

    Broadcom Employee
    Posted Jun 29, 2020 10:06 AM
    FYI - 3.7.11 is running MySQL 5.7.24.  We know it has CVEs and have a feature to upgrade it to the latest 5.7 version in the next month or two.

    To create a readonly user, log into mysql, and run:

    grant select on netqosportal.* to 'read-only_user_name'@'%' identified by 'password';
    flush privileges;

    If you know the machine the scanner will come from, replace % with the hostname or IP of that machine, to limit remote access.
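    As an added example (not part of the thread or of Broadcom's documentation), here is the same read-only account written with CREATE USER plus GRANT, scoped to one scanner host, followed by the checks a DBA would run to confirm the account can only read. The scanner address 10.0.0.25 and the account name guardium_ro are constructed for the example, the password is a placeholder to replace, and the schema name netqosportal is the one given above; the statements target MySQL 5.7, the version this thread says ships with PM 3.7.11.

```sql
-- Added example, not from the thread: read-only scanner account for the
-- CA PM MySQL database, bound to a single scanner host.
-- Assumptions (constructed for this example): the scanner connects from
-- 10.0.0.25, the account is named guardium_ro, and the password below is a
-- placeholder. Written for MySQL 5.7.

-- 1. Create the account bound to the scanner host only. CREATE USER plus a
--    separate GRANT avoids the GRANT ... IDENTIFIED BY form, which is
--    deprecated in 5.7 and removed in 8.0, so the statements survive the
--    planned MySQL upgrade. mysql_native_password keeps the account local,
--    i.e. no external (LDAP) authentication plugin.
CREATE USER 'guardium_ro'@'10.0.0.25'
  IDENTIFIED WITH mysql_native_password BY 'REPLACE_WITH_STRONG_PASSWORD';

-- 2. Grant SELECT only, on the application schema only: no GRANT OPTION,
--    nothing on mysql.* or other schemas.
GRANT SELECT ON netqosportal.* TO 'guardium_ro'@'10.0.0.25';

-- 3. Cap the scanner's footprint on the server; the thread notes its SELECTs
--    already contend with update/delete queries during the sync process.
ALTER USER 'guardium_ro'@'10.0.0.25'
  WITH MAX_USER_CONNECTIONS 2;

-- 4. Verify: expect exactly USAGE ON *.* and SELECT ON `netqosportal`.*
SHOW GRANTS FOR 'guardium_ro'@'10.0.0.25';

-- 5. Verify no write or administrative privilege slipped in at the global
--    level. Expect zero rows for a correctly scoped account.
SELECT user, host, insert_priv, update_priv, delete_priv, drop_priv, super_priv
  FROM mysql.user
 WHERE user = 'guardium_ro'
   AND 'Y' IN (insert_priv, update_priv, delete_priv, drop_priv, super_priv);

-- 6. Verify no non-SELECT privilege exists at the schema level either.
--    Expect zero rows.
SELECT grantee, table_schema, privilege_type
  FROM information_schema.schema_privileges
 WHERE grantee = "'guardium_ro'@'10.0.0.25'"
   AND privilege_type <> 'SELECT';

-- 7. List every account's authentication plugin. The PM application accounts
--    and the scanner account should all show a local plugin
--    (mysql_native_password); an LDAP plugin here would be the unsupported
--    configuration discussed later in this thread.
SELECT user, host, plugin FROM mysql.user ORDER BY user, host;

-- When the scanning engagement ends, remove the account:
-- DROP USER 'guardium_ro'@'10.0.0.25';
```

    FLUSH PRIVILEGES is not needed after CREATE USER, GRANT or ALTER USER; the server updates the in-memory grant tables itself for account-management statements. Keep the host part narrow: '%' in the grant from the post above accepts the password from any network location, while a single IP or hostname limits exposure of the account to the scanner host.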


  • 3.  RE: MySQL DB scan to check the vulnerability in CA PM

    Posted Jun 29, 2020 11:05 AM
    Hi Jeffrey,
    Thanks for the details. Even though it is addressed and MySQL will be upgraded by Broadcom, here we need to scan the CA PC MySQL DB on a weekly basis with the IBM Guardium tool using the service account user (which is AD integrated). So the questions are:
    1. Can the CAPC MySQL DB be scanned by the Guardium tool? Any impact to our CA PM?
    2. Scanning is through a service account user which is AD integrated, not a local user. If possible, how to do that?

    Appreciate your help.

    Thanks.


  • 4.  RE: MySQL DB scan to check the vulnerability in CA PM

    Broadcom Employee
    Posted Jun 29, 2020 11:35 AM
    1. Sure, we don't have insight into what scanners our customers are using.  Since it's only doing selects like other queries being run by the application, it could be blocked temporarily by update/delete queries run during the sync process.

    2. We've never tested LDAP in MySQL.  As such, we don't support using external authentication for DB accounts at this time.  I don't know the side-effects of enabling it and how that would affect the accounts we use for the application.   Also, the upgrade logic in our installer for MySQL is only set up to preserve the my.cnf file config.  So if there is anything else installed/enabled, it would need to be reapplied after each upgrade.


  • 5.  RE: MySQL DB scan to check the vulnerability in CA PM

    Posted Jul 04, 2020 11:52 PM
    Jeffrey,
       Thanks for the information.  Here I have a few doubts to be clarified.
    1. Anyway, we have LDAP integration with CA PC, which implies it applies to MySQL, correct? So any user in AD will log in to CA PC, which indirectly connects to the MySQL DB; correct me if I am wrong.
    2. Also, we are not going to install the Guardium tool; all they need is the RO user (AD integrated) to check the MySQL DB vulnerability.

    Appreciate your help!

    Thanks.


  • 6.  RE: MySQL DB scan to check the vulnerability in CA PM

    Posted Jul 06, 2020 03:12 AM
    1) Wrong. LDAP integration implies that you're able to log in to CA PC using an LDAP user and password. The SSO allows you, if correctly configured, to authenticate to other DataSources that might be registered in PC. This doesn't have anything to do with the MySQL password. CA PC users don't get created as MySQL users and they cannot access MySQL.

    2) As Jeffrey pointed out earlier, that's an unsupported configuration. I cannot guarantee that whenever you have a problem, support won't help you, because you're using an unsupported installation.
    You should test to see if you have problems with an installation that is using the LDAP plugin to authenticate your specific user.

    ------------------------------
    Senior Consultant
    SolvIT Networks
    ------------------------------



  • 7.  RE: MySQL DB scan to check the vulnerability in CA PM

    Posted Jul 06, 2020 03:37 AM
    Hi Catalin,
       Thanks for the information. FYI, we will not install the Guardium tool on our CA PM servers.

       If I understand correctly, the AD user is unsupported in CA PM 3.7.11, so it is not possible to create the RO user for them to log in to our MySQL DB?
       But is it possible to create a local user (RO) for them to access our MySQL DB so that they can run some queries?


  • 8.  RE: MySQL DB scan to check the vulnerability in CA PM

    Posted Jul 06, 2020 03:51 AM
    I was not saying anything about installing any piece of software. You were asking about MySQL users and LDAP integration. 

    The PM installer and the application, after installation, use local MySQL users. Again, as Jeffrey was saying, any customization of the MySQL installation that is not part of my.cnf should be re-applied on the machine once upgrades are performed on the PC installation.

    The MySQL setup to support LDAP users is performed by modifying the MySQL configuration file.

    I was saying to test it out and, if it works, you should use it. You don't need the entire PM installation. Just install PC, enable the LDAP plugin for MySQL and see the results.

    ------------------------------
    Senior Consultant
    SolvIT Networks
    ------------------------------