LDAP Authentication Plugin¶
This software documentation is (C)2009-2018 Percona LLC and/or its affiliates and is distributed under the Creative Commons Attribution-ShareAlike 2.0 Generic license.
LDAP (Lightweight Directory Access Protocol) provides an alternative method to access existing directory servers, which maintain information about individuals, groups, and organizations.
Installation
To deploy the plugin, run the command below:
mysql> INSTALL PLUGIN authentication_ldap_simple SONAME 'authentication_ldap_simple.so';
The installation adds the variables below:
| Name | Description | Default | Minimum | Maximum | Scope | Dynamic | Type |
|---|---|---|---|---|---|---|---|
| authentication_ldap_simple_bind_base_dn | Base distinguished name (DN) | global | Yes | string | |||
| authentication_ldap_simple_bind_root_dn | Root distinguished name (DN) | global | Yes | string | |||
| authentication_ldap_simple_bind_root_pwd | Password for the root distinguished name | global | Yes | string | |||
| authentication_ldap_simple_ca_path | Absolute path of the certificate authority file | global | Yes | string | |||
| authentication_ldap_simple_group_search_attr | Name of the attribute that specifies the group names in LDAP directory entries | CN | global | Yes | string | ||
| authentication_ldap_simple_group_search_filter | Custom group search filter | (|(&(objectClass=posixGroup)(memberUid={UA}))(&(objectClass=group)(member={UD}))) | global | Yes | string | ||
| authentication_ldap_simple_init_pool_size | Initial size of the connection pool to the LDAP server | 10 | 1 | 32767 | global | Yes | uint |
| authentication_ldap_simple_log_status | Logging level | 1 | 1 | 5 | global | Yes | uint |
| authentication_ldap_simple_max_pool_size | Maximum size of the pool of connections to the LDAP server | 1000 | 1 | 32767 | global | Yes | uint |
| authentication_ldap_simple_server_host | LDAP server host | global | Yes | string | |||
| authentication_ldap_simple_server_port | LDAP server TCP/IP port number | 389 | 1 | 65535 | global | Yes | uint |
| authentication_ldap_simple_ssl | Are connections by the plugin to the LDAP server using the SSL protocol (ldaps://) | OFF | global | Yes | bool | ||
| authentication_ldap_simple_tls | Are connections by the plugin to the LDAP server secured with STARTTTLS (ldap://) | OFF | global | Yes | bool | ||
| authentication_ldap_simple_user_search_attr | Name of the attribute that specifies user names in LDAP directory entries | uid | global | Yes | string |
For simple LDAP authentication, you must specify the authentication_ldap_simple plugin in the CREATE USER statement or ALTER USER statement.
CREATE USER ... IDENTIFIED WITH authentication_ldap_simple;
or
CREATE USER ... IDENTIFIED WITH authentication_ldap_simple BY 'cn=[user
name],ou=[organization unit],dc=[domain component],dc=com'
Note
If you create a user is with the BY ‘cn,ou,dc,dc’, the variables below are not used:
- authentication_ldap_simple_bind_base_dn
- authentication_ldap_simple_bind_root_dn
- authentication_ldap_simple_bind_root_pwd
- authentication_ldap_simple_user_search_attr
- authentication_ldap_simple_group_search_attr
If you create a user with IDENTIFIED BY authentication_ldap_simple, the variables are used.
If a MySQL user test1 has the following entry in the LDAP directory:
uid=test1, ou=users, dc=hr, dc=com
To create a MySQL account for test1, use the following statement:
.. code-block:: console
CREATE USER ‘test1’@’localhost’ IDENTIFIED WITH authentication_ldap_simple AS ‘uid=test1,ou=users,dc=hr,dc=com’;
Note
For security reasons, the plugin requires sending the password in clear text.
Uninstallation
To uninstall the plugin, run the command below:
mysql> UNINSTALL PLUGIN authentication_ldap_simple;
Related Documents
