MySQL Enterprise Edition supports authentication methods that enable MySQL Server to use LDAP (Lightweight Directory Access Protocol), LDAP with Kerberos, or native Kerberos to authenticate MySQL users. MySQL Shell 8.0.27 supports both LDAP and Kerberos authentication for classic MySQL protocol connections. This functionality is not supported for X Protocol connections.
The sections that follow describe how to enable connections to MySQL server using LDAP and Kerberos authentication. It is assumed that the server is running with the server-side plugin enabled and that the client-side plugin is available on the client host.
MySQL and LDAP work together to fetch user, credential, and group information. For an overview of the simple LDAP authentication process, see How LDAP Authentication of MySQL Users Works. To use simple LDAP authentication with MySQL Shell, the following conditions must be satisfied:
-
A user account must be created on the MySQL server that is set up to communicate with the LDAP server. The MySQL user must be identified with the
authentication_ldap_simple
server-side plugin and optionally the LDAP user distinguished name (DN). For example:CREATE USER 'admin'@'localhost' IDENTIFIED WITH authentication_ldap_simple BY 'uid=admin,ou=People,dc=my-domain,dc=com';
The
BY
clause in this example indicates which LDAP entry the MySQL account authenticates against. Specific attributes of the DN may vary depending on the LDAP server. MySQL Shell uses the client-side
mysql_clear_password
plugin, which sends the password to the server as cleartext. No password hashing or encryption is used, so a secure connection (using SSL or sockets) between the MySQL Shell and server is required. For more information, see Section 4.3.4, “Using Encrypted Connections” or Section 4.3.3, “Connecting using Unix Sockets and Windows Named Pipes”.-
To minimize the security risk, the
mysql_clear_password
plugin must be enabled explicitly by setting the value of the--auth-method
command-line option toclear_text_password
on a secure connection. For example, the following command permits you to establish a global session for the user created in the previous example:$> mysqlsh admin@localhost:3308 --auth-method=clear_text_password Please provide the password for 'admin@localhost:3308': admin_password (admin LDAP password)
NoteYou can also set the environment variable,
LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN
, and enable themysql_clear_password
plugin for all client connections. However, this method is inherently insecure and is not recommended for any scenario other than testing. For more information, see Client-Side Cleartext Pluggable Authentication.
MySQL Server is able to accept connections from users defined outside the MySQL grant tables in LDAP directories. The client-side and server-side SASL LDAP plugins use SASL messages for secure transmission of credentials within the LDAP protocol (see Using LDAP Pluggable Authentication).
For SASL-based authentication, the MySQL user must be
identified with the
authentication_ldap_sasl
server-side plugin
and optionally an LDAP entry the MySQL account authenticates
against. For example:
CREATE USER 'sammy'@'localhost'
IDENTIFIED WITH authentication_ldap_sasl
BY 'uid=sammy_ldap,ou=People,dc=my-domain,dc=com';
The authentication_ldap_sasl_client
client-side plugin ships with the MySQL Server packages rather
than being built into the libmysqlclient
client library. MySQL Shell provides the persistent
connection option
shell.options.mysqlPluginDir
that enables
you to define where the required plugin is located.
Alternatively, you can override the persistent setting by
specifying a path with the non-persistent command-line option
--mysql-plugin-dir
. For
example, the following command permits you to establish a
global session on a Linux host for the user created in the
previous example:
$> mysqlsh sammy@localhost:3308 --mysql-plugin-dir="/usr/local/mysql/lib/plugin"
Please provide the password for 'sammy@localhost:3308': sammy_password (sammy_ldap LDAP password)
For additional usage examples, see LDAP Authentication with Proxying and LDAP Authentication Group Preference and Mapping Specification.
MySQL Shell also supports Kerberos authentication through LDAP SASL. Using the Generic Security Service Application Program Interface (GSSAPI) security abstraction interface, a connection of this type authenticates to Kerberos to obtain service credentials, then uses those credentials in turn to enable secure access to other services. GSSAPI/Kerberos is supported as an LDAP authentication method for MySQL servers and MySQL Shell on Linux only.
A GSSAPI library and Kerberos services must be available to MySQL Server for the connection to succeed. See The GSSAPI/Kerberos Authentication Method for server-side configuration information.
The following general example creates proxy user named
lucy@MYSQL.LOCAL
that assumes the
privileges of the proxied user named
proxied_krb_usr
. It presumes the realm
domain MYSQL.LOCAL
is configured in the
/etc/krb5.conf
Kerberos configuration
file.
The user part of the account name includes the principal domain, so 'lucy@MYSQL.LOCAL' is quoted as a single value for LDAP Kerberos authentication.
CREATE USER 'lucy@MYSQL.LOCAL'
IDENTIFIED WITH authentication_ldap_sasl
BY '#krb_grp=proxied_krb_user';
CREATE USER 'proxied_krb_user';
GRANT ALL PRIVILEGES ON my_db.* TO 'proxied_krb_user';
GRANT PROXY on 'proxied_krb_user' TO 'lucy@MYSQL.LOCAL';
The following command permits you to establish a global
session on a Linux host for the user created in the previous
example. You must specify the location of the server's plugin
directory, either as the persistent
shell.options.mysqlPluginDir
connection
option or as a non-persistent command option, for example:
$> mysqlsh lucy%40MYSQL.LOCAL:password@localhost:3308/my_db
--mysql-plugin-dir="/usr/local/mysql/lib/plugin"
In this example, percent encoding (%40
)
replaces the reserved @
character in the
principal name and password
is the
value set for the MySQL Server variable
authentication_ldap_sasl_bind_root_pwd
. For
the list of server variables related to Kerberos
authentication through LDAP SASL, see
Configure the Server-Side SASL LDAP Authentication Plugin for GSSAPI/Kerberos.
Prior to invoking MySQL Shell, you can obtain and cache a ticket-granting ticket from the key distribution center independently of MySQL. In this case, invoke MySQL Shell without specifying a user-name or password option:
$> mysqlsh localhost:3308/my_db --auth-method=authentication_ldap_sasl_client
--mysql-plugin-dir="/usr/local/mysql/lib/plugin"
Specifying the
--auth-method=authentication_ldap_sasl_client
option is mandatory when user credentials are omitted.
MySQL Shell is capable of establishing connections for
accounts that use the
authentication_kerberos
server-side
authentication plugin, provided that the correct Kerberos
tickets are available or can be obtained from Kerberos. As of
MySQL Enterprise Edition 8.0.27, that capability is available on hosts running
Linux and Windows (version 8.0.26 supports Linux only). For
detailed setup information, see
Kerberos Pluggable Authentication.
Kerberos authentication can combine the user name (for
example, lucy
) and the realm domain
specified in the user account (for example,
MYSQL.LOCAL
) to construct the user
principal name (UPN), such as
lucy@MYSQL.LOCAL
. To create a MySQL account
that corresponds to the UPN
lucy@MYSQL.LOCAL
, use this statement:
CREATE USER 'lucy'
IDENTIFIED WITH authentication_kerberos
BY 'MYSQL.LOCAL';
The client-side plugin uses the UPN and password to obtain a ticket-granting ticket (TGT), uses the TGT to obtain a MySQL service ticket (ST), and uses the ST to authenticate to the MySQL server.
The following command permits you to establish a global
session on a Linux host for the user created in the previous
example. You must specify the location of the server's plugin
directory, either as the persistent
shell.options.mysqlPluginDir
connection
option or as a non-persistent command option, for example:
$> mysqlsh lucy:3308 --mysql-plugin-dir="/usr/local/mysql/lib/plugin"
Please provide the password for 'lucy@localhost:3308': UPN_password
Prior to invoking MySQL Shell, you can obtain and cache a TGT from the key distribution center independently of MySQL. In this case, invoke MySQL Shell without specifying a user-name or password option:
$> mysqlsh localhost:3308 --auth-method=authentication_kerberos_client
--mysql-plugin-dir="/usr/local/mysql/lib/plugin"
Specifying the
--auth-method=authentication_kerberos_client
option is mandatory when user credentials are omitted.