LDAP Sasl/Kerberos connection method is
supported as an LDAP authentication method for MySQL servers and
MySQL Workbench on Linux only. Using the GSSAPI security abstraction
interface, a connection of this type authenticates to Kerberos
to obtain service credentials, then uses those credentials in
turn to enable secure access to other services. A GSSAPI library
and Kerberos services must be available to MySQL Server (see
The GSSAPI/Kerberos Authentication Method).
If the Linux environment hosting MySQL Workbench has access to LDAP through Microsoft Active directory, then Kerberos is enabled by default.
MySQL Workbench provides the
plugin to support this connection method. It is compatible with
plugin, which must be installed on the MySQL server hosting the
Installing LDAP Pluggable Authentication).
system variable must be set to use the
method. For additional variables that can (or should) be
configured when using the server-side plugin, see
Configure the Server-Side SASL LDAP Authentication Plugin for GSSAPI/Kerberos.
Connection values for the
connection method include:
Hostname: The host name or IP address of the MySQL server with an account that has the Kerberos principal name as the user name and that authenticates using the SASL LDAP plugin.
Port: The TCP/IP port number of the server host, such as 3306.
Username: User name of the Kerberos principal associated with the MySQL account. For LDAP Kerberos authentication, the user part of the account name includes the principal domain, so
skylar@MYSQL.LOCAL) is the user name.
Password: Password of the Kerberos principal associated with the MySQL account. If you enter no password here, you are prompted to enter the password when MySQL Workbench attempts to establish the connection. MySQL Workbench can store the password in a vault.
Default Schema: When the connection to the server is established, this option sets the schema that becomes the default schema for use in other parts of MySQL Workbench. For simplicity, you can leave the default schema value blank during the initial setup and set the default value later, if needed.
The SSL options for this connection method are the same as
Standard TCP/IP (see
The advanced options for this connection method are similar to
Standard TCP/IP (see
Advanced Tab), but also include the
Path to plugin directory:
An alternative path might be necessary to ensure that the client-side and server-side plugins remain compatible.
Kerberos configuration path:
Full path name to the Kerberos configuration information on Linux.
Kerberos credentials cache:
Location of the Kerberos credentials (ticket) cache on Linux.