LDAP Sasl/Kerberos

The LDAP Sasl/Kerberos connection method is supported as an LDAP authentication method for MySQL servers and MySQL Workbench on Linux only. Using the GSSAPI security abstraction interface, a connection of this type authenticates to Kerberos to obtain service credentials, then uses those credentials in turn to enable secure access to other services. A GSSAPI library and Kerberos services must be available to MySQL Server (see The GSSAPI/Kerberos Authentication Method).


If the Linux environment hosting MySQL Workbench has access to LDAP through Microsoft Active directory, then Kerberos is enabled by default.

MySQL Workbench provides the authentication_ldap_sasl_client client-side plugin to support this connection method. It is compatible with the authentication_ldap_sasl server-side plugin, which must be installed on the MySQL server hosting the connection (see Installing LDAP Pluggable Authentication). Also, the authentication_ldap_sasl_auth_method_name system variable must be set to use the GSSAPI method. For additional variables that can (or should) be configured when using the server-side plugin, see Configure the Server-Side SASL LDAP Authentication Plugin for GSSAPI/Kerberos.

Connection values for the LDAP Sasl/Kerberos connection method include:

Parameters Tab

  • Hostname: The host name or IP address of the MySQL server with an account that has the Kerberos principal name as the user name and that authenticates using the SASL LDAP plugin.

  • Port: The TCP/IP port number of the server host, such as 3306.

  • Username: User name of the Kerberos principal associated with the MySQL account. For LDAP Kerberos authentication, the user part of the account name includes the principal domain, so user@default_realm (for example, skylar@MYSQL.LOCAL) is the user name.

  • Password: Password of the Kerberos principal associated with the MySQL account. If you enter no password here, you are prompted to enter the password when MySQL Workbench attempts to establish the connection. MySQL Workbench can store the password in a vault.

  • Default Schema: When the connection to the server is established, this option sets the schema that becomes the default schema for use in other parts of MySQL Workbench. For simplicity, you can leave the default schema value blank during the initial setup and set the default value later, if needed.


The SSL options for this connection method are the same as Standard TCP/IP (see SSL Tab).

Advanced Tab

The advanced options for this connection method are similar to Standard TCP/IP (see Advanced Tab), but also include the following options:

  • Path to plugin directory:

    An alternative path might be necessary to ensure that the client-side and server-side plugins remain compatible.

  • Kerberos configuration path:

    Full path name to the Kerberos configuration information on Linux.

  • Kerberos credentials cache:

    Location of the Kerberos credentials (ticket) cache on Linux.