MySQL Enterprise Edition supports authentication methods that enable MySQL Server to use LDAP (Lightweight Directory Access Protocol), LDAP with Kerberos, or native Kerberos to authenticate MySQL users. MySQL Workbench 8.0.27 (and later) provides several connection methods that permit you to use LDAP and Kerberos authentication.
The server-side LDAP and Kerberos authentication plugins are included only in MySQL Enterprise Edition. These server-side plugins are not included in MySQL community distributions. The client-side plugins are included in all MySQL Workbench distributions, including community distributions. This enables users from any MySQL Workbench distribution to connect to a server that has the server-side plugin loaded.
Although MySQL Workbench includes the client-side plugins in all distributions, specific support for LDAP and Kerberos authentication is platform dependent. For example, authentication is not supported when MySQL Workbench is running on macOS. The following table shows the platform support for each connection method.
Table 5.1 Connection Methods and Supported Platforms
Connection Method | Windows | Linux | macOS |
---|---|---|---|
LDAP User/Password | Supported | Supported | Not supported |
LDAP Sasl/Kerberos | Not supported | Supported | Not supported |
Native Kerberos | Supported | Supported | Not supported |
In general, the following requirements must be satisfied to use LDAP or Kerberos pluggable authentication:

- Server-side and client-side plugins need to be compatible, and the server-side plugin must be installed. To minimize the potential for incompatibilities, keep the server and MySQL Workbench upgraded together on a timely basis.
- MySQL Enterprise Edition must be configured for the type of authentication protocol in use. Specific libraries, services, and servers that apply to each authentication method must be available to MySQL Server.

  Note: MySQL Workbench restricts the use of SASL-based LDAP authentication to configurations using the Generic Security Service Application Program Interface (GSSAPI)/Kerberos authentication method. The exclusive use of SASL messages for secure transmission of credentials within the LDAP protocol is not supported.
- A MySQL user account must be created or altered with syntax that specifies how the account authenticates. For example, to create an account for skylar using simple LDAP authentication (and the LDAP User/Password connection method), use syntax similar to:

  CREATE USER 'skylar'@'localhost' IDENTIFIED WITH authentication_ldap_simple [BY 'LDAP user DN'];

  The BY clause in this example indicates which LDAP entry the MySQL account authenticates against. Specific attributes of the distinguished name (DN) may vary depending on the LDAP server.
To set up the client-side connection from MySQL Workbench:

- Click the manage connections icon on the home screen to open the Manage Server Connections dialog.
- From the Connection tab, select the LDAP User/Password, LDAP Sasl/Kerberos, or Native Kerberos connection method from the list.
With the server requirements satisfied, you can configure the parameters of the named connection from MySQL Workbench. The remainder of this section identifies the settings for each connection method.
MySQL uses LDAP to fetch user, credential, and group information. MySQL Workbench users connect to the MySQL server by providing the MySQL user name and LDAP password.
The LDAP User/Password connection method supports simple LDAP authentication. The mysql_clear_password client-side plugin is compatible with the authentication_ldap_simple server-side plugin. MySQL Workbench enables the client-side mysql_clear_password authentication plugin explicitly for this connection method.
The server-side plugin must be loaded before you begin (see Installing LDAP Pluggable Authentication). For an overview of how LDAP authentication works with MySQL, see How LDAP Authentication of MySQL Users Works.
Connection values for the LDAP User/Password connection method include:
Parameters Tab
Hostname: The host name or IP address of the MySQL server that communicates with the LDAP server.
Username: User name of the account to be authenticated. LDAP users to be authenticated by MySQL must be present in the directory managed by the LDAP server.
Password: The LDAP password of the user account. If you enter no password here, you are prompted to enter the password when MySQL Workbench attempts to establish the connection. MySQL Workbench can store the password in a vault.
Default Schema: When the connection to the server is established, this option sets the schema that becomes the default schema for use in other parts of MySQL Workbench. For simplicity, you can leave the default schema value blank during the initial setup and set the default value later, if needed.
SSL Tab
The SSL options for this connection method are the same as the options described in Section 5.3.1, “Standard TCP/IP Connection Method”.
The client-side and server-side plugins for this connection method communicate the password as cleartext. No password hashing or encryption is used, so a secure connection between MySQL Workbench and the server is recommended to prevent password exposure.
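The following SQL is an added example, not part of the MySQL Workbench manual and not code from the MySQL project; it ties together the account-creation requirement given earlier and the LDAP User/Password method described here by walking through the server side of a simple-LDAP deployment, including the transport hardening that the cleartext password exchange calls for. The plugin name, the authentication_ldap_simple_* system variables, require_secure_transport and the statements used are standard MySQL 8.0 Enterprise Edition features; the directory host ldap.example.com, the base DN and the user DN are constructed sample values to be replaced with your own.

```sql
-- Added example (not from the MySQL Workbench manual): server-side setup for
-- the LDAP User/Password connection method. Host name and DNs are constructed.

-- 1. Load the server-side plugin (Enterprise Edition only). The library is
--    authentication_ldap_simple.so on Linux and .dll on Windows. INSTALL
--    PLUGIN registers it in mysql.plugin, so it survives a server restart.
INSTALL PLUGIN authentication_ldap_simple SONAME 'authentication_ldap_simple.so';

-- 2. Point the plugin at the directory server. SET PERSIST writes the values
--    to mysqld-auto.cnf so they are kept across restarts.
SET PERSIST authentication_ldap_simple_server_host      = 'ldap.example.com';
SET PERSIST authentication_ldap_simple_server_port      = 389;
SET PERSIST authentication_ldap_simple_bind_base_dn     = 'ou=People,dc=example,dc=com';
SET PERSIST authentication_ldap_simple_user_search_attr = 'uid';

-- 3. This method hands the LDAP password to MySQL in cleartext, so refuse
--    any client connection that is not TLS-protected.
SET PERSIST require_secure_transport = ON;

-- 4. Create the account. The BY clause names the LDAP entry the account
--    binds as; if it is omitted the plugin searches for the user under the
--    base DN by the user search attribute instead. REQUIRE SSL adds a
--    per-account guarantee on top of the global setting.
CREATE USER 'skylar'@'localhost'
  IDENTIFIED WITH authentication_ldap_simple
  BY 'uid=skylar,ou=People,dc=example,dc=com'
  REQUIRE SSL;

-- 5. Verify: the plugin is ACTIVE and the account is mapped to it, with the
--    DN stored as its authentication string.
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME = 'authentication_ldap_simple';

SELECT user, host, plugin, authentication_string
  FROM mysql.user
 WHERE user = 'skylar';
```

Run the script as an administrative account that holds the CREATE USER privilege and SYSTEM_VARIABLES_ADMIN (for SET PERSIST). Once require_secure_transport is ON, the SSL tab of the Workbench connection must be configured, otherwise the connection is rejected before the password is ever sent, which is the intended effect.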
The LDAP Sasl/Kerberos connection method is supported as an LDAP authentication method for MySQL servers and MySQL Workbench on Linux only. Using the GSSAPI security abstraction interface, a connection of this type authenticates to Kerberos to obtain service credentials, then uses those credentials in turn to enable secure access to other services. A GSSAPI library and Kerberos services must be available to MySQL Server (see The GSSAPI/Kerberos Authentication Method).
If the Linux environment hosting MySQL Workbench has access to LDAP through Microsoft Active Directory, then Kerberos is enabled by default.
MySQL Workbench provides the authentication_ldap_sasl_client client-side plugin to support this connection method. It is compatible with the authentication_ldap_sasl server-side plugin, which must be installed on the MySQL server hosting the connection (see Installing LDAP Pluggable Authentication). Also, the authentication_ldap_sasl_auth_method_name system variable must be set to use the GSSAPI method. For additional variables that can (or should) be configured when using the server-side plugin, see Configure the Server-Side SASL LDAP Authentication Plugin for GSSAPI/Kerberos.
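As an added example (not from the MySQL Workbench manual or the MySQL project), the SQL below shows the server-side steps the paragraph above describes for the LDAP Sasl/Kerberos method: loading authentication_ldap_sasl, selecting the GSSAPI mechanism, and creating an account whose user name is the full Kerberos principal. The plugin and the authentication_ldap_sasl_* system variables are standard MySQL 8.0 Enterprise Edition names; the realm MYSQL.LOCAL and user skylar come from this section, while the directory host ldap.mysql.local and the DNs are constructed sample values.

```sql
-- Added example (not from the MySQL Workbench manual): server-side setup for
-- the LDAP Sasl/Kerberos connection method (Linux server, Linux Workbench).
INSTALL PLUGIN authentication_ldap_sasl SONAME 'authentication_ldap_sasl.so';

-- GSSAPI is the only SASL mechanism Workbench supports for this method, so
-- it is the one to select. The default for this variable is SCRAM-SHA-1.
SET PERSIST authentication_ldap_sasl_auth_method_name = 'GSSAPI';

-- Directory the plugin searches for the user. With Active Directory the
-- account name normally lives in sAMAccountName rather than uid; the
-- values here are constructed for an OpenLDAP-style tree.
SET PERSIST authentication_ldap_sasl_server_host      = 'ldap.mysql.local';
SET PERSIST authentication_ldap_sasl_bind_base_dn     = 'ou=People,dc=mysql,dc=local';
SET PERSIST authentication_ldap_sasl_user_search_attr = 'uid';

-- For this method the MySQL user name is user@default_realm, exactly what
-- Workbench sends in the Username field. The BY clause pins the account to
-- one directory entry.
CREATE USER 'skylar@MYSQL.LOCAL'@'%'
  IDENTIFIED WITH authentication_ldap_sasl
  BY 'uid=skylar,ou=People,dc=mysql,dc=local';

-- Verify the mechanism actually in effect and the account mapping before
-- pointing Workbench at the server; a mechanism mismatch fails at handshake.
SHOW VARIABLES LIKE 'authentication_ldap_sasl_auth_method_name';
SELECT user, host, plugin, authentication_string
  FROM mysql.user
 WHERE user = 'skylar@MYSQL.LOCAL';
```

Because the user name carries the realm, quoting the whole principal as a single user part (as above) matters; an unquoted @ would be read as the user/host separator.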
Connection values for the LDAP Sasl/Kerberos connection method include:
Parameters Tab
Hostname: The host name or IP address of the MySQL server with an account that has the Kerberos principal name as the user name and that authenticates using the SASL LDAP plugin.
Username: User name of the Kerberos principal associated with the MySQL account. For LDAP Kerberos authentication, the user part of the account name includes the principal domain, so user@default_realm (for example, skylar@MYSQL.LOCAL) is the user name.
Password: Password of the Kerberos principal associated with the MySQL account. If you enter no password here, you are prompted to enter the password when MySQL Workbench attempts to establish the connection. MySQL Workbench can store the password in a vault.
Default Schema: When the connection to the server is established, this option sets the schema that becomes the default schema for use in other parts of MySQL Workbench. For simplicity, you can leave the default schema value blank during the initial setup and set the default value later, if needed.
SSL Tab
The SSL options for this connection method are the same as the options described in Section 5.3.1, “Standard TCP/IP Connection Method”.
Advanced Tab
The Path to plugin directory option enables you to specify an alternative path to the client-side plugin. An alternative path might be necessary to ensure that the client-side and server-side plugins remain compatible.
The Native Kerberos connection method authenticates a MySQL user with authentication tokens generated by the kinit command. Using this connection method, MySQL Workbench and MySQL servers are able to use the Kerberos authentication protocol to mutually authenticate users and MySQL services. This way both the user and the server are able to verify each other's identity. No passwords are sent over the network, and Kerberos protocol messages are protected against eavesdropping and replay attacks.
MySQL Workbench provides the authentication_kerberos_client client-side plugin to support this connection method. It is compatible with the authentication_kerberos server-side plugin, which must be installed and loaded on the MySQL server hosting the connection (see Installing Kerberos Pluggable Authentication).
For server configuration setup details and an operational overview of Kerberos authentication, see:
Connection values for the Native Kerberos connection method include:
Parameters Tab
Hostname: The host name or IP address of the MySQL server with an account that has the Kerberos principal name as the user name and that authenticates using the Kerberos plugin.
Username: User name associated with the MySQL account. The client-side Kerberos authentication plugin combines the user name you provide (for example, skylar) and the realm specified in the user account (for example, MYSQL.LOCAL) to construct the user principal name (UPN), such as skylar@MYSQL.LOCAL. The client-side plugin uses the UPN and password to obtain a ticket-granting ticket (TGT), uses the TGT to obtain a MySQL service ticket (ST), and uses the ST to authenticate to the MySQL server.
Password: Password associated with the MySQL account. If you enter no password here, you are prompted to enter the password when MySQL Workbench attempts to establish the connection. MySQL Workbench can store the password in a vault.

Note: If the kinit command was used to authenticate the Kerberos principal (outside of MySQL Workbench), MySQL Workbench authenticates the user without checking (or prompting) for a password. This behavior applies even when the password is stored in a vault.

Default Schema: When the connection to the server is established, this option sets the schema that becomes the default schema for use in other parts of MySQL Workbench. For simplicity, you can leave the default schema value blank during the initial setup and set the default value later, if needed.
SSL Tab
The SSL options for this connection method are the same as the options described in Section 5.3.1, “Standard TCP/IP Connection Method”.
Advanced Tab
The Path to plugin directory option enables you to specify an alternative path to the client-side plugin. An alternative path might be necessary to ensure that the client-side and server-side plugins remain compatible.
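To round out the Native Kerberos method, here is an added example (not from the MySQL Workbench manual or the MySQL project) of the server side: registering the service principal and keytab the server uses to decrypt the service ticket Workbench presents, and creating an account where, as described above, the user name is only the user part and the BY clause supplies the realm that the client plugin joins into the UPN. The plugin and the authentication_kerberos_service_principal and authentication_kerberos_service_key_tab variables are standard MySQL 8.0 Enterprise Edition names; the realm MYSQL.LOCAL and user skylar come from this section, while the host db.mysql.local and the keytab path are constructed sample values.

```sql
-- Added example (not from the MySQL Workbench manual): server-side setup for
-- the Native Kerberos connection method. Host and keytab path are constructed.
INSTALL PLUGIN authentication_kerberos SONAME 'authentication_kerberos.so';

-- The service principal Workbench requests a service ticket for, and the
-- keytab holding that principal's key. Both must match what the KDC issued.
-- The keytab is a long-term secret: keep it readable by the mysqld account
-- only, and never reuse it for another service.
SET PERSIST authentication_kerberos_service_principal = 'mysql/db.mysql.local@MYSQL.LOCAL';
SET PERSIST authentication_kerberos_service_key_tab   = '/var/lib/mysql/mysql.keytab';

-- The account name is the user part only; the realm goes in the BY clause.
-- The client plugin builds the UPN skylar@MYSQL.LOCAL from these two pieces
-- to obtain a TGT, then a service ticket for the principal set above.
CREATE USER 'skylar'@'%'
  IDENTIFIED WITH authentication_kerberos
  BY 'MYSQL.LOCAL';

-- Verify: the realm is stored with the account and the plugin is ACTIVE.
SELECT user, host, plugin, authentication_string
  FROM mysql.user
 WHERE user = 'skylar';

SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME = 'authentication_kerberos';
```

If a Workbench user has already run kinit for skylar@MYSQL.LOCAL, the connection succeeds without a password prompt, as the note above explains; on the server side that still shows up as an authenticated login through the authentication_kerberos plugin, so the general log or audit plugin records the same user name either way.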