5.3.4 LDAP and Native Kerberos Connection Methods

MySQL Enterprise Edition supports authentication methods that enable MySQL Server to use LDAP (Lightweight Directory Access Protocol), LDAP with Kerberos, or native Kerberos to authenticate MySQL users. MySQL Workbench 8.0.27 (and later) provides several connection methods that permit you to use LDAP and Kerberos authentication.

Note

The server-side LDAP and Kerberos authentication plugins are included only in MySQL Enterprise Edition. These server-side plugins are not included in MySQL community distributions. The client-side plugins are included in all MySQL Workbench distributions, including community distributions. This enables users from any MySQL Workbench distribution to connect to a server that has the server-side plugin loaded.

Although MySQL Workbench includes the client-side plugins in all distributions, specific support for LDAP and Kerberos authentication is platform dependent. For example, authentication is not supported when MySQL Workbench is running on macOS. The following table shows the platform support for each connection method.

Table 5.1 Connection Methods and Supported Platforms

Connection Method      Windows         Linux           macOS
LDAP User/Password     Supported       Supported       Not supported
LDAP Sasl/Kerberos     Not supported   Supported       Not supported
Native Kerberos        Supported       Supported       Not supported

In general, the following requirements must be satisfied to use LDAP or Kerberos pluggable authentication:

  • Server-side and client-side plugins need to be compatible, and the server-side plugin must be installed. To minimize the potential for incompatibilities, upgrade the server and MySQL Workbench in a timely manner.

  • MySQL Enterprise Edition must be configured for the type of authentication protocol in use. Specific libraries, services, and servers that apply to each authentication method must be available to MySQL Server.

    Note

    MySQL Workbench restricts the use of SASL-based LDAP authentication to configurations using the Generic Security Service Application Program Interface (GSSAPI)/Kerberos authentication method. The exclusive use of SASL messages for secure transmission of credentials within the LDAP protocol is not supported.

  • A MySQL user account must be created or altered with syntax that specifies how the account authenticates. For example, to create an account for skylar using simple LDAP authentication (and the LDAP User/Password connection method), use a form of syntax similar to:

    CREATE USER 'skylar'@'localhost'
      IDENTIFIED WITH authentication_ldap_simple
      [BY 'LDAP user DN'];

    The BY clause in this example indicates which LDAP entry the MySQL account authenticates against. Specific attributes of the distinguished name (DN) may vary depending on the LDAP server.
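The following statements, an added example that is not part of the MySQL Workbench manual, show the account form for each of the three connection methods this section covers and a check of the result; the DNs, the realm MYSQL.LOCAL and the host parts are assumed placeholder values, and a server would normally use one method per account.

```sql
-- Added example (not from the MySQL Workbench manual). DNs, realm and
-- host parts are placeholders; adjust them to your directory and realm.

-- 0. Confirm the server-side plugins are loaded (Enterprise Edition only).
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME IN ('authentication_ldap_simple',
                       'authentication_ldap_sasl',
                       'authentication_kerberos');

-- 1. LDAP User/Password (simple bind). The client sends the LDAP password
--    via mysql_clear_password, so require TLS on the account itself rather
--    than relying only on the Workbench SSL default.
CREATE USER 'skylar'@'localhost'
  IDENTIFIED WITH authentication_ldap_simple
  BY 'uid=skylar,ou=People,dc=example,dc=com'
  REQUIRE SSL;

-- 2. LDAP Sasl/Kerberos (GSSAPI; Workbench supports it on Linux only).
--    The MySQL user name carries the realm, and the server-side SASL
--    method must be GSSAPI.
SET GLOBAL authentication_ldap_sasl_auth_method_name = 'GSSAPI';
CREATE USER 'skylar@MYSQL.LOCAL'@'localhost'
  IDENTIFIED WITH authentication_ldap_sasl
  BY 'uid=skylar,ou=People,dc=MYSQL,dc=LOCAL';

-- 3. Native Kerberos. The BY clause holds the realm that the client-side
--    plugin appends to the user name to build the UPN skylar@MYSQL.LOCAL.
--    (Distinct user/host pair from step 1: one plugin per account.)
CREATE USER 'skylar'@'%'
  IDENTIFIED WITH authentication_kerberos
  BY 'MYSQL.LOCAL';

-- Verify which plugin each account uses and whether TLS is enforced.
SELECT User, Host, plugin, ssl_type
  FROM mysql.user
 WHERE User LIKE 'skylar%';
```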

To set up the client-side connection from MySQL Workbench:

  1. Click the manage connections icon on the home screen to open the Manage Server Connections dialog.

  2. From the Connection tab, select the LDAP User/Password, LDAP Sasl/Kerberos, or Native Kerberos connection method from the list.

    Figure 5.16 Manage Server Connections - LDAP and Kerberos Authentication

With the server requirements satisfied, you can configure the parameters of the named connection from MySQL Workbench. The remainder of this section identifies the settings for each connection method.

LDAP User/Password

MySQL uses LDAP to fetch user, credential, and group information. MySQL Workbench users connect to the MySQL server by providing the MySQL user name and LDAP password.

The LDAP User/Password connection method supports simple LDAP authentication. The mysql_clear_password client-side plugin is compatible with the authentication_ldap_simple server-side plugin. MySQL Workbench enables the client-side mysql_clear_password authentication plugin explicitly for this connection method.

The server-side plugin must be loaded before you begin (see Installing LDAP Pluggable Authentication). For an overview of how LDAP authentication works with MySQL, see How LDAP Authentication of MySQL Users Works.

Connection values for the LDAP User/Password connection method include:

Parameters Tab

  • Hostname: The host name or IP address of the MySQL server that communicates with the LDAP server.

  • Username: User name of the account to be authenticated. LDAP users to be authenticated by MySQL must be present in the directory managed by the LDAP server.

  • Password: The LDAP password of the user account. If you enter no password here, you are prompted to enter the password when MySQL Workbench attempts to establish the connection. MySQL Workbench can store the password in a vault.

  • Default Schema: When the connection to the server is established, this option sets the schema that becomes the default schema for use in other parts of MySQL Workbench. For simplicity, you can leave the default schema value blank during the initial setup and set the default value later, if needed.

SSL Tab

The SSL options for this connection method are the same as the options described in Section 5.3.1, “Standard TCP/IP Connection Method”. MySQL Workbench enables SSL by default.

LDAP Sasl/Kerberos

The LDAP Sasl/Kerberos connection method is supported as an LDAP authentication method for MySQL servers and MySQL Workbench on Linux only. Using the GSSAPI security abstraction interface, a connection of this type authenticates to Kerberos to obtain service credentials, then uses those credentials in turn to enable secure access to other services. A GSSAPI library and Kerberos services must be available to MySQL Server (see The GSSAPI/Kerberos Authentication Method).

Tip

If the Linux environment hosting MySQL Workbench has access to LDAP through Microsoft Active Directory, then Kerberos is enabled by default.

MySQL Workbench provides the authentication_ldap_sasl_client client-side plugin to support this connection method. It is compatible with the authentication_ldap_sasl server-side plugin, which must be installed on the MySQL server hosting the connection (see Installing LDAP Pluggable Authentication). Also, the authentication_ldap_sasl_auth_method_name system variable must be set to use the GSSAPI method. For additional variables that can (or should) be configured when using the server-side plugin, see Configure the Server-Side SASL LDAP Authentication Plugin for GSSAPI/Kerberos.

Connection values for the LDAP Sasl/Kerberos connection method include:

Parameters Tab

  • Hostname: The host name or IP address of the MySQL server with an account that has the Kerberos principal name as the user name and that authenticates using the SASL LDAP plugin.

  • Username: User name of the Kerberos principal associated with the MySQL account. For LDAP Kerberos authentication, the user part of the account name includes the principal domain, so user@default_realm (for example, skylar@MYSQL.LOCAL) is the user name.

  • Password: Password of the Kerberos principal associated with the MySQL account. If you enter no password here, you are prompted to enter the password when MySQL Workbench attempts to establish the connection. MySQL Workbench can store the password in a vault.

  • Default Schema: When the connection to the server is established, this option sets the schema that becomes the default schema for use in other parts of MySQL Workbench. For simplicity, you can leave the default schema value blank during the initial setup and set the default value later, if needed.

SSL Tab

The SSL options for this connection method are the same as the options described in Section 5.3.1, “Standard TCP/IP Connection Method”. MySQL Workbench enables SSL by default.

Advanced Tab

The Path to plugin directory option enables you to specify an alternative path to the client-side plugin. An alternative path might be necessary to ensure that the client-side and server-side plugins remain compatible.

Native Kerberos

The Native Kerberos connection method authenticates a MySQL user with authentication tokens generated by the kinit command. Using this connection method, MySQL Workbench and MySQL servers are able to use the Kerberos authentication protocol to mutually authenticate users and MySQL services, so that both the user and the server can verify each other's identity. No passwords are sent over the network, and Kerberos protocol messages are protected against eavesdropping and replay attacks.

MySQL Workbench provides the authentication_kerberos_client client-side plugin to support this connection method. It is compatible with the authentication_kerberos server-side plugin, which must be installed and loaded on the MySQL server hosting the connection (see Installing Kerberos Pluggable Authentication).

For server configuration setup details and an operational overview of Kerberos authentication, see:

Connection values for the Native Kerberos connection method include:

Parameters Tab

  • Hostname: The host name or IP address of the MySQL server with an account that has the Kerberos principal name as the user name and that authenticates using the Kerberos plugin.

  • Username: User name associated with the MySQL account.

    The client-side Kerberos authentication plugin combines the user name you provide (for example, skylar) and the realm specified in the user account (for example, MYSQL.LOCAL) to construct the user principal name (UPN), such as skylar@MYSQL.LOCAL. The client-side plugin uses the UPN and password to obtain a ticket-granting ticket (TGT), uses the TGT to obtain a MySQL service ticket (ST), and uses the ST to authenticate to the MySQL server.

  • Password: Password associated with the MySQL account. If you enter no password here, you are prompted to enter the password when MySQL Workbench attempts to establish the connection. MySQL Workbench can store the password in a vault.

    Note

    If the kinit command is used to authenticate a Kerberos principal name (outside of MySQL Workbench), MySQL Workbench authorizes the user without checking (or prompting) for a password. This behavior applies even when the password is stored in a vault.

  • Default Schema: When the connection to the server is established, this option sets the schema that becomes the default schema for use in other parts of MySQL Workbench. For simplicity, you can leave the default schema value blank during the initial setup and set the default value later, if needed.

SSL Tab

The SSL options for this connection method are the same as the options described in Section 5.3.1, “Standard TCP/IP Connection Method”. MySQL Workbench enables SSL by default.

Advanced Tab

The Path to plugin directory option enables you to specify an alternative path to the client-side plugin. An alternative path might be necessary to ensure that the client-side and server-side plugins remain compatible.