LDAP Improvements in Percona Server for MySQL

Percona Server for MySQL 8.0.30-22 introduces several improvements to the LDAP authentication plugin: SASL support, support for fallback servers, and LDAP-based authorization. All of these improvements are in technical preview.

A description of the existing plugin features and usage instructions are available in the earlier blog post introducing the LDAP simple plugin, and in the Percona Server for MySQL documentation.

SASL connections

We introduced a new plugin modeled on the MySQL Enterprise authentication_ldap_sasl plugin. It is configured the same way as the simple authentication plugin, except that the “simple” in the variable names becomes “sasl”. For example, the counterpart of authentication_ldap_simple_server_host is authentication_ldap_sasl_server_host.

On the client side, instead of the clear-text password plugin, SASL authentication uses the authentication_ldap_sasl_client plugin. With SCRAM the password itself is never sent over the wire, so the MySQL authentication exchange is protected even without an SSL connection between the MySQL client and server (the rest of the session is still unencrypted without SSL). While SASL supports multiple authentication mechanisms, the plugin currently supports only the SCRAM-SHA-1 mechanism.

Please note that, although the MySQL authentication exchange is protected even without SSL, for SASL to work the LDAP server has to store the password either in clear text or in a reversibly encrypted form, which is less secure than the default hashed storage. Because of this, the simple plugin with an SSL connection between the MySQL server and client should be preferred over the SASL plugin wherever possible.
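The following is an added example of the SASL plugin setup, not code from the original post or from Percona's documentation. Only the *_server_host variable is named in the post; the plugin library name and the bind/search variables are assumed to mirror the simple plugin's, and every hostname, DN and password is a placeholder.

```sql
-- Added example (not from the original post). Assumptions: the library is
-- named authentication_ldap_sasl.so and the *_bind_* / *_user_search_attr
-- variables exist with the same names as for the simple plugin.
INSTALL PLUGIN authentication_ldap_sasl SONAME 'authentication_ldap_sasl.so';

-- Where to find the directory and how to bind for user lookups (placeholders).
SET GLOBAL authentication_ldap_sasl_server_host     = 'ldap1.example.com';
SET GLOBAL authentication_ldap_sasl_server_port     = 389;
SET GLOBAL authentication_ldap_sasl_bind_base_dn    = 'ou=People,dc=example,dc=com';
SET GLOBAL authentication_ldap_sasl_bind_root_dn    = 'cn=mysql-bind,dc=example,dc=com';
SET GLOBAL authentication_ldap_sasl_bind_root_pwd   = 'bind-password';
SET GLOBAL authentication_ldap_sasl_user_search_attr = 'uid';

-- A MySQL account that authenticates through the SASL plugin; the
-- authentication string is the user's LDAP DN.
CREATE USER 'betsy'@'%' IDENTIFIED WITH authentication_ldap_sasl
  BY 'uid=betsy,ou=People,dc=example,dc=com';

-- Sanity check: confirm the plugin is active before pointing clients at it.
SELECT plugin_name, plugin_status FROM information_schema.plugins
 WHERE plugin_name = 'authentication_ldap_sasl';
```

The mysql client must be able to load authentication_ldap_sasl_client from its plugin directory; unlike the simple plugin, no --enable-cleartext-plugin switch is involved, because the SCRAM exchange never transmits the password. SET GLOBAL does not survive a restart, so put the same settings in my.cnf or use SET PERSIST for production.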

Fallback server

Both the simple and the SASL plugins support one or more fallback servers. This is implemented using two new variables:

  • authentication_ldap_<simple/sasl>_fallback_server_host
  • authentication_ldap_<simple/sasl>_fallback_server_port

By default the host variable is empty and the port variable is 0, which leaves the default behavior unchanged: only a single server is used.

Setting the port variable to the LDAP server's port and the host variable to a hostname, in the same way as the main server and port variables, enables the fallback server: when the primary server becomes unavailable, the plugin tries the fallback server, and if that works it keeps using the fallback server.

The plugins use connection pooling internally, and they do not automatically switch back to the primary server. New connections try the primary server first, but existing pooled connections may keep using the fallback server for a while, even after the primary is available again.

Alternatively, if multiple fallback servers are needed, the port variable can be left at 0 and several connection strings specified in the host variable, in the form “ldap://host1:port1,ldap://host2:port2,…”.

In this case the server tries all listed hosts before giving up.
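Both fallback configurations side by side, as an added example that is not part of the original post. The variable names are the ones the post describes for the simple plugin; the hostnames and ports are placeholders.

```sql
-- Added example (not from the original post); hostnames/ports are placeholders.

-- Form 1: one fallback server, configured exactly like the primary.
SET GLOBAL authentication_ldap_simple_server_host          = 'ldap1.example.com';
SET GLOBAL authentication_ldap_simple_server_port          = 389;
SET GLOBAL authentication_ldap_simple_fallback_server_host = 'ldap2.example.com';
SET GLOBAL authentication_ldap_simple_fallback_server_port = 389;

-- Form 2: several fallback servers. The port variable must stay at 0 and the
-- host variable carries a comma-separated list of ldap:// URIs, each with its
-- own port. Reset the port first so the two forms are not mixed.
SET GLOBAL authentication_ldap_simple_fallback_server_port = 0;
SET GLOBAL authentication_ldap_simple_fallback_server_host =
  'ldap://ldap2.example.com:389,ldap://ldap3.example.com:389';

-- Check what is in effect. An empty host with port 0 is the default: no
-- fallback at all, so a typo that leaves these unset fails silently.
SHOW GLOBAL VARIABLES LIKE 'authentication_ldap_simple_fallback%';
```

For the SASL plugin replace “simple” with “sasl” in every variable name. Because existing pooled connections may keep using a fallback after the primary recovers, expect LDAP traffic to the fallback for some time after a failover and do not read it as a sign that the primary is still down.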

LDAP-based authorization

Percona Server for MySQL 8.0.30-22 introduces a new feature that not only authenticates users against LDAP but also assigns MySQL roles to them based on their LDAP group membership.

This feature is controlled by a global system variable, authentication_ldap_<simple/sasl>_group_role_mapping. The variable is empty by default, which leaves the existing behavior unchanged: users authenticating with LDAP get no additional roles.

To enable the feature, specify LDAP group and MySQL role pairs in the format “ldap_group1=mysql_role1,ldap_group2=mysql_role2,…”.

When a user authenticates with LDAP and is a member of the “ldap_group1” LDAP group, it is automatically granted the “mysql_role1” role and all privileges associated with it. Similarly, a member of the “ldap_group2” LDAP group is granted the “mysql_role2” role.

Because these roles are assigned during authentication, they only show up in commands such as SHOW GRANTS after the user has logged in to the server at least once. For the same reason, these roles can't be removed with ALTER USER: doing so would be misleading, since the next login would assign the role again.
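An end-to-end setup of the group-to-role mapping, as an added example that is not from the original post. Role names, group names and the user DN are placeholders; the post does not say whether the LDAP group is written as a short name or a full DN, so the short names below are an assumption.

```sql
-- Added example (not from the original post). Roles, groups and the DN are
-- placeholders; the group spelling (short name vs. DN) is an assumption.

-- 1. Roles carry the privileges; LDAP users never get grants directly.
CREATE ROLE IF NOT EXISTS 'app_reader', 'app_dba';
GRANT SELECT ON app.* TO 'app_reader';
GRANT ALL PRIVILEGES ON app.* TO 'app_dba';

-- 2. Map LDAP groups to those roles: ldap_group=mysql_role pairs, comma-separated.
SET GLOBAL authentication_ldap_simple_group_role_mapping =
  'readers=app_reader,dbas=app_dba';

-- 3. The LDAP-authenticated account itself carries only USAGE.
CREATE USER 'betsy'@'%' IDENTIFIED WITH authentication_ldap_simple
  BY 'uid=betsy,ou=People,dc=example,dc=com';

-- 4. Before betsy's first login this lists only the USAGE grant; once she
--    has authenticated at least once, the role(s) mapped from her LDAP
--    groups appear here too.
SHOW GRANTS FOR 'betsy'@'%';

-- 5. Membership is re-evaluated at login, so to take access away remove the
--    user from the LDAP group (or drop the pair from the mapping) rather than
--    editing the MySQL account.
SHOW GLOBAL VARIABLES LIKE 'authentication_ldap_simple_group_role_mapping';
```

Keep the role privileges minimal and review the mapping string alongside the LDAP group membership: a user added to the “dbas” group in the directory becomes a MySQL DBA on the next login without any change on the database server, so the directory's group administrators are effectively part of the database's privilege model.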
