We run a couple dozen different MySQL servers for our users. These use the free/Open Source version of MySQL, not the commercial version. Managing the Account Passwords on these servers is painful.
Are there any plugins which would allow us to use LDAP to help manage the MySQL privileges? At the very least, we would like to obtain some usernames and passwords from the LDAP servers.
We are using MySQL 5.1 and 5.5. We might be willing to upgrade to MySQL 5.6 if that is required to achieve this functionality.
We would prefer that any tools be CLI based and not require a GUI or web interface.
Enterprise MySQL (the version you pay Oracle to license) has a PAM module that allows for LDAP authentication: https://dev.mysql.com/doc/refman/5.5/en/pam-pluggable-authentication.html
MariaDB (a binary compatible version of MySQL developed by Monty) has an open source PAM module available for it: http://kb.askmonty.org/en/pam-authentication-plugin/
I do not have hands-on experience with either - I present them only as features I have heard of but not tested or used myself.
You can use the auth_ldap plugin provided by Infoscope Hellas L.P. under GPL. It can be downloaded from sourceforge here. (Homepage)
The plugin is still a Beta and works only for UNIX installations.
A MySQL proxy can enable this for you using roles. More detail can be found here: https://stackoverflow.com/questions/1329963/using-ldap-ad-for-mysql-authenication and here: http://jan.kneschke.de/2009/6/25/mysql-proxy-roles/
MySQL has a PAM authentication plugin that will let you use any available PAM module to provide authentication services. There is a pam_ldap module that is relatively easy to configure that should allow you to do what you want. The plugin documentation includes an example using LDAP.
I have published in my blog a full example (with source code) of an LDAP Authentication plugin for MySQL.
http://nafiux.com/blog/2012/08/11/mysql-ldap-authentication-plugin/
You can migrate your installations to Percona Server and use one of these two ways to connect MySQL to LDAP by PAM:
http://www.percona.com/doc/percona-pam-for-mysql/intro.html
We are using auth_pam_compat, but you have to remember that the client has to support the Cleartext Client-Side Authentication Plugin.
After some research, I can suggest this:
https://www.percona.com/doc/percona-server/LATEST/management/pam_plugin.html
It is NOT tested, and I have never worked with it; I wanted to suggest it as it may be good.
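A sketch of the Percona auth_pam_compat setup mentioned in the answers above, added here as an example (it is not from any of the posters). The account name alice and the CA path are hypothetical, and pam_ldap is assumed to be already configured on the database host. Because the cleartext client plugin sends the password unencrypted, the example also requires TLS for the account and audits for PAM accounts that do not.

```sql
-- PAM service file read by the Percona plugin (shown as a comment; this is
-- file content, not SQL). Assumed path: /etc/pam.d/mysqld
--
--   auth     required  pam_ldap.so
--   account  required  pam_ldap.so

-- Load the compatibility variant of the plugin. It pairs with the
-- mysql_clear_password client plugin (the "Cleartext Client-Side
-- Authentication Plugin" referred to above).
INSTALL PLUGIN auth_pam_compat SONAME 'auth_pam_compat.so';

-- Hypothetical LDAP-backed account: no password is stored in MySQL,
-- the credential check is delegated to PAM and from there to LDAP.
CREATE USER 'alice'@'%' IDENTIFIED WITH auth_pam_compat;

-- The password crosses the wire in cleartext with this plugin, so refuse
-- any connection for this account that is not TLS-protected.
GRANT USAGE ON *.* TO 'alice'@'%' REQUIRE SSL;

-- Privileges are still managed in MySQL; LDAP only answers
-- "is this password correct for this user".
GRANT SELECT ON appdb.* TO 'alice'@'%';   -- appdb is a hypothetical schema

-- Audit: PAM-authenticated accounts that do NOT require TLS.
-- ssl_type is '' when no REQUIRE clause was set, 'ANY' after REQUIRE SSL.
SELECT user, host, plugin, ssl_type
FROM mysql.user
WHERE plugin IN ('auth_pam', 'auth_pam_compat')
  AND ssl_type = '';

-- Client side (shell, shown as a comment): the cleartext plugin is off by
-- default and has to be enabled explicitly, together with TLS.
--
--   mysql --enable-cleartext-plugin --ssl-ca=/path/to/ca.pem -u alice -p
```

An empty result from the audit query means every PAM-backed account is restricted to TLS connections.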