MySQL Enterprise Edition supports an authentication method that enables MySQL Server to use LDAP (Lightweight Directory Access Protocol) to authenticate MySQL users by accessing directory services such as X.500. MySQL uses LDAP to fetch user, credential, and group information.
The same user names, passwords, and permissions can be reused, which enhances security by leveraging existing AD policies for strong password enforcement, password expiry, and so on.
LDAP authentication enables MySQL Server to accept connections from users defined outside the MySQL grant tables in LDAP directories.
Integrate an existing AD with MySQL Enterprise hosted on Linux in 2 steps
- Microsoft AD or Azure AD.
- Sufficient privileges to create an AD user on the Windows AD Domain Controller or in Azure.
- Connectivity between the Domain Controller (DC) and the Linux server. The appropriate TCP/UDP ports need to be allowed in Security Groups or firewalls:
  - Windows AD DNS port: 53
  - Windows AD LDAP port: 389
  - MySQL Server port for clients: default 3306.
- For this experiment, we used tessellpoc.com as the AD domain/forest and <user_name>@tessellpoc.com as the user for credentials.
For example below we have used Microsoft AD implementation from AWS Directory Services.
For creating a new AD in AWS, please refer to Active Directory – AWS Directory Service – AWS.
Enable/Install LDAP Client Libraries in Linux OS
- Install the openldap client libraries on the MySQL Server host.
- Obtain the AD Domain Controller's IP address by logging in to the AD Server.
- Test that telnet to the DC (port 389) succeeds from the MySQL Server.
  - Make a manual entry in the /etc/hosts file on the MySQL Server if DNS resolution fails.
- Test LDAP authentication by running ldapsearch against the AD Server.
  - ldapsearch using SIMPLE authentication. In the example below, the AD user is firstname.lastname@example.org.
Enable LDAP Server Side plugin in MySQL Enterprise
- MySQL supports two types of authentication methods using LDAP - LDAP Simple and LDAP SASL. We will demonstrate the use of LDAP Simple method due to its compatibility with Microsoft AD Server.
- The server-side plugin file authentication_ldap_simple.so is already shipped with the MySQL Enterprise software distribution under <default installation path>/lib/plugin/
  - Modify or add the following server-side variables in
- Alternatively, the plugin can be loaded at runtime using the steps below.
- Check the plugin status.
- Create a MySQL user with the same user name as the AD user, as shown below. Repeat this for every user who needs database access.
  - The Distinguished Name suffix can be obtained from the AD Server using ldapsearch (example given above).
  - For email@example.com, the DN is
- Use the MySQL client to authenticate. Here we use the MySQL client that resides on the MySQL Server host.
  - For LDAP simple authentication configured with the server-side authentication_ldap_simple plugin, invoke client programs (the mysql client) with the --enable-cleartext-plugin option to enable the client-side mysql_clear_password plugin. For example:
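The MySQL-side steps of the procedure above, collected into one script as an added example (not code from the original post). The DC address, the CN=Users container, the account names and the appdb schema are constructed placeholders; adjust them to the DN that ldapsearch returns for your directory.

```sql
-- Added example, not from the original post. Constructed values: the DC IP,
-- the CN=Users container, the account names and the appdb schema.

-- 1. Load the server-side plugin at runtime. INSTALL PLUGIN records it in
--    mysql.plugin, so it is reloaded on restart (plugin-load-add in my.cnf
--    is the config-file alternative).
INSTALL PLUGIN authentication_ldap_simple SONAME 'authentication_ldap_simple.so';

-- 2. Point the plugin at the AD Domain Controller (plain LDAP on 389, the
--    port opened in the prerequisites). SET GLOBAL is lost on restart; put
--    the same keys in my.cnf (or use SET PERSIST on MySQL 8.0) to keep them.
SET GLOBAL authentication_ldap_simple_server_host = '10.0.0.10';   -- constructed DC IP
SET GLOBAL authentication_ldap_simple_server_port = 389;
SET GLOBAL authentication_ldap_simple_bind_base_dn = 'DC=tessellpoc,DC=com';
-- Higher values log more LDAP detail to the error log; useful while integrating.
SET GLOBAL authentication_ldap_simple_log_status = 2;

-- 3. Check the plugin status (should report ACTIVE).
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME = 'authentication_ldap_simple';

-- 4a. Account whose auth string is the full DN returned by ldapsearch.
--     mysql_clear_password sends the AD password unencrypted to MySQL, so
--     REQUIRE SSL forces the client to connect over TLS.
CREATE USER 'firstname.lastname'@'%'
  IDENTIFIED WITH authentication_ldap_simple
  AS 'CN=firstname.lastname,CN=Users,DC=tessellpoc,DC=com'
  REQUIRE SSL;

-- 4b. Same result using only the DN suffix: a leading '+' tells the plugin
--     to build 'CN=<mysql user name>,<suffix>' itself, so one suffix can be
--     reused for every user in that container.
CREATE USER 'another.user'@'%'
  IDENTIFIED WITH authentication_ldap_simple
  AS '+CN=Users,DC=tessellpoc,DC=com'
  REQUIRE SSL;

-- 5. Grant only what the AD user needs; AD authenticates, MySQL authorizes.
GRANT SELECT ON appdb.* TO 'firstname.lastname'@'%';

-- 6. Client-side test, run from the shell on the MySQL Server host
--    (password is the AD password; --ssl-mode=REQUIRED matches REQUIRE SSL):
--    mysql --enable-cleartext-plugin --ssl-mode=REQUIRED \
--          -h 127.0.0.1 -u firstname.lastname -p
```

If the bind fails, raise authentication_ldap_simple_log_status and compare the DN logged by MySQL with the distinguishedName attribute that ldapsearch returned for the same user.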
With these readily available MySQL Enterprise Edition plugins, AD authentication over LDAP is now integrated, bringing AD's advanced security features and centralized credential management to MySQL users.