This is definitely possible. See here: https://www.percona.com/blog/2017/04/21/how-to-setup-and-troubleshoot-percona-pam-with-ldap-for-external-authentication/ In my environment I did not set up Samba or NSS/SSS and I did not join the Windows domain. I just treated the AD server as an LDAP endpoint. So I started from Step 9 onward in the link above. EDIT: Added the instructions from the link above, as suggested by AfroThundr.

Install the Percona PAM plugin:
Configure Percona PAM to authenticate against LDAP by creating /etc/pam.d/mysqld with this content:
Create a MySQL user that will be authenticated via auth_pam:
Log in as this user and check the grants:
Also beware of AppArmor - it will block the auth attempt. You may see a misleading error message in
You need to add the following to
and reload apparmor:
(Thanks to https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1608984 for leading me to the AppArmor part)

DataSunrise for Percona Server for MySQL is a software suite with integrated Database Firewall, Data Audit, Dynamic and Static Data Masking, Sensitive Data Discovery and Regulatory Compliance Automation functionality, which gives full flexibility to be tailored to the specific needs of an organization. Supported Versions: 5.1 and higher

This software documentation is (C)2009-2018 Percona LLC and/or its affiliates and is distributed under the Creative Commons Attribution-ShareAlike 2.0 Generic license.

LDAP (Lightweight Directory Access Protocol) provides an alternative method to access existing directory servers, which maintain information about individuals, groups, and organizations.

Installation

To deploy the plugin, run the command below:

mysql> INSTALL PLUGIN authentication_ldap_simple SONAME 'authentication_ldap_simple.so';
The installation adds the variables below. All of them have global scope and are dynamic (settable with SET GLOBAL at runtime).

authentication_ldap_simple_bind_base_dn
    Base distinguished name (DN). Default: none. Type: string.

authentication_ldap_simple_bind_root_dn
    Root distinguished name (DN), i.e. the DN the plugin binds as when it has to search the directory. Default: none. Type: string.

authentication_ldap_simple_bind_root_pwd
    Password for the root distinguished name. Default: none. Type: string.

authentication_ldap_simple_ca_path
    Absolute path of the certificate authority file used to verify the LDAP server certificate. Default: none. Type: string.

authentication_ldap_simple_group_search_attr
    Name of the attribute that specifies the group names in LDAP directory entries. Default: CN. Type: string.

authentication_ldap_simple_group_search_filter
    Custom group search filter. Default: (|(&(objectClass=posixGroup)(memberUid={UA}))(&(objectClass=group)(member={UD}))). Type: string.

authentication_ldap_simple_init_pool_size
    Initial size of the connection pool to the LDAP server. Default: 10. Minimum: 1. Maximum: 32767. Type: uint.

authentication_ldap_simple_log_status
    Logging level. Default: 1. Minimum: 1. Maximum: 5. Type: uint.

authentication_ldap_simple_max_pool_size
    Maximum size of the pool of connections to the LDAP server. Default: 1000. Minimum: 1. Maximum: 32767. Type: uint.

authentication_ldap_simple_server_host
    LDAP server host. Default: none. Type: string.

authentication_ldap_simple_server_port
    LDAP server TCP/IP port number. Default: 389. Minimum: 1. Maximum: 65535. Type: uint.

authentication_ldap_simple_ssl
    Whether the plugin's connections to the LDAP server use the SSL protocol (ldaps://). Default: OFF. Type: bool.

authentication_ldap_simple_tls
    Whether the plugin's connections to the LDAP server are secured with STARTTLS (ldap://). Default: OFF. Type: bool.

authentication_ldap_simple_user_search_attr
    Name of the attribute that specifies user names in LDAP directory entries. Default: uid. Type: string.

For simple LDAP authentication, you must create the user with either CREATE USER ... IDENTIFIED WITH authentication_ldap_simple; or CREATE USER ... IDENTIFIED WITH authentication_ldap_simple BY 'cn=[user name],ou=[organization unit],dc=[domain component],dc=com'

Note: If you create a user with CREATE USER ... IDENTIFIED WITH authentication_ldap_simple; or CREATE USER ...
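As an added example that is not part of the Percona documentation or the answer above, here is an end-to-end configuration of the simple-LDAP plugin in SQL: the insecure plain ldap:// setting beside the STARTTLS, CA-verified one, the bind credentials and search base, and two accounts, one with an explicit DN and one left to the plugin to look up. The host name, DNs, CA path, passwords and the app database are assumptions. That an account created without a DN is located by searching bind_base_dn on user_search_attr is my reading of the variable set, not something this page states.

```sql
-- Added example; not code from the Percona documentation or the forum answer.
-- Host, DNs, CA path, passwords and the "app" schema are illustrative assumptions.

INSTALL PLUGIN authentication_ldap_simple SONAME 'authentication_ldap_simple.so';

-- Weak configuration: simple bind over plain ldap://. The user's password
-- travels to the directory in cleartext and the server is not verified.
SET GLOBAL authentication_ldap_simple_server_host = 'ldap.example.com';
SET GLOBAL authentication_ldap_simple_server_port = 389;
SET GLOBAL authentication_ldap_simple_ssl = OFF;
SET GLOBAL authentication_ldap_simple_tls = OFF;

-- Hardened configuration: STARTTLS on the same port (ssl = ON with port 636
-- for ldaps:// is the alternative) and a CA file so the directory's
-- certificate is actually checked rather than just encrypted to.
SET GLOBAL authentication_ldap_simple_tls = ON;
SET GLOBAL authentication_ldap_simple_ca_path = '/etc/ssl/certs/corp-ldap-ca.pem';

-- Service account and search scope used when the plugin has to find a DN.
-- Assumed: a low-privilege, read-only directory account.
SET GLOBAL authentication_ldap_simple_bind_root_dn  = 'cn=mysql-bind,ou=svc,dc=example,dc=com';
SET GLOBAL authentication_ldap_simple_bind_root_pwd = 'bind-password-here';
SET GLOBAL authentication_ldap_simple_bind_base_dn  = 'ou=people,dc=example,dc=com';
SET GLOBAL authentication_ldap_simple_user_search_attr  = 'uid';
SET GLOBAL authentication_ldap_simple_group_search_attr = 'CN';
SET GLOBAL authentication_ldap_simple_log_status = 1;

-- Account with an explicit DN: the plugin binds as exactly this entry.
-- REQUIRE SSL keeps the cleartext password off the client-to-MySQL hop too.
CREATE USER 'alice'@'%'
  IDENTIFIED WITH authentication_ldap_simple BY 'cn=alice,ou=people,dc=example,dc=com'
  REQUIRE SSL;

-- Account without a DN: assumed to be resolved by searching bind_base_dn
-- for uid=bob using the bind_root_dn credentials above.
CREATE USER 'bob'@'%'
  IDENTIFIED WITH authentication_ldap_simple
  REQUIRE SSL;

GRANT SELECT ON app.* TO 'alice'@'%', 'bob'@'%';

-- Verify what is in effect. bind_root_pwd is shown in this output, so do not
-- paste it into a ticket or chat.
SHOW GLOBAL VARIABLES LIKE 'authentication_ldap_simple_%';
SHOW GRANTS FOR 'alice'@'%';
```

Simple LDAP authentication means the client hands MySQL the user's password in cleartext (the mysql_clear_password client-side plugin, which the mysql client only enables with --enable-cleartext-plugin) and MySQL then performs a simple bind with it; TLS on both hops, REQUIRE SSL on the account and tls or ssl ON towards the directory, is what keeps that password off the wire. SET GLOBAL does not survive a restart, so mirror the same settings in my.cnf once they are verified.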