How to use Percona MySQL LDAP authentication

This is definitely possible. See here: https://www.percona.com/blog/2017/04/21/how-to-setup-and-troubleshoot-percona-pam-with-ldap-for-external-authentication/

In my environment I did not set up Samba or NSS/SSS and I did not join a Windows domain. I just treated the AD server as an LDAP endpoint, so I started from Step 9 in the directions above.

EDIT: Added the instructions from the link above, as suggested by AfroThundr

Install the Percona PAM plugin:

mysql> INSTALL PLUGIN auth_pam SONAME 'auth_pam.so';
Query OK, 0 rows affected (0.01 sec)

mysql> INSTALL PLUGIN auth_pam_compat SONAME 'auth_pam_compat.so';
Query OK, 0 rows affected (0.00 sec)

Configure Percona PAM to authenticate against LDAP by creating /etc/pam.d/mysqld with this content:

auth required pam_ldap.so
account required pam_ldap.so

Create a MySQL user that will be authenticated via auth_pam:

mysql> CREATE USER user@'%' IDENTIFIED WITH auth_pam;
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON testdb.* TO user@'%';
Query OK, 0 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

Log in as this user and check the grants:

[root@ps-20 ~]# mysql -u user
Password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 22
Server version: 5.7.17-13 Percona Server (GPL), Release 13, Revision fd33d43

Copyright (c) 2009-2016 Percona LLC and/or its affiliates
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> SHOW GRANTS;
+--------------------------------------------------+
| Grants for user@%                                |
+--------------------------------------------------+
| GRANT USAGE ON *.* TO 'user'@'%'                 |
| GRANT ALL PRIVILEGES ON `testdb`.* TO 'user'@'%' |
+--------------------------------------------------+

Also beware of AppArmor - it will block the auth attempt. You may see misleading error messages in /var/log/auth.log:

Feb 12 13:37:36 mysqld[15164]: PAM _pam_init_handlers: no default config /etc/pam.d/other
Feb 12 13:37:36 mysqld[15164]: PAM error reading PAM configuration file
Feb 12 13:37:36 mysqld[15164]: PAM pam_start: failed to initialize handlers

You need to add the following to /etc/apparmor.d/local/usr.sbin.mysqld:

#include

and reload apparmor:

service apparmor restart

(Thanks to https://bugs.launchpad.net/ubuntu/+source/squid/+bug/1608984 for leading me to the AppArmor part)
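
The steps in the answer above, as a script with the checks a practitioner wants around them. This is an added example and not code from the answer or from Percona. It assumes an LDAP account "alice", a database "testdb", and a MySQL root login that works over the local socket; none of these are in the original. One thing it adds to the answer's CREATE USER is REQUIRE SSL: auth_pam authenticates with the client's mysql_clear_password plugin, so the LDAP password crosses the MySQL connection in the clear unless that connection is TLS.

```shell
#!/bin/sh
# Added example, not code from the original answer: the PAM/LDAP steps above as a
# script, with the checks a practitioner wants around them. Assumed, not in the
# original: an LDAP account "alice", a database "testdb", and a MySQL root login
# that works over the local socket without a password prompt.
set -eu

PAM_SERVICE_FILE=/etc/pam.d/mysqld   # service name Percona's auth_pam looks up by default
AUTH_LOG=/var/log/auth.log

# The PAM stack from the answer: pam_ldap does both authentication and account checks.
pam_mysqld_config() {
  printf '%s\n' 'auth    required pam_ldap.so' \
                'account required pam_ldap.so'
}

# SQL for an LDAP-backed account. REQUIRE SSL is added on top of the answer's
# statement: auth_pam needs the client's mysql_clear_password plugin, so the LDAP
# password crosses the MySQL connection in the clear unless that connection is TLS.
ldap_user_sql() {
  user=$1
  db=$2
  printf '%s\n' \
    "CREATE USER IF NOT EXISTS '${user}'@'%' IDENTIFIED WITH auth_pam REQUIRE SSL;" \
    "GRANT ALL PRIVILEGES ON \`${db}\`.* TO '${user}'@'%';"
}

# Recognise the auth.log symptom quoted in the answer: mysqld could not read
# /etc/pam.d, so PAM never initialised. Returns 0 for a matching line.
is_apparmor_pam_failure() {
  case "$1" in
    *"mysqld["*"]: PAM pam_start: failed to initialize handlers"*) return 0 ;;
    *"mysqld["*"]: PAM error reading PAM configuration file"*)     return 0 ;;
    *) return 1 ;;
  esac
}

# Count such lines on stdin (e.g. from /var/log/auth.log); prints the count.
count_apparmor_pam_failures() {
  n=0
  while IFS= read -r line; do
    if is_apparmor_pam_failure "$line"; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Install auth_pam only if it is not already loaded (INSTALL PLUGIN errors otherwise).
ensure_auth_pam_plugin() {
  loaded=$(mysql -Nse "SELECT COUNT(*) FROM information_schema.PLUGINS WHERE PLUGIN_NAME='auth_pam'")
  if [ "$loaded" = "0" ]; then
    mysql -e "INSTALL PLUGIN auth_pam SONAME 'auth_pam.so';"
  fi
}

apply() {
  umask 022
  pam_mysqld_config > "$PAM_SERVICE_FILE"
  ensure_auth_pam_plugin
  ldap_user_sql alice testdb | mysql
  # Same login as in the answer, with the cleartext plugin made explicit and TLS
  # required on the MySQL side; -p prompts for the LDAP password.
  if ! mysql --enable-cleartext-plugin --ssl-mode=REQUIRED -u alice -p -e 'SHOW GRANTS'; then
    echo "login failed; checking $AUTH_LOG for the AppArmor symptom" >&2
    if [ "$(count_apparmor_pam_failures < "$AUTH_LOG")" -gt 0 ]; then
      echo "PAM could not read $PAM_SERVICE_FILE: apply the AppArmor include from the answer and restart apparmor" >&2
    fi
    exit 1
  fi
}

# Only touch the system when asked explicitly:  sh setup-ldap-auth.sh apply
if [ "${1:-}" = "apply" ]; then
  apply
fi
```

Run it with the `apply` argument on the database host. If the login fails and the auth.log check fires, the cause is the AppArmor confinement described in the answer, not a wrong LDAP password; fix the profile and restart apparmor before retrying.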


This software documentation is (C)2009-2018 Percona LLC and/or its affiliates and is distributed under the Creative Commons Attribution-ShareAlike 2.0 Generic license.

LDAP (Lightweight Directory Access Protocol) provides an alternative method to access existing directory servers, which maintain information about individuals, groups, and organizations.

Installation

To deploy the plugin, run the command below:

mysql> INSTALL PLUGIN authentication_ldap_simple SONAME 'authentication_ldap_simple.so';

The installation adds the variables below:

Name | Description | Default | Minimum | Maximum | Scope | Dynamic | Type
authentication_ldap_simple_bind_base_dn | Base distinguished name (DN) | | | | global | Yes | string
authentication_ldap_simple_bind_root_dn | Root distinguished name (DN) | | | | global | Yes | string
authentication_ldap_simple_bind_root_pwd | Password for the root distinguished name | | | | global | Yes | string
authentication_ldap_simple_ca_path | Absolute path of the certificate authority file | | | | global | Yes | string
authentication_ldap_simple_group_search_attr | Name of the attribute that specifies the group names in LDAP directory entries | CN | | | global | Yes | string
authentication_ldap_simple_group_search_filter | Custom group search filter | (|(&(objectClass=posixGroup)(memberUid={UA}))(&(objectClass=group)(member={UD}))) | | | global | Yes | string
authentication_ldap_simple_init_pool_size | Initial size of the connection pool to the LDAP server | 10 | 1 | 32767 | global | Yes | uint
authentication_ldap_simple_log_status | Logging level | 1 | 1 | 5 | global | Yes | uint
authentication_ldap_simple_max_pool_size | Maximum size of the pool of connections to the LDAP server | 1000 | 1 | 32767 | global | Yes | uint
authentication_ldap_simple_server_host | LDAP server host | | | | global | Yes | string
authentication_ldap_simple_server_port | LDAP server TCP/IP port number | 389 | 1 | 65535 | global | Yes | uint
authentication_ldap_simple_ssl | Are connections by the plugin to the LDAP server using the SSL protocol (ldaps://) | OFF | | | global | Yes | bool
authentication_ldap_simple_tls | Are connections by the plugin to the LDAP server secured with STARTTLS (ldap://) | OFF | | | global | Yes | bool
authentication_ldap_simple_user_search_attr | Name of the attribute that specifies user names in LDAP directory entries | uid | | | global | Yes | string

For simple LDAP authentication, you must specify the authentication_ldap_simple plugin in the CREATE USER statement or ALTER USER statement.

CREATE USER ... IDENTIFIED WITH authentication_ldap_simple;

or

CREATE USER ... IDENTIFIED WITH authentication_ldap_simple BY 'cn=[user name],ou=[organization unit],dc=[domain component],dc=com'

Note

If you create a user with BY 'cn,ou,dc,dc', the variables below are not used:
- authentication_ldap_simple_bind_base_dn
-

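
The variables in the table above decide whether the plugin's simple bind (which sends the user's password, and the bind_root_pwd, to the directory in the clear unless ldaps:// or STARTTLS is on) is protected. The script below, an added example and not code from the Percona documentation, audits a my.cnf fragment for those settings and shows a weak configuration beside a hardened one. Host names, DNs, the CA file path, the `plugin-load-add` line and the bind password are constructed samples; treating a missing ca_path as a finding whenever TLS is enabled is this script's own policy, not something the table states. Note also that, like auth_pam, authentication_ldap_simple receives the password from the MySQL client via mysql_clear_password, so the MySQL connection should be TLS as well (REQUIRE SSL on the account).

```shell
#!/bin/sh
# Added example, not code from the Percona documentation: audit the
# authentication_ldap_simple settings in a my.cnf fragment using only the variables
# listed in the table above. Host names, DNs and passwords are constructed samples;
# treating a missing ca_path as a finding when TLS is on is this script's own policy.
set -eu

# Weak: simple bind over plain ldap:// with neither ldaps:// nor STARTTLS, so user
# passwords and the root bind password cross the network in cleartext.
INSECURE_CNF='[mysqld]
plugin-load-add=authentication_ldap_simple.so
authentication_ldap_simple_server_host=ldap.example.com
authentication_ldap_simple_server_port=389
authentication_ldap_simple_bind_base_dn=ou=people,dc=example,dc=com
authentication_ldap_simple_bind_root_dn=cn=mysql-bind,ou=svc,dc=example,dc=com
authentication_ldap_simple_bind_root_pwd=sample-bind-password
authentication_ldap_simple_ssl=OFF
authentication_ldap_simple_tls=OFF'

# Hardened: ldaps:// on 636 with a CA file so the directory's certificate is checked.
HARDENED_CNF='[mysqld]
plugin-load-add=authentication_ldap_simple.so
authentication_ldap_simple_server_host=ldap.example.com
authentication_ldap_simple_server_port=636
authentication_ldap_simple_bind_base_dn=ou=people,dc=example,dc=com
authentication_ldap_simple_bind_root_dn=cn=mysql-bind,ou=svc,dc=example,dc=com
authentication_ldap_simple_bind_root_pwd=sample-bind-password
authentication_ldap_simple_ssl=ON
authentication_ldap_simple_ca_path=/etc/ssl/certs/corp-ldap-ca.pem
authentication_ldap_simple_log_status=2'

# cnf_get "$cnf_text" NAME -> value of the last "NAME = value" line, or empty.
cnf_get() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# MySQL accepts ON/1/TRUE for boolean variables.
is_on() {
  case "$1" in
    [Oo][Nn]|1|[Tt][Rr][Uu][Ee]) return 0 ;;
    *) return 1 ;;
  esac
}

# audit_ldap_cnf "$cnf_text": prints one finding per line; exit 0 when clean, 1 otherwise.
audit_ldap_cnf() {
  cnf=$1
  findings=0
  host=$(cnf_get "$cnf" authentication_ldap_simple_server_host)
  port=$(cnf_get "$cnf" authentication_ldap_simple_server_port)
  ssl=$(cnf_get "$cnf" authentication_ldap_simple_ssl)
  tls=$(cnf_get "$cnf" authentication_ldap_simple_tls)
  ca=$(cnf_get "$cnf" authentication_ldap_simple_ca_path)
  log=$(cnf_get "$cnf" authentication_ldap_simple_log_status)

  if [ -z "$host" ]; then
    echo "authentication_ldap_simple_server_host is not set"
    findings=$((findings + 1))
  fi
  if ! is_on "$ssl" && ! is_on "$tls"; then
    echo "neither authentication_ldap_simple_ssl nor authentication_ldap_simple_tls is ON: simple bind sends passwords in cleartext"
    findings=$((findings + 1))
  fi
  if { is_on "$ssl" || is_on "$tls"; } && [ -z "$ca" ]; then
    echo "TLS is on but authentication_ldap_simple_ca_path is unset: no CA file to verify the LDAP server certificate against"
    findings=$((findings + 1))
  fi
  case "$log" in
    ''|[1-5]) ;;
    *) echo "authentication_ldap_simple_log_status=$log is outside the documented range 1..5"
       findings=$((findings + 1)) ;;
  esac
  if [ -n "$port" ] && { [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; } 2>/dev/null; then
    echo "authentication_ldap_simple_server_port=$port is outside 1..65535"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Stand-alone: audit a real file (sh audit-ldap-cnf.sh /etc/mysql/my.cnf) or the samples.
if [ -n "${1:-}" ]; then
  audit_ldap_cnf "$(cat -- "$1")"
else
  echo "== insecure sample"
  audit_ldap_cnf "$INSECURE_CNF" || true
  echo "== hardened sample"
  audit_ldap_cnf "$HARDENED_CNF" && echo "clean"
fi
```

Run it against the live my.cnf to get a non-zero exit status whenever the directory traffic would be unencrypted; the insecure sample above produces exactly one finding (no ldaps/STARTTLS) and the hardened sample none.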