This is certainly possible. See here: //www.percona.com/blog/2017/04/21/how-to-setup-and-troubleshoot-percona-pam-with-ldap-for-external-authentication/
In my environment I did not set up Samba or NSS/SSS and I did not join a Windows domain. I just treat the AD server as an LDAP endpoint. So I started from Step 9 onward in the instructions above.
EDIT: Added the instructions from the link above as suggested by AfroThundr
Install the Percona PAM plugin:
    mysql> INSTALL PLUGIN auth_pam SONAME 'auth_pam.so';
    Query OK, 0 rows affected (0.01 sec)
    mysql> INSTALL PLUGIN auth_pam_compat SONAME 'auth_pam_compat.so';
    Query OK, 0 rows affected (0.00 sec)
Configure Percona PAM to authenticate to LDAP by creating /etc/pam.d/mysqld with this content:
    auth required pam_ldap.so
    account required pam_ldap.so
Create a MySQL user that will be authenticated via auth_pam:
    mysql> CREATE USER user@'%' IDENTIFIED WITH auth_pam;
    Query OK, 0 rows affected (0.00 sec)
    mysql> GRANT ALL PRIVILEGES ON testdb.* TO user@'%';
    Query OK, 0 rows affected (0.00 sec)
    mysql> FLUSH PRIVILEGES;
    Query OK, 0 rows affected (0.00 sec)
Log in as this user and check the grants:
Also beware of AppArmor - it will block the auth attempt. You may see misleading error messages in /var/log/auth.log:
    Feb 12 13:37:36 mysqld[15164]: PAM _pam_init_handlers: no default config /etc/pam.d/other
    Feb 12 13:37:36 mysqld[15164]: PAM error reading PAM configuration file
    Feb 12 13:37:36 mysqld[15164]: PAM pam_start: failed to initialize handlers
You need to add the following to /etc/apparmor.d/local/usr.sbin.mysqld:
    #include
and reload apparmor:
    service apparmor restart
(Thanks to //bugs.launchpad.net/ubuntu/+source/squid/+bug/1608984 for leading me to the AppArmor part)
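The two things the answer above says go wrong (a /etc/pam.d/mysqld that does not route auth and account through pam_ldap.so, and the PAM init errors that AppArmor produces in /var/log/auth.log) can be checked offline. The script below is an added example, not part of the answer or of Percona's code; it takes file paths as parameters and runs against constructed sample files (the log lines are the three quoted in the answer plus an unrelated cron entry), so the temporary directory and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer: offline checks for a mysqld PAM
# service file and for the PAM init failures that AppArmor causes mysqld to
# log. Paths are parameters so the functions run against constructed samples.

# Return 0 when the PAM service file routes both the "auth" and the "account"
# stack through pam_ldap.so, as the /etc/pam.d/mysqld in the answer does.
pam_mysqld_config_ok() {
    f="$1"
    [ -r "$f" ] || return 1
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_ldap\.so' "$f" || return 1
    grep -Eq '^[[:space:]]*account[[:space:]]+[^#]*pam_ldap\.so' "$f" || return 1
}

# Print how many lines of an auth.log-format file match the three messages the
# answer quotes; together they mean mysqld could not read its PAM configuration.
pam_init_failures() {
    grep -Ec 'mysqld\[[0-9]+]: PAM (_pam_init_handlers: no default config|error reading PAM configuration file|pam_start: failed to initialize handlers)' "$1" || true
}

TMP=$(mktemp -d)                 # assumption: scratch directory for the samples
GOOD_PAM="$TMP/mysqld.good"
BAD_PAM="$TMP/mysqld.bad"
AUTH_LOG="$TMP/auth.log"

# Constructed sample: the service file from the answer, and one that still
# authenticates against local accounts only.
printf 'auth    required    pam_ldap.so\naccount required    pam_ldap.so\n' > "$GOOD_PAM"
printf 'auth    required    pam_unix.so\naccount required    pam_unix.so\n' > "$BAD_PAM"

# Constructed sample log: the three lines quoted in the answer plus an
# unrelated cron entry that must not be counted.
cat > "$AUTH_LOG" <<'EOF'
Feb 12 13:37:36 mysqld[15164]: PAM _pam_init_handlers: no default config /etc/pam.d/other
Feb 12 13:37:36 mysqld[15164]: PAM error reading PAM configuration file
Feb 12 13:37:36 mysqld[15164]: PAM pam_start: failed to initialize handlers
Feb 12 13:38:01 CRON[15170]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

if pam_mysqld_config_ok "$GOOD_PAM"; then
    echo "pam.d/mysqld: ok"
else
    echo "pam.d/mysqld: auth/account are not handled by pam_ldap.so"
fi
echo "PAM init failures in auth.log: $(pam_init_failures "$AUTH_LOG")"
```

On a real host, point pam_mysqld_config_ok at /etc/pam.d/mysqld and pam_init_failures at /var/log/auth.log; a non-zero failure count right after an LDAP login attempt is the AppArmor symptom the answer describes, and the fix is the profile include and reload shown above.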
DataSunrise for Percona Server for MySQL is a software suite with integrated Database Firewall, Data Audit, Dynamic and Static Data Masking, Sensitive Data Discovery and Regulatory Compliance Automation functionality that can be tailored to an organization's specific needs.
Supported Versions: 5.1 and higher
This software documentation is (C)2009-2018 Percona LLC and/or its affiliates and is distributed under the Creative Commons Attribution-ShareAlike 2.0 Generic license.
LDAP (Lightweight Directory Access Protocol) provides an alternative method to access existing directory servers, which maintain information about individuals, groups, and organizations.
Installation
To deploy the plugin, run the command below:
mysql> INSTALL PLUGIN authentication_ldap_simple SONAME 'authentication_ldap_simple.so';
The installation adds the variables below:
| Name | Description | Default | Minimum | Maximum | Scope | Dynamic | Type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| authentication_ldap_simple_bind_base_dn | Base distinguished name (DN) | | | | global | Yes | string |
| authentication_ldap_simple_bind_root_dn | Root distinguished name (DN) | | | | global | Yes | string |
| authentication_ldap_simple_bind_root_pwd | Password for the root distinguished name | | | | global | Yes | string |
| authentication_ldap_simple_ca_path | Absolute path of the certificate authority file | | | | global | Yes | string |
| authentication_ldap_simple_group_search_attr | Name of the attribute that specifies the group names in LDAP directory entries | CN | | | global | Yes | string |
| authentication_ldap_simple_group_search_filter | Custom group search filter | (\|(&(objectClass=posixGroup)(memberUid={UA}))(&(objectClass=group)(member={UD}))) | | | global | Yes | string |
| authentication_ldap_simple_init_pool_size | Initial size of the connection pool to the LDAP server | 10 | 1 | 32767 | global | Yes | uint |
| authentication_ldap_simple_log_status | Logging level | 1 | 1 | 5 | global | Yes | uint |
| authentication_ldap_simple_max_pool_size | Maximum size of the pool of connections to the LDAP server | 1000 | 1 | 32767 | global | Yes | uint |
| authentication_ldap_simple_server_host | LDAP server host | | | | global | Yes | string |
| authentication_ldap_simple_server_port | LDAP server TCP/IP port number | 389 | 1 | 65535 | global | Yes | uint |
| authentication_ldap_simple_ssl | Are connections by the plugin to the LDAP server using the SSL protocol (ldaps://) | OFF | | | global | Yes | bool |
| authentication_ldap_simple_tls | Are connections by the plugin to the LDAP server secured with STARTTLS (ldap://) | OFF | | | global | Yes | bool |
| authentication_ldap_simple_user_search_attr | Name of the attribute that specifies user names in LDAP directory entries | uid | | | global | Yes | string |

For simple LDAP authentication, you must specify the authentication_ldap_simple plugin in the CREATE USER statement or ALTER USER statement.
CREATE USER ... IDENTIFIED WITH authentication_ldap_simple;
or
CREATE USER ... IDENTIFIED WITH authentication_ldap_simple BY 'cn=[user name],ou=[organization unit],dc=[domain component],dc=com';
Note
If you create a user with BY 'cn,ou,dc,dc', the variables below are not used:
- authentication_ldap_simple_bind_base_dn
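The variable table above shows that authentication_ldap_simple_ssl and authentication_ldap_simple_tls both default to OFF, and that authentication_ldap_simple_ca_path is empty by default; with those defaults the plugin's simple bind carries the user's password to the LDAP server unencrypted. The script below is an added example, not part of the Percona documentation: it audits a "name<TAB>value" dump of the plugin variables (what mysql -N -e "SHOW GLOBAL VARIABLES LIKE 'authentication_ldap_simple%'" prints) and reports transport weaknesses. The sample dumps, the host ldap.example.com and the CA file path are constructed assumptions; the variable names are those from the table.

```shell
#!/bin/sh
# Added example, not part of the Percona documentation: audit the
# authentication_ldap_simple_* variables for transport weaknesses. Input is a
# tab-separated "name<TAB>value" file as produced by
#   mysql -N -e "SHOW GLOBAL VARIABLES LIKE 'authentication_ldap_simple%'"
# Constructed samples stand in for a live server.

# Print one finding per line; empty output means no transport weakness found.
audit_ldap_simple_vars() {
    awk -F'\t' '
        { v[$1] = $2 }
        END {
            ssl  = toupper(v["authentication_ldap_simple_ssl"])
            tls  = toupper(v["authentication_ldap_simple_tls"])
            ca   = v["authentication_ldap_simple_ca_path"]
            port = v["authentication_ldap_simple_server_port"]
            host = v["authentication_ldap_simple_server_host"]
            # A simple bind sends the password itself; without ldaps:// or
            # STARTTLS it crosses the network in the clear.
            if (ssl != "ON" && tls != "ON")
                print "CLEARTEXT: ssl and tls both OFF; simple bind sends passwords to " host " unencrypted"
            # Encryption without a CA file means the server certificate is
            # not checked against anything.
            if ((ssl == "ON" || tls == "ON") && ca == "")
                print "NO_CA: ssl/tls enabled but ca_path is empty; LDAP server certificate cannot be verified"
            # ldaps:// normally listens on 636; 389 with ssl=ON is most likely
            # the cleartext default left in place.
            if (ssl == "ON" && port == "389")
                print "PORT_MISMATCH: ssl=ON but server_port is still 389 (the ldap:// default)"
        }' "$1"
}

# Number of findings, for use in scripts (0 means clean).
audit_ldap_simple_count() {
    audit_ldap_simple_vars "$1" | grep -c . || true
}

TMP=$(mktemp -d)                 # assumption: scratch directory for the samples
WEAK="$TMP/defaults.tsv"
HARD="$TMP/hardened.tsv"

# Constructed sample 1: the documented defaults (ssl OFF, tls OFF, port 389).
printf '%s\t%s\n' \
    authentication_ldap_simple_bind_base_dn 'dc=example,dc=com' \
    authentication_ldap_simple_ca_path '' \
    authentication_ldap_simple_server_host ldap.example.com \
    authentication_ldap_simple_server_port 389 \
    authentication_ldap_simple_ssl OFF \
    authentication_ldap_simple_tls OFF \
    authentication_ldap_simple_user_search_attr uid > "$WEAK"

# Constructed sample 2: the same server after (all three variables are dynamic)
#   SET GLOBAL authentication_ldap_simple_ssl = ON;
#   SET GLOBAL authentication_ldap_simple_ca_path = '/etc/ssl/certs/ldap-ca.pem';
#   SET GLOBAL authentication_ldap_simple_server_port = 636;
printf '%s\t%s\n' \
    authentication_ldap_simple_bind_base_dn 'dc=example,dc=com' \
    authentication_ldap_simple_ca_path /etc/ssl/certs/ldap-ca.pem \
    authentication_ldap_simple_server_host ldap.example.com \
    authentication_ldap_simple_server_port 636 \
    authentication_ldap_simple_ssl ON \
    authentication_ldap_simple_tls OFF \
    authentication_ldap_simple_user_search_attr uid > "$HARD"

echo "defaults:"
audit_ldap_simple_vars "$WEAK"
echo "hardened: $(audit_ldap_simple_count "$HARD") finding(s)"
```

The CA path check matters as much as turning encryption on: with ssl or tls enabled but ca_path empty the connection is encrypted yet the plugin has no anchor to verify which LDAP server it is talking to.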