Re: ldap simple auth users and group
Hi Andrea,
Thanks for using LDAP authentication.
Please follow these steps:
1. Create a generic user that uses the LDAP authentication plug-in, with a generic user DN:
CREATE USER ''@'%' IDENTIFIED WITH 'authentication_ldap_simple' BY "+ou=People,dc=my-domain,dc=com";
For example, for the user DN
"uid=admin,ou=People,dc=my-domain,dc=com"
the generic user DN is:
"+ou=People,dc=my-domain,dc=com"
The prefix of the user DN is constructed from authentication_ldap_sasl_user_search_attr and the user name; the default is "uid".
As in the case above, we need to change the user search attribute to "CN", so please adjust it according to your setup.
2. Create group proxy user:
CREATE USER 'testgrp'@'localhost';
"testgrp" is the intended group name for authentication.
3. Give privileges to the group:
GRANT ALL PRIVILEGES ON *.* TO 'testgrp'@'localhost';
4. Give proxy access to all the users:
GRANT PROXY ON 'testgrp'@'localhost' TO ''@'%';
Please follow the next 2 steps if your group object holds information about its users via some attribute.
If not, we need to configure it differently; please let me know if this is the case and I will add those steps as well.
5. Please make sure your group is searchable using the default search filter; otherwise you need to configure it correctly.
The default search filter (this default works for Active Directory and OpenLDAP) is:
--authentication_ldap_sasl_group_search_filter
"(|(&(objectClass=posixGroup)(memberUid={UA}))(&(objectClass=group)(member={UD})))"
So basically, here we need to give the group object class name and the attribute name that holds user information.
Here {UA} will be replaced with the user name (like testuser),
and {UD} will be replaced with the user's full DN.
6. Please check that the group search attribute is correctly configured:
--authentication_ldap_simple_group_search_attr
The default is "cn".
Basically, this is the attribute name in the LDAP group object, and its value will be treated as the group name.
Example for group testgrp:
# testgrp, Users, ad2016.local
dn: CN=testgrp,CN=Users,DC=ad2016,DC=local
objectClass: top
objectClass: group << object class name that has the group information >>
cn: testgrp << --authentication_ldap_simple_group_search_attr should be CN >>
member: CN=test3,CN=Users,DC=ad2016,DC=local << the member attribute holds the user information, which is the user's FULL DN >>
Kind Regards
Yash
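To check step 5 offline, here is an added example (not from this post or from the MySQL plugin): it renders the default group search filter for a user and evaluates it against group entries like the one above, returning the value the group search attribute would map to. The small filter parser, the matcher and the second (posixGroup) entry are my own constructions; the filter template and the AD group entry are taken from the post.

```python
DEFAULT_GROUP_FILTER = (
    "(|(&(objectClass=posixGroup)(memberUid={UA}))"
    "(&(objectClass=group)(member={UD})))"
)

def render_filter(template, user_name, user_dn):
    """{UA} becomes the bare user name, {UD} the user's full DN."""
    return template.replace("{UA}", user_name).replace("{UD}", user_dn)

def parse_filter(s, pos=0):
    """Parse the filter subset used here: (&...), (|...) and (attr=value)."""
    if s[pos + 1] in "&|":
        op, pos, children = s[pos + 1], pos + 2, []
        while s[pos] == "(":
            child, pos = parse_filter(s, pos)
            children.append(child)
        return (op, children), pos + 1   # pos + 1 skips the closing ')'
    end = s.index(")", pos)
    attr, value = s[pos + 1:end].split("=", 1)  # a DN value keeps its own '='
    return ("=", attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against {attr_lowercase: [values]}; case-insensitive
    comparison approximates LDAP caseIgnore matching for cn, objectClass and DNs."""
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(c, entry) for c in node[1])
    _, attr, value = node
    return value.lower() in [v.lower() for v in entry.get(attr.lower(), [])]

def group_name_for(user_name, user_dn, entries,
                   template=DEFAULT_GROUP_FILTER, search_attr="cn"):
    """Return the search_attr value of the first matching group entry, or None
    (None means no group matched, so the proxy mapping would not happen)."""
    node, _ = parse_filter(render_filter(template, user_name, user_dn))
    for entry in entries:
        if matches(node, entry):
            return entry[search_attr.lower()][0]
    return None

# Constructed sample entries: the AD group from the post, plus an OpenLDAP
# posixGroup (my own addition) to exercise the other branch of the filter.
ENTRIES = [
    {"dn": ["CN=testgrp,CN=Users,DC=ad2016,DC=local"],
     "objectclass": ["top", "group"], "cn": ["testgrp"],
     "member": ["CN=test3,CN=Users,DC=ad2016,DC=local"]},
    {"dn": ["cn=devs,ou=Groups,dc=my-domain,dc=com"],
     "objectclass": ["posixGroup"], "cn": ["devs"], "memberuid": ["admin"]},
]
```

If a user you expect to map to "testgrp" comes back as None here, the group object does not match the default filter and either the filter or the group search attribute needs to be changed to suit your directory.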