These variables are unavailable unless the appropriate server-side plugin is installed:

- `authentication_ldap_sasl` for system variables with names of the form `authentication_ldap_sasl_xxx`
- `authentication_ldap_simple` for system variables with names of the form `authentication_ldap_simple_xxx`

Table 6.23 Authentication Plugin System Variable Summary
authentication_ldap_sasl_auth_method_name
Property | Value
---|---
Command-Line Format | `--authentication-ldap-sasl-auth-method-name=value`
System Variable | `authentication_ldap_sasl_auth_method_name`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | String
Default Value | `SCRAM-SHA-1`
Valid Values | `SCRAM-SHA-1`, `SCRAM-SHA-256`, `GSSAPI`
For SASL LDAP authentication, the authentication method name. Communication between the authentication plugin and the LDAP server occurs according to this authentication method to ensure password security.

These authentication method values are permitted:

- `SCRAM-SHA-1`: Use a SASL challenge-response mechanism.

  The client-side `authentication_ldap_sasl_client` plugin communicates with the SASL server, using the password to create a challenge and obtain a SASL request buffer, then passes this buffer to the server-side `authentication_ldap_sasl` plugin. The client-side and server-side SASL LDAP plugins use SASL messages for secure transmission of credentials within the LDAP protocol, to avoid sending the cleartext password between the MySQL client and server.

- `SCRAM-SHA-256`: Use a SASL challenge-response mechanism.

  This method is similar to `SCRAM-SHA-1`, but is more secure. It is available in MySQL 8.0.23 and higher. It requires an OpenLDAP server built using Cyrus SASL 2.1.27 or higher.

- `GSSAPI`: Use Kerberos, a passwordless and ticket-based protocol.

  GSSAPI/Kerberos is supported as an authentication method for MySQL clients and servers only on Linux. It is useful in Linux environments where applications access LDAP using Microsoft Active Directory, which has Kerberos enabled by default.

  The client-side `authentication_ldap_sasl_client` plugin obtains a service ticket using the ticket-granting ticket (TGT) from Kerberos, but does not use LDAP services directly. The server-side `authentication_ldap_sasl` plugin routes Kerberos messages between the client-side plugin and the LDAP server. Using the credentials thus obtained, the server-side plugin then communicates with the LDAP server to interpret LDAP authentication messages and retrieve LDAP groups.
authentication_ldap_sasl_bind_base_dn
Property | Value
---|---
Command-Line Format | `--authentication-ldap-sasl-bind-base-dn=value`
System Variable | `authentication_ldap_sasl_bind_base_dn`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | String
Default Value | `NULL`
For SASL LDAP authentication, the base distinguished name (DN). This variable can be used to limit the scope of searches by anchoring them at a certain location (the “base”) within the search tree.

Suppose that members of one set of LDAP user entries each have this form:

    uid=user_name,ou=People,dc=example,dc=com

And that members of another set of LDAP user entries each have this form:

    uid=user_name,ou=Admin,dc=example,dc=com

Then searches work like this for different base DN values:

- If the base DN is `ou=People,dc=example,dc=com`: Searches find user entries only in the first set.
- If the base DN is `ou=Admin,dc=example,dc=com`: Searches find user entries only in the second set.
- If the base DN is `dc=example,dc=com`: Searches find user entries in the first or second set.

In general, more specific base DN values result in faster searches because they limit the search scope more.
authentication_ldap_sasl_bind_root_dn
Property | Value
---|---
Command-Line Format | `--authentication-ldap-sasl-bind-root-dn=value`
System Variable | `authentication_ldap_sasl_bind_root_dn`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | String
Default Value | `NULL`
For SASL LDAP authentication, the root distinguished name (DN). This variable is used in conjunction with `authentication_ldap_sasl_bind_root_pwd` as the credentials for authenticating to the LDAP server for the purpose of performing searches. Authentication uses either one or two LDAP bind operations, depending on whether the MySQL account names an LDAP user DN:

- If the account does not name a user DN: `authentication_ldap_sasl` performs an initial LDAP binding using `authentication_ldap_sasl_bind_root_dn` and `authentication_ldap_sasl_bind_root_pwd`. (These are both empty by default, so if they are not set, the LDAP server must permit anonymous connections.) The resulting bind LDAP handle is used to search for the user DN, based on the client user name. `authentication_ldap_sasl` performs a second bind using the user DN and client-supplied password.
- If the account does name a user DN: The first bind operation is unnecessary in this case. `authentication_ldap_sasl` performs a single bind using the user DN and client-supplied password. This is faster than if the MySQL account does not specify an LDAP user DN.
authentication_ldap_sasl_bind_root_pwd
Property | Value
---|---
Command-Line Format | `--authentication-ldap-sasl-bind-root-pwd=value`
System Variable | `authentication_ldap_sasl_bind_root_pwd`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | String
Default Value | `NULL`
For SASL LDAP authentication, the password for the root distinguished name. This variable is used in conjunction with `authentication_ldap_sasl_bind_root_dn`. See the description of that variable.
authentication_ldap_sasl_ca_path
Property | Value
---|---
Command-Line Format | `--authentication-ldap-sasl-ca-path=value`
System Variable | `authentication_ldap_sasl_ca_path`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | String
Default Value | `NULL`
For SASL LDAP authentication, the absolute path of the certificate authority file. Specify this file if it is desired that the authentication plugin perform verification of the LDAP server certificate.

In addition to setting the `authentication_ldap_sasl_ca_path` variable to the file name, you must add the appropriate certificate authority certificates to the file and enable the `authentication_ldap_sasl_tls` system variable. These variables can be set to override the default OpenLDAP TLS configuration; see LDAP Pluggable Authentication and ldap.conf.
authentication_ldap_sasl_group_search_attr
Property | Value
---|---
Command-Line Format | `--authentication-ldap-sasl-group-search-attr=value`
System Variable | `authentication_ldap_sasl_group_search_attr`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | String
Default Value | `cn`
For SASL LDAP authentication, the name of the attribute that specifies group names in LDAP directory entries. If `authentication_ldap_sasl_group_search_attr` has its default value of `cn`, searches return the `cn` value as the group name. For example, if an LDAP entry with a `uid` value of `user1` has a `cn` attribute of `mygroup`, searches for `user1` return `mygroup` as the group name.

This variable should be the empty string if you want no group or proxy authentication.

If the group search attribute is `isMemberOf`, LDAP authentication directly retrieves the user attribute `isMemberOf` value and assigns it as group information. If the group search attribute is not `isMemberOf`, LDAP authentication searches for all groups where the user is a member. (The latter is the default behavior.) This behavior is based on how LDAP group information can be stored two ways: 1) A group entry can have an attribute named `memberUid` or `member` with a value that is a user name; 2) A user entry can have an attribute named `isMemberOf` with values that are group names.
authentication_ldap_sasl_group_search_filter
Property | Value
---|---
Command-Line Format | `--authentication-ldap-sasl-group-search-filter=value`
System Variable | `authentication_ldap_sasl_group_search_filter`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | String
Default Value | `(|(&(objectClass=posixGroup)(memberUid=%s))(&(objectClass=group)(member=%s)))`
For SASL LDAP authentication, the custom group search filter.

The search filter value can contain `{UA}` and `{UD}` notation to represent the user name and the full user DN. For example, `{UA}` is replaced with a user name such as `"admin"`, whereas `{UD}` is replaced with a full user DN such as `"uid=admin,ou=People,dc=example,dc=com"`. The following value is the default, which supports both OpenLDAP and Active Directory:

    (|(&(objectClass=posixGroup)(memberUid={UA}))(&(objectClass=group)(member={UD})))

In some cases for the user scenario, `memberOf` is a simple user attribute that holds no group information. For additional flexibility, an optional `{GA}` prefix can be used with the group search attribute. Any group attribute with a `{GA}` prefix is treated as a user attribute having group names. For example, with a value of `{GA}MemberOf`, if the group value is the DN, the first attribute value from the group DN is returned as the group name.
authentication_ldap_sasl_init_pool_size
Property | Value
---|---
Command-Line Format | `--authentication-ldap-sasl-init-pool-size=#`
System Variable | `authentication_ldap_sasl_init_pool_size`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | Integer
Default Value | 10
Minimum Value | 0
Maximum Value | 32767
For SASL LDAP authentication, the initial size of the pool of connections to the LDAP server. Choose the value for this variable based on the average number of concurrent authentication requests to the LDAP server.

The plugin uses `authentication_ldap_sasl_init_pool_size` and `authentication_ldap_sasl_max_pool_size` together for connection-pool management:

- When the authentication plugin initializes, it creates `authentication_ldap_sasl_init_pool_size` connections, unless `authentication_ldap_sasl_max_pool_size=0` to disable pooling.
- If the plugin receives an authentication request when there are no free connections in the current connection pool, the plugin can create a new connection, up to the maximum connection pool size given by `authentication_ldap_sasl_max_pool_size`.
- If the plugin receives a request when the pool size is already at its maximum and there are no free connections, authentication fails.
- When the plugin unloads, it closes all pooled connections.

Changes to plugin system variable settings may have no effect on connections already in the pool. For example, modifying the LDAP server host, port, or TLS settings does not affect existing connections. However, if the original variable values were invalid and the connection pool could not be initialized, the plugin attempts to reinitialize the pool for the next LDAP request. In this case, the new system variable values are used for the reinitialization attempt.

If `authentication_ldap_sasl_max_pool_size=0` to disable pooling, each LDAP connection opened by the plugin uses the values the system variables have at that time.
authentication_ldap_sasl_log_status
Property | Value
---|---
Command-Line Format | `--authentication-ldap-sasl-log-status=#`
System Variable | `authentication_ldap_sasl_log_status`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | Integer
Default Value | 1
Minimum Value | 1
Maximum Value (≥ 8.0.18) | 6
Maximum Value (≤ 8.0.17) | 5
For SASL LDAP authentication, the logging level for messages written to the error log. The following table shows the permitted level values and their meanings.

Table 6.24 Log Levels for authentication_ldap_sasl_log_status

Option Value | Types of Messages Logged
---|---
1 |
2 |
3 |
4 |
5 |
6 |

Log level 6 is available as of MySQL 8.0.18.

On the client side, messages can be logged to the standard output by setting the `AUTHENTICATION_LDAP_CLIENT_LOG` environment variable. The permitted and default values are the same as for `authentication_ldap_sasl_log_status`.

The `AUTHENTICATION_LDAP_CLIENT_LOG` environment variable applies only to SASL LDAP authentication. It has no effect for simple LDAP authentication because the client plugin in that case is `mysql_clear_password`, which knows nothing about LDAP operations.
authentication_ldap_sasl_max_pool_size
Property | Value
---|---
Command-Line Format | `--authentication-ldap-sasl-max-pool-size=#`
System Variable | `authentication_ldap_sasl_max_pool_size`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | Integer
Default Value | 1000
Minimum Value | 0
Maximum Value | 32767
For SASL LDAP authentication, the maximum size of the pool of connections to the LDAP server. To disable connection pooling, set this variable to 0.

This variable is used in conjunction with `authentication_ldap_sasl_init_pool_size`. See the description of that variable.
authentication_ldap_sasl_referral
Property | Value
---|---
Command-Line Format | `--authentication-ldap-sasl-referral[={OFF|ON}]`
Introduced | 8.0.20
System Variable | `authentication_ldap_sasl_referral`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | Boolean
Default Value | `OFF`
For SASL LDAP authentication, whether to enable LDAP search referral. See LDAP Search Referral.

This variable can be set to override the default OpenLDAP referral configuration; see LDAP Pluggable Authentication and ldap.conf.
authentication_ldap_sasl_server_host
Property | Value
---|---
Command-Line Format | `--authentication-ldap-sasl-server-host=host_name`
System Variable | `authentication_ldap_sasl_server_host`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | String
For SASL LDAP authentication, the LDAP server host. The permitted values for this variable depend on the authentication method:

- For `authentication_ldap_sasl_auth_method_name=SCRAM-SHA-1`: The LDAP server host can be a host name or IP address.
- For `authentication_ldap_sasl_auth_method_name=SCRAM-SHA-256`: The LDAP server host can be a host name or IP address.
authentication_ldap_sasl_server_port
Property | Value
---|---
Command-Line Format | `--authentication-ldap-sasl-server-port=port_num`
System Variable | `authentication_ldap_sasl_server_port`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | Integer
Default Value | 389
Minimum Value | 1
Maximum Value | 32376
For SASL LDAP authentication, the LDAP server TCP/IP port number.

As of MySQL 8.0.14, if the LDAP port number is configured as 636 or 3269, the plugin uses LDAPS (LDAP over SSL) instead of LDAP. (LDAPS differs from `startTLS`.)
authentication_ldap_sasl_tls

Property | Value
---|---
Command-Line Format | `--authentication-ldap-sasl-tls[={OFF|ON}]`
System Variable | `authentication_ldap_sasl_tls`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | Boolean
Default Value | `OFF`
For SASL LDAP authentication, whether connections by the plugin to the LDAP server are secure. If this variable is enabled, the plugin uses TLS to connect securely to the LDAP server. This variable can be set to override the default OpenLDAP TLS configuration; see LDAP Pluggable Authentication and ldap.conf. If you enable this variable, you may also wish to set the `authentication_ldap_sasl_ca_path` variable.

MySQL LDAP plugins support the StartTLS method, which initializes TLS on top of a plain LDAP connection.

As of MySQL 8.0.14, LDAPS can be used by setting the `authentication_ldap_sasl_server_port` system variable.
authentication_ldap_sasl_user_search_attr
Property | Value
---|---
Command-Line Format | `--authentication-ldap-sasl-user-search-attr=value`
System Variable | `authentication_ldap_sasl_user_search_attr`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | String
Default Value | `uid`
For SASL LDAP authentication, the name of the attribute that specifies user names in LDAP directory entries. If a user distinguished name is not provided, the authentication plugin searches for the name using this attribute. For example, if the `authentication_ldap_sasl_user_search_attr` value is `uid`, a search for the user name `user1` finds entries with a `uid` value of `user1`.
authentication_ldap_simple_auth_method_name
Property | Value
---|---
Command-Line Format | `--authentication-ldap-simple-auth-method-name=value`
System Variable | `authentication_ldap_simple_auth_method_name`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | String
Default Value | `SIMPLE`
Valid Values | `SIMPLE`, `AD-FOREST`
For simple LDAP authentication, the authentication method name. Communication between the authentication plugin and the LDAP server occurs according to this authentication method.

For all simple LDAP authentication methods, it is recommended to also set TLS parameters to require that communication with the LDAP server take place over secure connections.

These authentication method values are permitted:

- `SIMPLE`: Use simple LDAP authentication. This method uses either one or two LDAP bind operations, depending on whether the MySQL account names an LDAP user distinguished name. See the description of `authentication_ldap_simple_bind_root_dn`.
- `AD-FOREST`: A variation on `SIMPLE`, such that authentication searches all domains in the Active Directory forest, performing an LDAP bind to each Active Directory domain until the user is found in some domain.
authentication_ldap_simple_bind_base_dn
Property | Value
---|---
Command-Line Format | `--authentication-ldap-simple-bind-base-dn=value`
System Variable | `authentication_ldap_simple_bind_base_dn`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | String
Default Value | `NULL`
For simple LDAP authentication, the base distinguished name (DN). This variable can be used to limit the scope of searches by anchoring them at a certain location (the “base”) within the search tree.

Suppose that members of one set of LDAP user entries each have this form:

    uid=user_name,ou=People,dc=example,dc=com

And that members of another set of LDAP user entries each have this form:

    uid=user_name,ou=Admin,dc=example,dc=com

Then searches work like this for different base DN values:

- If the base DN is `ou=People,dc=example,dc=com`: Searches find user entries only in the first set.
- If the base DN is `ou=Admin,dc=example,dc=com`: Searches find user entries only in the second set.
- If the base DN is `dc=example,dc=com`: Searches find user entries in the first or second set.

In general, more specific base DN values result in faster searches because they limit the search scope more.
authentication_ldap_simple_bind_root_dn
Property | Value
---|---
Command-Line Format | `--authentication-ldap-simple-bind-root-dn=value`
System Variable | `authentication_ldap_simple_bind_root_dn`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | String
Default Value | `NULL`
For simple LDAP authentication, the root distinguished name (DN). This variable is used in conjunction with `authentication_ldap_simple_bind_root_pwd` as the credentials for authenticating to the LDAP server for the purpose of performing searches. Authentication uses either one or two LDAP bind operations, depending on whether the MySQL account names an LDAP user DN:

- If the account does not name a user DN: `authentication_ldap_simple` performs an initial LDAP binding using `authentication_ldap_simple_bind_root_dn` and `authentication_ldap_simple_bind_root_pwd`. (These are both empty by default, so if they are not set, the LDAP server must permit anonymous connections.) The resulting bind LDAP handle is used to search for the user DN, based on the client user name. `authentication_ldap_simple` performs a second bind using the user DN and client-supplied password.
- If the account does name a user DN: The first bind operation is unnecessary in this case. `authentication_ldap_simple` performs a single bind using the user DN and client-supplied password. This is faster than if the MySQL account does not specify an LDAP user DN.
authentication_ldap_simple_bind_root_pwd
Property | Value
---|---
Command-Line Format | `--authentication-ldap-simple-bind-root-pwd=value`
System Variable | `authentication_ldap_simple_bind_root_pwd`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | String
Default Value | `NULL`
For simple LDAP authentication, the password for the root distinguished name. This variable is used in conjunction with `authentication_ldap_simple_bind_root_dn`. See the description of that variable.
authentication_ldap_simple_ca_path
Property | Value
---|---
Command-Line Format | `--authentication-ldap-simple-ca-path=value`
System Variable | `authentication_ldap_simple_ca_path`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | String
Default Value | `NULL`
For simple LDAP authentication, the absolute path of the certificate authority file. Specify this file if it is desired that the authentication plugin perform verification of the LDAP server certificate.

In addition to setting the `authentication_ldap_simple_ca_path` variable to the file name, you must add the appropriate certificate authority certificates to the file and enable the `authentication_ldap_simple_tls` system variable. These variables can be set to override the default OpenLDAP TLS configuration; see LDAP Pluggable Authentication and ldap.conf.
authentication_ldap_simple_group_search_attr
Property | Value
---|---
Command-Line Format | `--authentication-ldap-simple-group-search-attr=value`
System Variable | `authentication_ldap_simple_group_search_attr`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | String
Default Value | `cn`
For simple LDAP authentication, the name of the attribute that specifies group names in LDAP directory entries. If `authentication_ldap_simple_group_search_attr` has its default value of `cn`, searches return the `cn` value as the group name. For example, if an LDAP entry with a `uid` value of `user1` has a `cn` attribute of `mygroup`, searches for `user1` return `mygroup` as the group name.

If the group search attribute is `isMemberOf`, LDAP authentication directly retrieves the user attribute `isMemberOf` value and assigns it as group information. If the group search attribute is not `isMemberOf`, LDAP authentication searches for all groups where the user is a member. (The latter is the default behavior.) This behavior is based on how LDAP group information can be stored two ways: 1) A group entry can have an attribute named `memberUid` or `member` with a value that is a user name; 2) A user entry can have an attribute named `isMemberOf` with values that are group names.
authentication_ldap_simple_group_search_filter
Property | Value
---|---
Command-Line Format | `--authentication-ldap-simple-group-search-filter=value`
System Variable | `authentication_ldap_simple_group_search_filter`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | String
Default Value | `(|(&(objectClass=posixGroup)(memberUid=%s))(&(objectClass=group)(member=%s)))`
For simple LDAP authentication, the custom group search filter.

The search filter value can contain `{UA}` and `{UD}` notation to represent the user name and the full user DN. For example, `{UA}` is replaced with a user name such as `"admin"`, whereas `{UD}` is replaced with a full user DN such as `"uid=admin,ou=People,dc=example,dc=com"`. The following value is the default, which supports both OpenLDAP and Active Directory:

    (|(&(objectClass=posixGroup)(memberUid={UA}))(&(objectClass=group)(member={UD})))

In some cases for the user scenario, `memberOf` is a simple user attribute that holds no group information. For additional flexibility, an optional `{GA}` prefix can be used with the group search attribute. Any group attribute with a `{GA}` prefix is treated as a user attribute having group names. For example, with a value of `{GA}MemberOf`, if the group value is the DN, the first attribute value from the group DN is returned as the group name.
authentication_ldap_simple_init_pool_size
Property | Value
---|---
Command-Line Format | `--authentication-ldap-simple-init-pool-size=#`
System Variable | `authentication_ldap_simple_init_pool_size`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | Integer
Default Value | 10
Minimum Value | 0
Maximum Value | 32767
For simple LDAP authentication, the initial size of the pool of connections to the LDAP server. Choose the value for this variable based on the average number of concurrent authentication requests to the LDAP server.

The plugin uses `authentication_ldap_simple_init_pool_size` and `authentication_ldap_simple_max_pool_size` together for connection-pool management:

- When the authentication plugin initializes, it creates `authentication_ldap_simple_init_pool_size` connections, unless `authentication_ldap_simple_max_pool_size=0` to disable pooling.
- If the plugin receives an authentication request when there are no free connections in the current connection pool, the plugin can create a new connection, up to the maximum connection pool size given by `authentication_ldap_simple_max_pool_size`.
- If the plugin receives a request when the pool size is already at its maximum and there are no free connections, authentication fails.
- When the plugin unloads, it closes all pooled connections.

Changes to plugin system variable settings may have no effect on connections already in the pool. For example, modifying the LDAP server host, port, or TLS settings does not affect existing connections. However, if the original variable values were invalid and the connection pool could not be initialized, the plugin attempts to reinitialize the pool for the next LDAP request. In this case, the new system variable values are used for the reinitialization attempt.

If `authentication_ldap_simple_max_pool_size=0` to disable pooling, each LDAP connection opened by the plugin uses the values the system variables have at that time.
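The pooling rules listed for the `*_init_pool_size` and `*_max_pool_size` variables (this section and its SASL counterpart above), as an added example that is not the MySQL plugin's code: a small model in which `LdapConnectionPool` takes the two sizes, `acquire()` fails exactly where the description says authentication fails, and `simulate()` runs a burst of concurrent requests and reports how many connections were created and how many requests failed. The class names, the `settings` dictionary and the sample numbers are constructed for the illustration; the model also shows why a connection keeps the host/port/TLS values in force when it was opened.

```python
"""Added example, not the MySQL plugin's code: a model of the connection-pool
rules given for init_pool_size / max_pool_size, on concrete numbers."""


class PoolExhausted(Exception):
    """Raised where the plugin would fail authentication: pool at its maximum
    and no free connection."""


class LdapConnection:
    def __init__(self, settings):
        # A connection copies the settings in force when it is opened; later
        # changes to host/port/TLS variables do not reach it.
        self.settings = dict(settings)


class LdapConnectionPool:
    def __init__(self, init_pool_size, max_pool_size, settings):
        if not (0 <= init_pool_size <= 32767 and 0 <= max_pool_size <= 32767):
            raise ValueError("pool sizes are 0..32767")
        self.max_pool_size = max_pool_size
        self.settings = settings          # shared, mutable: stands for the live variables
        self.free = []
        self.in_use = 0
        # max_pool_size=0 disables pooling: nothing is pre-created.
        if max_pool_size > 0:
            self.free = [LdapConnection(settings) for _ in range(init_pool_size)]

    @property
    def size(self):
        return len(self.free) + self.in_use

    def acquire(self):
        if self.max_pool_size == 0:
            # No pooling: a fresh connection with the variables' current values.
            self.in_use += 1
            return LdapConnection(self.settings)
        if self.free:
            self.in_use += 1
            return self.free.pop()
        if self.size < self.max_pool_size:
            # No free connection, but room to grow: open one more.
            self.in_use += 1
            return LdapConnection(self.settings)
        raise PoolExhausted("no free connection and pool is at its maximum")

    def release(self, conn):
        self.in_use -= 1
        if self.max_pool_size > 0:
            self.free.append(conn)

    def close_all(self):
        """What plugin unload does: close every pooled connection."""
        self.free.clear()


def simulate(init_pool_size, max_pool_size, concurrent_requests):
    """Drive `concurrent_requests` simultaneous authentications and return
    (connections created in total, requests that failed)."""
    settings = {"host": "ldap.example.com", "port": 389}    # constructed values
    pool = LdapConnectionPool(init_pool_size, max_pool_size, settings)
    held, failed = [], 0
    for _ in range(concurrent_requests):
        try:
            held.append(pool.acquire())
        except PoolExhausted:
            failed += 1
    created = pool.size if max_pool_size > 0 else len(held)
    for conn in held:
        pool.release(conn)
    pool.close_all()
    return created, failed


if __name__ == "__main__":
    print(simulate(10, 1000, 15))   # grows from 10 to 15, nothing fails
    print(simulate(2, 3, 5))        # capped at 3, two requests fail
```

With the defaults (10 initial, 1000 maximum) a burst of 15 requests simply grows the pool to 15; with a maximum of 3 the same pool turns away two of five concurrent requests, which is the failure mode to size against when choosing `init_pool_size` from the average concurrency.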
authentication_ldap_simple_log_status
Property | Value
---|---
Command-Line Format | `--authentication-ldap-simple-log-status=#`
System Variable | `authentication_ldap_simple_log_status`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | Integer
Default Value | 1
Minimum Value | 1
Maximum Value (≥ 8.0.18) | 6
Maximum Value (≤ 8.0.17) | 5
For simple LDAP authentication, the logging level for messages written to the error log. The following table shows the permitted level values and their meanings.

Table 6.25 Log Levels for authentication_ldap_simple_log_status

Option Value | Types of Messages Logged
---|---
1 |
2 |
3 |
4 |
5 |
6 |

Log level 6 is available as of MySQL 8.0.18.
authentication_ldap_simple_max_pool_size
Property | Value
---|---
Command-Line Format | `--authentication-ldap-simple-max-pool-size=#`
System Variable | `authentication_ldap_simple_max_pool_size`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | Integer
Default Value | 1000
Minimum Value | 0
Maximum Value | 32767
For simple LDAP authentication, the maximum size of the pool of connections to the LDAP server. To disable connection pooling, set this variable to 0.

This variable is used in conjunction with `authentication_ldap_simple_init_pool_size`. See the description of that variable.
authentication_ldap_simple_referral
Property | Value
---|---
Command-Line Format | `--authentication-ldap-simple-referral[={OFF|ON}]`
Introduced | 8.0.20
System Variable | `authentication_ldap_simple_referral`
Scope | Global
Dynamic | Yes
SET_VAR Hint Applies | No
Type | Boolean
Default Value | `OFF`
For simple LDAP authentication, whether to enable LDAP search referral. See LDAP Search Referral.对于简单的LDAP身份验证,是否启用LDAP搜索引用。请参阅LDAP搜索引用。
authentication_ldap_simple_server_host
Property | Value |
---|---|
Command-Line Format | --authentication-ldap-simple-server-host=host_name |
System Variable | authentication_ldap_simple_server_host |
Scope | Global |
Dynamic | Yes |
SET_VAR Hint Applies | No |
Type | String |
For simple LDAP authentication, the LDAP server host. The permitted values for this variable depend on the authentication method:
- For authentication_ldap_simple_auth_method_name=SIMPLE: The LDAP server host can be a host name or IP address.
- For authentication_ldap_simple_auth_method_name=AD-FOREST: The LDAP server host can be an Active Directory domain name. For example, for an LDAP server URL of ldap://example.mem.local:389, the domain name can be mem.local.
An Active Directory forest setup can have multiple domains (LDAP server IPs), which can be discovered using DNS. On Unix and Unix-like systems, some additional setup may be required to configure your DNS server with SRV records that specify the LDAP servers for the Active Directory domain. For information about DNS SRV, see RFC 2782.
Suppose that your configuration has these properties:
- The name server that provides information about Active Directory domains has IP address 10.172.166.100.
- The LDAP servers have names ldap1.mem.local through ldap3.mem.local and IP addresses 10.172.166.101 through 10.172.166.103.
- You want the LDAP servers to be discoverable using SRV searches. For example, at the command line, a command like this should list the LDAP servers:

```
host -t SRV _ldap._tcp.mem.local
```

Perform the DNS configuration as follows:
1. Add a line to /etc/resolv.conf to specify the name server that provides information about Active Directory domains:

```
nameserver 10.172.166.100
```

2. Configure the appropriate zone file for the name server with SRV records for the LDAP servers:

```
_ldap._tcp.mem.local. 86400 IN SRV 0 100 389 ldap1.mem.local.
_ldap._tcp.mem.local. 86400 IN SRV 0 100 389 ldap2.mem.local.
_ldap._tcp.mem.local. 86400 IN SRV 0 100 389 ldap3.mem.local.
```

3. It may also be necessary to specify the IP address for the LDAP servers in /etc/hosts if the server host cannot be resolved. For example, add lines like this to the file:

```
10.172.166.101 ldap1.mem.local
10.172.166.102 ldap2.mem.local
10.172.166.103 ldap3.mem.local
```

With the DNS configured as just described, the server-side LDAP plugin can discover the LDAP servers and tries to authenticate in all domains until authentication succeeds or there are no more servers.
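To make the discovery step above concrete, here is an added example (not MySQL's own code) that parses the zone-file SRV records shown, orders the targets as RFC 2782 prescribes, and applies the port rule of authentication_ldap_simple_server_port (636 or 3269 means LDAPS). The plugin's actual server-selection order is not documented on this page; the RFC ordering and the fixed random seed are assumptions made for the example.

```python
import random
import re

# Constructed sample input: the three zone-file SRV records from the configuration above.
ZONE_RECORDS = """
_ldap._tcp.mem.local. 86400 IN SRV 0 100 389 ldap1.mem.local.
_ldap._tcp.mem.local. 86400 IN SRV 0 100 389 ldap2.mem.local.
_ldap._tcp.mem.local. 86400 IN SRV 0 100 389 ldap3.mem.local.
"""

SRV_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_srv(zone_text):
    """Return (priority, weight, port, target) tuples; non-SRV lines are skipped."""
    records = []
    for line in zone_text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            prio, weight, port, target = m.groups()
            records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def order_srv(records, rng=None):
    """Order records as RFC 2782 prescribes: lowest priority first; within one priority,
    weighted random selection (weight-0 records are listed first so they are seldom picked)."""
    rng = rng or random.Random(0)  # fixed seed only so the example is reproducible (assumption)
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = sorted((r for r in records if r[0] == prio), key=lambda r: r[1] != 0)
        while group:
            pick = rng.randint(0, sum(r[1] for r in group))
            running = 0
            for rec in group:  # first record whose running weight reaches the pick wins
                running += rec[1]
                if running >= pick:
                    break
            ordered.append(rec)
            group.remove(rec)
    return ordered


def ldap_url(host, port):
    """Ports 636 and 3269 select LDAPS (MySQL 8.0.14 and later); any other port is plain LDAP."""
    return f"{'ldaps' if port in (636, 3269) else 'ldap'}://{host}:{port}"


def discover_ldap_servers(zone_text, rng=None):
    """The ordered candidate list a discovery step would try until one server authenticates."""
    return [ldap_url(t, p) for _, _, p, t in order_srv(parse_srv(zone_text), rng)]
```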
Windows needs no such settings as just described. Given the LDAP server host in the authentication_ldap_simple_server_host value, the Windows LDAP library searches all domains and attempts to authenticate.
authentication_ldap_simple_server_port
Property | Value |
---|---|
Command-Line Format | --authentication-ldap-simple-server-port=port_num |
System Variable | authentication_ldap_simple_server_port |
Scope | Global |
Dynamic | Yes |
SET_VAR Hint Applies | No |
Type | Integer |
Default Value | 389 |
Minimum Value | 1 |
Maximum Value | 32376 |
For simple LDAP authentication, the LDAP server TCP/IP port number.
As of MySQL 8.0.14, if the LDAP port number is configured as 636 or 3269, the plugin uses LDAPS (LDAP over SSL) instead of LDAP. (LDAPS differs from startTLS.)
authentication_ldap_simple_tls
Property | Value |
---|---|
Command-Line Format | --authentication-ldap-simple-tls[={OFF|ON}] |
System Variable | authentication_ldap_simple_tls |
Scope | Global |
Dynamic | Yes |
SET_VAR Hint Applies | No |
Type | Boolean |
Default Value | OFF |
For simple LDAP authentication, whether connections by the plugin to the LDAP server are secure. If this variable is enabled, the plugin uses TLS to connect securely to the LDAP server. This variable can be set to override the default OpenLDAP TLS configuration; see LDAP Pluggable Authentication and ldap.conf. If you enable this variable, you may also wish to set the authentication_ldap_simple_ca_path variable.
MySQL LDAP plugins support the StartTLS method, which initializes TLS on top of a plain LDAP connection.
As of MySQL 8.0.14, LDAPS can be used by setting the authentication_ldap_simple_server_port system variable.
authentication_ldap_simple_user_search_attr
Property | Value |
---|---|
Command-Line Format | --authentication-ldap-simple-user-search-attr=value |
System Variable | authentication_ldap_simple_user_search_attr |
Scope | Global |
Dynamic | Yes |
SET_VAR Hint Applies | No |
Type | String |
Default Value | uid |
For simple LDAP authentication, the name of the attribute that specifies user names in LDAP directory entries. If a user distinguished name is not provided, the authentication plugin searches for the name using this attribute. For example, if the authentication_ldap_simple_user_search_attr value is uid, a search for the user name user1 finds entries with a uid value of user1.
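The lookup just described amounts to an LDAP equality filter such as (uid=user1). As an added example (not the plugin's own code, whose filter construction this page does not show), the following builds that filter with the configured attribute name validated and the client-supplied user name escaped per RFC 4515, so a name containing filter metacharacters is matched literally rather than altering the search.

```python
import re

# RFC 4515 escapes for the characters that carry meaning inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a client-supplied value so it is matched literally, never parsed as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(search_attr, user_name):
    """Build the equality filter for the user-name lookup, e.g. (uid=user1).

    The attribute name comes from server configuration (authentication_ldap_simple_user_search_attr),
    so it is validated against the attribute-name grammar; the user name comes from the
    client and is escaped. Function names here are illustrative, not MySQL's."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", search_attr):
        raise ValueError(f"invalid attribute name: {search_attr!r}")
    return f"({search_attr}={escape_filter_value(user_name)})"
```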