6.4.1.7 LDAP Pluggable Authentication

Note

LDAP pluggable authentication is an extension included in MySQL Enterprise Edition, a commercial product. To learn more about commercial products, see https://www.mysql.com/products/.

MySQL Enterprise Edition supports an authentication method that enables MySQL Server to use LDAP (Lightweight Directory Access Protocol) to authenticate MySQL users by accessing directory services such as X.500. MySQL uses LDAP to fetch user, credential, and group information.

LDAP pluggable authentication provides these capabilities:

The following tables show the plugin and library file names for simple and SASL-based LDAP authentication. The file name suffix might differ on your system. The files must be located in the directory named by the plugin_dir system variable.

Table 6.18 Plugin and Library Names for Simple LDAP Authentication

  Plugin or File             Plugin or File Name
  Server-side plugin name    authentication_ldap_simple
  Client-side plugin name    mysql_clear_password
  Library file name          authentication_ldap_simple.so

Table 6.19 Plugin and Library Names for SASL-Based LDAP Authentication

  Plugin or File             Plugin or File Name
  Server-side plugin name    authentication_ldap_sasl
  Client-side plugin name    authentication_ldap_sasl_client
  Library file names         authentication_ldap_sasl.so, authentication_ldap_sasl_client.so

The library files include only the authentication_ldap_XXX authentication plugins. The client-side mysql_clear_password plugin is built into the libmysqlclient client library.

Each server-side LDAP plugin works with a specific client-side plugin:

  • The server-side authentication_ldap_simple plugin works with the client-side mysql_clear_password plugin.

  • The server-side authentication_ldap_sasl plugin works with the client-side authentication_ldap_sasl_client plugin.

The following sections provide installation and usage information specific to LDAP pluggable authentication:

For general information about pluggable authentication in MySQL, see Section 6.2.17, “Pluggable Authentication”. For information about the mysql_clear_password plugin, see Section 6.4.1.4, “Client-Side Cleartext Pluggable Authentication”. For proxy user information, see Section 6.2.18, “Proxy Users”.

Note

If your system supports PAM and permits LDAP as a PAM authentication method, another way to use LDAP for MySQL user authentication is to use the server-side authentication_pam plugin. See Section 6.4.1.5, “PAM Pluggable Authentication”.

Prerequisites for LDAP Pluggable Authentication

To use LDAP pluggable authentication for MySQL, these prerequisites must be satisfied:

  • An LDAP server must be available for the LDAP authentication plugins to communicate with.

  • LDAP users to be authenticated by MySQL must be present in the directory managed by the LDAP server.

  • An LDAP client library must be available on systems where the server-side authentication_ldap_sasl or authentication_ldap_simple plugin is used. Currently, the supported libraries are the Windows native LDAP library, or the OpenLDAP library on non-Windows systems.

  • To use SASL-based LDAP authentication:

    • The LDAP server must be configured to communicate with a SASL server.

    • A SASL client library must be available on systems where the client-side authentication_ldap_sasl_client plugin is used. Currently, the only supported library is the Cyrus SASL library.

    • To use a particular SASL authentication method, any other services required by that method must be available. For example, to use GSSAPI/Kerberos, a GSSAPI library and Kerberos services must be available.

How LDAP Authentication of MySQL Users Works

This section provides a general overview of how MySQL and LDAP work together to authenticate MySQL users. For examples showing how to set up MySQL accounts to use specific LDAP authentication plugins, see Using LDAP Pluggable Authentication. For information about authentication methods available to the LDAP plugins, see LDAP Authentication Methods.

The client connects to the MySQL server, providing the MySQL client user name and a password:

  • For simple LDAP authentication, the client-side and server-side plugins communicate the password as cleartext. A secure connection between the MySQL client and server is recommended to prevent password exposure.

  • For SASL-based LDAP authentication, the client-side and server-side plugins avoid sending the cleartext password between the MySQL client and server. For example, the plugins might use SASL messages for secure transmission of credentials within the LDAP protocol. For the GSSAPI authentication method, the client-side and server-side plugins communicate securely using Kerberos without using LDAP messages directly.

If the client user name and host name match no MySQL account, the connection is rejected.

If there is a matching MySQL account, authentication against LDAP occurs. The LDAP server looks for an entry matching the user and authenticates the entry against the LDAP password:

  • If the MySQL account names an LDAP user distinguished name (DN), LDAP authentication uses that value and the LDAP password provided by the client. (To associate an LDAP user DN with a MySQL account, include a BY clause that specifies an authentication string in the CREATE USER statement that creates the account.)

  • If the MySQL account names no LDAP user DN, LDAP authentication uses the user name and LDAP password provided by the client. In this case, the authentication plugin first binds to the LDAP server using the root DN and password as credentials to find the user DN based on the client user name, then authenticates that user DN against the LDAP password. This bind using the root credentials fails if the root DN and password are set to incorrect values, or are empty (not set) and the LDAP server does not permit anonymous connections.

If the LDAP server finds no match or multiple matches, authentication fails and the client connection is rejected.

If the LDAP server finds a single match, LDAP authentication succeeds (assuming that the password is correct), the LDAP server returns the LDAP entry, and the authentication plugin determines the name of the authenticated user based on that entry:

  • If the LDAP entry has a group attribute (by default, the cn attribute), the plugin returns its value as the authenticated user name.

  • If the LDAP entry has no group attribute, the authentication plugin returns the client user name as the authenticated user name.

The MySQL server compares the client user name with the authenticated user name to determine whether proxying occurs for the client session:

  • If the names are the same, no proxying occurs: the MySQL account matching the client user name is used for privilege checking.

  • If the names differ, proxying occurs: MySQL looks for an account matching the authenticated user name. That account becomes the proxied user, which is used for privilege checking. The MySQL account that matched the client user name is treated as the external proxy user.
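The decision procedure just described (account match, DN lookup via the root bind, single-match rule, group attribute, proxy decision) is easy to misread when troubleshooting a failed login, so here it is as an executable model. This is an added example, not code from MySQL or the LDAP plugins: the directory server, the accounts, the root bind credentials and the passwords are constructed in-memory test data, and the matching rules (exact user before the anonymous ''@'%' account, host matching '%' as a wildcard, the proxied account looked up with the client's host) are this example's simplifications of MySQL's account matching.

```python
from dataclasses import dataclass


@dataclass
class LdapEntry:
    dn: str
    attrs: dict       # e.g. {"uid": "basha", "cn": "accounting"}
    password: str     # constructed test data; a real directory stores a hash


class FakeLdapServer:
    """Constructed stand-in for a directory: supports bind and a one-attribute search."""

    def __init__(self, entries, allow_anonymous=False):
        self.entries = {e.dn: e for e in entries}
        self.allow_anonymous = allow_anonymous

    def bind(self, dn, password):
        if not dn and not password:          # empty credentials = anonymous bind
            return self.allow_anonymous
        e = self.entries.get(dn)
        return e is not None and e.password == password

    def search(self, base_dn, attr, value):
        return [e for e in self.entries.values()
                if e.dn.endswith(base_dn) and e.attrs.get(attr) == value]


@dataclass
class PluginConfig:
    bind_base_dn: str
    user_search_attr: str = "uid"   # authentication_ldap_*_user_search_attr
    group_attr: str = "cn"          # default group attribute named in the text
    bind_root_dn: str = ""          # credentials for the user-DN lookup; empty = anonymous
    bind_root_pwd: str = ""


@dataclass
class MysqlAccount:
    user: str
    host: str
    plugin: str
    auth_string: str = ""   # LDAP user DN from the BY/AS clause, "" if none


@dataclass
class AuthResult:
    ok: bool
    reason: str
    authenticated_user: str = ""
    effective_account: str = ""   # "user@host" used for privilege checking
    proxied: bool = False


def match_account(accounts, user, host):
    """Exact user match first; an anonymous account ('' user) matches any client user."""
    for want_user in (user, ""):
        for a in accounts:
            if a.user == want_user and a.host in (host, "%"):
                return a
    return None


def authenticate(accounts, ldap, cfg, client_user, client_host, password):
    account = match_account(accounts, client_user, client_host)
    if account is None:
        return AuthResult(False, "no matching MySQL account")

    if account.auth_string:
        user_dn = account.auth_string            # DN named by the account
    else:
        # No DN on the account: bind with the root credentials, then search by client user name
        if not ldap.bind(cfg.bind_root_dn, cfg.bind_root_pwd):
            return AuthResult(False, "root bind failed")
        matches = ldap.search(cfg.bind_base_dn, cfg.user_search_attr, client_user)
        if len(matches) != 1:                    # zero or several matches both reject
            return AuthResult(False, f"{len(matches)} LDAP entries match {client_user!r}")
        user_dn = matches[0].dn

    if not ldap.bind(user_dn, password):
        return AuthResult(False, "LDAP password check failed")
    entry = ldap.entries[user_dn]

    # Authenticated user name: the group attribute if present, else the client user name
    authenticated = entry.attrs.get(cfg.group_attr, client_user)
    if authenticated == client_user:
        return AuthResult(True, "no proxying", authenticated, f"{account.user}@{account.host}")
    proxied = match_account([a for a in accounts if a.user], authenticated, client_host)
    if proxied is None:
        return AuthResult(False, f"no account for proxied user {authenticated!r}")
    return AuthResult(True, "proxying", authenticated, f"{proxied.user}@{proxied.host}", True)


def demo_environment():
    """Constructed directory, accounts and plugin settings modelled on the scenarios in this section."""
    base = "ou=People,dc=example,dc=com"
    ldap = FakeLdapServer([
        LdapEntry("cn=admin,dc=example,dc=com", {"cn": "admin"}, "admin_secret"),
        LdapEntry(f"uid=betsy_ldap,{base}", {"uid": "betsy_ldap"}, "betsy_password"),
        LdapEntry(f"uid=basha,{base}", {"uid": "basha", "cn": "accounting"}, "basha_password"),
        LdapEntry(f"uid=dupe,{base}", {"uid": "dupe"}, "x"),
        LdapEntry("uid=dupe,ou=Contractors,dc=example,dc=com", {"uid": "dupe"}, "x"),
    ])
    accounts = [
        MysqlAccount("betsy", "localhost", "authentication_ldap_simple", f"uid=betsy_ldap,{base}"),
        MysqlAccount("", "%", "authentication_ldap_sasl"),
        MysqlAccount("accounting", "localhost", "mysql_no_login"),
        MysqlAccount("front_office", "localhost", "mysql_no_login"),
    ]
    cfg = PluginConfig("dc=example,dc=com", bind_root_dn="cn=admin,dc=example,dc=com",
                       bind_root_pwd="admin_secret")
    return accounts, ldap, cfg


if __name__ == "__main__":
    accounts, ldap, cfg = demo_environment()
    for user, pwd in [("betsy", "betsy_password"), ("betsy", "wrong"),
                      ("basha", "basha_password"), ("dupe", "x"), ("nobody", "x")]:
        print(user, authenticate(accounts, ldap, cfg, user, "localhost", pwd))
```

Running it shows the two ways a login can fail before the password is ever checked (root bind rejected; zero or duplicate uid matches) and the proxy path for basha, whose cn value becomes the authenticated user and selects 'accounting'@'localhost' for privilege checking. Dropping bind_root_dn and bind_root_pwd from the PluginConfig reproduces the "root credentials empty and anonymous bind not permitted" failure from the text.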

Installing LDAP Pluggable Authentication

This section describes how to install the LDAP authentication plugins. For general information about installing plugins, see Section 5.6.1, “Installing and Uninstalling Plugins”.

To be usable by the server, the plugin library files must be located in the MySQL plugin directory (the directory named by the plugin_dir system variable). If necessary, configure the plugin directory location by setting the value of plugin_dir at server startup.

The server-side plugin library file base names are authentication_ldap_simple and authentication_ldap_sasl. The file name suffix differs per platform (for example, .so for Unix and Unix-like systems, .dll for Windows).

To load the plugins at server startup, use --plugin-load-add options to name the library files that contain them. With this plugin-loading method, the options must be given each time the server starts. Also, specify values for any plugin-provided system variables you wish to configure.

Each server-side LDAP plugin exposes a set of system variables that enable its operation to be configured. Setting most of these is optional, but you must set the variables that specify the LDAP server host (so the plugin knows where to connect) and the base distinguished name for LDAP bind operations (to limit the scope of searches and obtain faster searches). For details about all LDAP system variables, see Section 6.4.1.11, “Pluggable Authentication System Variables”.

To load the plugins and set the LDAP server host and base distinguished name for LDAP bind operations, put lines such as these in your my.cnf file, adjusting the .so suffix for your platform as necessary:

[mysqld]
plugin-load-add=authentication_ldap_simple.so
authentication_ldap_simple_server_host=127.0.0.1
authentication_ldap_simple_bind_base_dn="dc=example,dc=com"
plugin-load-add=authentication_ldap_sasl.so
authentication_ldap_sasl_server_host=127.0.0.1
authentication_ldap_sasl_bind_base_dn="dc=example,dc=com"

After modifying my.cnf, restart the server to cause the new settings to take effect.

Alternatively, to load the plugins at runtime, use these statements, adjusting the .so suffix for your platform as necessary:

INSTALL PLUGIN authentication_ldap_simple
  SONAME 'authentication_ldap_simple.so';
INSTALL PLUGIN authentication_ldap_sasl
  SONAME 'authentication_ldap_sasl.so';

INSTALL PLUGIN loads the plugin immediately, and also registers it in the mysql.plugins system table to cause the server to load it for each subsequent normal startup without the need for --plugin-load-add.

After installing the plugins at runtime, their system variables become available and you can add settings for them to your my.cnf file to configure the plugins for subsequent restarts. For example:

[mysqld]
authentication_ldap_simple_server_host=127.0.0.1
authentication_ldap_simple_bind_base_dn="dc=example,dc=com"
authentication_ldap_sasl_server_host=127.0.0.1
authentication_ldap_sasl_bind_base_dn="dc=example,dc=com"

After modifying my.cnf, restart the server to cause the new settings to take effect.

Alternatively, to set and persist the values at runtime, use these statements:

SET PERSIST authentication_ldap_simple_server_host='127.0.0.1';
SET PERSIST authentication_ldap_simple_bind_base_dn='dc=example,dc=com';
SET PERSIST authentication_ldap_sasl_server_host='127.0.0.1';
SET PERSIST authentication_ldap_sasl_bind_base_dn='dc=example,dc=com';

SET PERSIST sets the value for the running MySQL instance. It also saves the value, causing it to carry over to subsequent server restarts. To change a value for the running MySQL instance without having it carry over to subsequent restarts, use the GLOBAL keyword rather than PERSIST. See Section 13.7.6.1, “SET Syntax for Variable Assignment”.

To verify plugin installation, examine the INFORMATION_SCHEMA.PLUGINS table or use the SHOW PLUGINS statement (see Section 5.6.2, “Obtaining Server Plugin Information”). For example:
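Because the server host and bind base DN are the only settings the text calls mandatory, a quick pre-restart check of my.cnf catches the common mistake of loading a plugin without them. The linter below is an added example, not part of MySQL: it parses the [mysqld] section of a my.cnf fragment (a constructed copy of the configuration shown above, plus a deliberately incomplete one), maps each plugin-load-add entry to its plugin, and reports any loaded LDAP plugin whose *_server_host or *_bind_base_dn is missing. It also flags an LDAP variable that is set while its plugin is not in plugin-load-add, since that is only valid when the plugin was registered earlier with INSTALL PLUGIN (otherwise the server rejects the unknown variable at startup).

```python
import re

LDAP_PLUGINS = ("authentication_ldap_simple", "authentication_ldap_sasl")
REQUIRED_SUFFIXES = ("server_host", "bind_base_dn")   # mandatory per the section above


def parse_mycnf(text):
    """Return {section: [(key, value), ...]}. Keys are normalised (hyphens to underscores),
    '#' comments are stripped, surrounding quotes on values are removed. A key may repeat
    (plugin-load-add usually does), so each section keeps an ordered list, not a dict."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().replace("-", "_"), value.strip().strip("\"'")))
    return sections


def loaded_ldap_plugins(mysqld_items):
    """Plugins named by plugin-load-add entries. Each entry is a ';'-separated list of
    either 'library' or 'name=library'; the library base name is the plugin name here."""
    loaded = set()
    for key, value in mysqld_items:
        if key != "plugin_load_add":
            continue
        for item in value.split(";"):
            base = re.sub(r"\.(so|dll)$", "", item.split("=")[-1].strip())
            if base in LDAP_PLUGINS:
                loaded.add(base)
    return loaded


def lint_ldap_config(text):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    mysqld = parse_mycnf(text).get("mysqld", [])
    loaded = loaded_ldap_plugins(mysqld)
    settings = {k: v for k, v in mysqld if k != "plugin_load_add"}

    for plugin in sorted(loaded):
        for suffix in REQUIRED_SUFFIXES:
            var = f"{plugin}_{suffix}"
            if not settings.get(var):
                findings.append(f"{plugin} is loaded but {var} is not set (required)")

    for var in settings:
        owner = next((p for p in LDAP_PLUGINS if var.startswith(p + "_")), None)
        if owner and owner not in loaded:
            findings.append(f"{var} is set but {owner} is not in plugin-load-add "
                            "(only valid if the plugin was registered with INSTALL PLUGIN)")
    return findings


# Constructed inputs: the configuration from the text, and an incomplete variant.
GOOD_CNF = """
[mysqld]
plugin-load-add=authentication_ldap_simple.so
authentication_ldap_simple_server_host=127.0.0.1
authentication_ldap_simple_bind_base_dn="dc=example,dc=com"
plugin-load-add=authentication_ldap_sasl.so
authentication_ldap_sasl_server_host=127.0.0.1
authentication_ldap_sasl_bind_base_dn="dc=example,dc=com"
"""

BAD_CNF = """
[mysqld]
plugin-load-add=authentication_ldap_sasl.so
authentication_ldap_sasl_server_host=127.0.0.1     # base DN forgotten
authentication_ldap_simple_server_host=127.0.0.1   # plugin not loaded here
"""

if __name__ == "__main__":
    print("good:", lint_ldap_config(GOOD_CNF))
    print("bad:", *lint_ldap_config(BAD_CNF), sep="\n  ")
```

The parser deliberately keeps plugin-load-add as repeated entries rather than collapsing them into a dict, because the last-one-wins behaviour of a dict is exactly how a second plugin gets silently dropped from a hand-edited file.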

mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE '%ldap%';
+----------------------------+---------------+
| PLUGIN_NAME                | PLUGIN_STATUS |
+----------------------------+---------------+
| authentication_ldap_sasl   | ACTIVE        |
| authentication_ldap_simple | ACTIVE        |
+----------------------------+---------------+

If a plugin fails to initialize, check the server error log for diagnostic messages.

To associate MySQL accounts with an LDAP plugin, see Using LDAP Pluggable Authentication.

Additional Notes for SELinux

On systems running EL6 or EL that have SELinux enabled, changes to the SELinux policy are required to enable the MySQL LDAP plugins to communicate with the LDAP service:

  1. Create a file mysqlldap.te with these contents:

    module mysqlldap 1.0;
    
    require {
            type ldap_port_t;
            type mysqld_t;
            class tcp_socket name_connect;
    }
    
    #============= mysqld_t ==============
    
    allow mysqld_t ldap_port_t:tcp_socket name_connect;

  2. Compile the security policy module into a binary representation:

    checkmodule -M -m mysqlldap.te -o mysqlldap.mod

  3. Create an SELinux policy module package:

    semodule_package -m mysqlldap.mod -o mysqlldap.pp

  4. Install the module package:

    semodule -i mysqlldap.pp

  5. When the SELinux policy changes have been made, restart the MySQL server:

    service mysqld restart

Uninstalling LDAP Pluggable Authentication

The method used to uninstall the LDAP authentication plugins depends on how you installed them:

  • If you installed the plugins at server startup using --plugin-load-add options, restart the server without those options.

  • If you installed the plugins at runtime using INSTALL PLUGIN, they remain installed across server restarts. To uninstall them, use UNINSTALL PLUGIN:

    UNINSTALL PLUGIN authentication_ldap_simple;
    UNINSTALL PLUGIN authentication_ldap_sasl;

In addition, remove from your my.cnf file any startup options that set LDAP plugin-related system variables. If you used SET PERSIST to persist LDAP system variables, use RESET PERSIST to remove the settings.

LDAP Pluggable Authentication and ldap.conf

For installations that use OpenLDAP, the ldap.conf file provides global defaults for LDAP clients. Options can be set in this file to affect LDAP clients, including the LDAP authentication plugins. OpenLDAP uses configuration options in this order of precedence:

  • Configuration specified by the LDAP client.

  • Configuration specified in the ldap.conf file. To disable use of this file, set the LDAPNOINIT environment variable.

  • OpenLDAP library built-in defaults.

If the library defaults or ldap.conf values do not yield appropriate option values, an LDAP authentication plugin may be able to set related variables to affect the LDAP configuration directly. For example, LDAP plugins can override ldap.conf for parameters such as these:

For more information about ldap.conf, consult the ldap.conf(5) man page.

Using LDAP Pluggable Authentication

This section describes how to enable MySQL accounts to connect to the MySQL server using LDAP pluggable authentication. It is assumed that the server is running with the appropriate server-side plugins enabled, as described in Installing LDAP Pluggable Authentication, and that the appropriate client-side plugins are available on the client host.

This section does not describe LDAP configuration or administration. You are assumed to be familiar with those topics.

The two server-side LDAP plugins each work with a specific client-side plugin:

  • The server-side authentication_ldap_simple plugin performs simple LDAP authentication. For connections by accounts that use this plugin, client programs use the client-side mysql_clear_password plugin, which sends the password to the server as cleartext. No password hashing or encryption is used, so a secure connection between the MySQL client and server is recommended to prevent password exposure.

  • The server-side authentication_ldap_sasl plugin performs SASL-based LDAP authentication. For connections by accounts that use this plugin, client programs use the client-side authentication_ldap_sasl_client plugin. The client-side and server-side SASL LDAP plugins use SASL messages for secure transmission of credentials within the LDAP protocol, to avoid sending the cleartext password between the MySQL client and server.

Overall requirements for LDAP authentication of MySQL users:

  • There must be an LDAP directory entry for each user to be authenticated.

  • There must be a MySQL user account that specifies a server-side LDAP authentication plugin and optionally names the associated LDAP user distinguished name (DN). (To associate an LDAP user DN with a MySQL account, include a BY clause in the CREATE USER statement that creates the account.) If an account names no LDAP string, LDAP authentication uses the user name specified by the client to find the LDAP entry.

  • Client programs connect using the connection method appropriate for the server-side authentication plugin the MySQL account uses. For LDAP authentication, connections require the MySQL user name and LDAP password. In addition, for accounts that use the server-side authentication_ldap_simple plugin, invoke client programs with the --enable-cleartext-plugin option to enable the client-side mysql_clear_password plugin.

The instructions here assume the following scenario:

  • MySQL users betsy and boris authenticate to the LDAP entries for betsy_ldap and boris_ldap, respectively. (It is not necessary that the MySQL and LDAP user names differ. The use of different names in this discussion helps clarify whether an operation context is MySQL or LDAP.)

  • LDAP entries use the uid attribute to specify user names. This may vary depending on the LDAP server. Some LDAP servers use the cn attribute for user names rather than uid. To change the attribute, modify the authentication_ldap_simple_user_search_attr or authentication_ldap_sasl_user_search_attr system variable appropriately.

  • These LDAP entries are available in the directory managed by the LDAP server, to provide distinguished name values that uniquely identify each user:

    uid=betsy_ldap,ou=People,dc=example,dc=com
    uid=boris_ldap,ou=People,dc=example,dc=com

  • CREATE USER statements that create MySQL accounts name an LDAP user in the BY clause, to indicate which LDAP entry the MySQL account authenticates against.

The instructions for setting up an account that uses LDAP authentication depend on which server-side LDAP plugin is used. The following sections describe several usage scenarios.

Simple LDAP Authentication

To configure a MySQL account for simple LDAP authentication, the CREATE USER statement specifies the authentication_ldap_simple plugin, and optionally names the LDAP user distinguished name (DN):

CREATE USER user
  IDENTIFIED WITH authentication_ldap_simple
  [BY 'LDAP user DN'];

Suppose that MySQL user betsy has this entry in the LDAP directory:

uid=betsy_ldap,ou=People,dc=example,dc=com

Then the statement to create the MySQL account for betsy looks like this:

CREATE USER 'betsy'@'localhost'
  IDENTIFIED WITH authentication_ldap_simple
  AS 'uid=betsy_ldap,ou=People,dc=example,dc=com';

The authentication string specified in the BY clause does not include the LDAP password. That must be provided by the client user at connect time.

Clients connect to the MySQL server by providing the MySQL user name and LDAP password, and by enabling the client-side mysql_clear_password plugin:

shell> mysql --user=betsy --password --enable-cleartext-plugin
Enter password: betsy_password (betsy_ldap LDAP password)

Note

The client-side mysql_clear_password authentication plugin leaves the password untouched, so client programs send it to the MySQL server as cleartext. This enables the password to be passed as is to the LDAP server. A cleartext password is necessary to use the server-side LDAP library without SASL, but may be a security problem in some configurations. These measures minimize the risk:

The authentication process occurs as follows:

  1. The client-side plugin sends betsy and betsy_password as the client user name and LDAP password to the MySQL server.

  2. The connection attempt matches the 'betsy'@'localhost' account. The server-side LDAP plugin finds that this account has an authentication string of 'uid=betsy_ldap,ou=People,dc=example,dc=com' to name the LDAP user DN. The plugin sends this string and the LDAP password to the LDAP server.

  3. The LDAP server finds the LDAP entry for betsy_ldap and the password matches, so LDAP authentication succeeds.

  4. The LDAP entry has no group attribute, so the server-side plugin returns the client user name (betsy) as the authenticated user. This is the same user name supplied by the client, so no proxying occurs and the client session uses the 'betsy'@'localhost' account for privilege checking.

Had the matching LDAP entry contained a group attribute, that attribute value would have been the authenticated user name and, if the value differed from betsy, proxying would have occurred. For examples that use the group attribute, see LDAP Authentication with Proxying.

Had the CREATE USER statement contained no BY clause to specify the betsy_ldap LDAP distinguished name, authentication attempts would use the user name provided by the client (in this case, betsy). In the absence of an LDAP entry for betsy, authentication would fail.

SASL-Based LDAP Authentication

To configure a MySQL account for SASL LDAP authentication, the CREATE USER statement specifies the authentication_ldap_sasl plugin, and optionally names the LDAP user distinguished name (DN):

CREATE USER user
  IDENTIFIED WITH authentication_ldap_sasl
  [BY 'LDAP user DN'];

Suppose that MySQL user boris has this entry in the LDAP directory:

uid=boris_ldap,ou=People,dc=example,dc=com

Then the statement to create the MySQL account for boris looks like this:

CREATE USER 'boris'@'localhost'
  IDENTIFIED WITH authentication_ldap_sasl
  AS 'uid=boris_ldap,ou=People,dc=example,dc=com';

The authentication string specified in the BY clause does not include the LDAP password. That must be provided by the client user at connect time.

Clients connect to the MySQL server by providing the MySQL user name and LDAP password:

shell> mysql --user=boris --password
Enter password: boris_password (boris_ldap LDAP password)

For the server-side authentication_ldap_sasl plugin, clients use the client-side authentication_ldap_sasl_client plugin. If a client program does not find the client-side plugin, specify a --plugin-dir option that names the directory where the plugin library file is installed.

The authentication process for boris is similar to that previously described for betsy with simple LDAP authentication, except that the client-side and server-side SASL LDAP plugins use SASL messages for secure transmission of credentials within the LDAP protocol, to avoid sending the cleartext password between the MySQL client and server.

LDAP Authentication with Proxying

LDAP authentication plugins support proxying, enabling a user to connect to the MySQL server as one user but assume the privileges of a different user. This section describes basic LDAP plugin proxy support. The LDAP plugins also support specification of group preference and proxy user mapping; see LDAP Authentication Group Preference and Mapping Specification.

The proxying implementation described here is based on use of LDAP group attribute values to map connecting MySQL users who authenticate using LDAP onto other MySQL accounts that define different sets of privileges. Users do not connect directly through the accounts that define the privileges. Instead, they connect through a default proxy account authenticated with LDAP, such that all external logins are mapped to the proxied MySQL accounts that hold the privileges. Any user who connects using the proxy account is mapped to one of those proxied MySQL accounts, the privileges for which determine the database operations permitted to the external user.

The instructions here assume the following scenario:

  • LDAP entries use the uid and cn attributes to specify user name and group values, respectively. To use different user and group attribute names, set the appropriate plugin-specific system variables:

  • These LDAP entries are available in the directory managed by the LDAP server, to provide distinguished name values that uniquely identify each user:

    uid=basha,ou=People,dc=example,dc=com,cn=accounting
    uid=basil,ou=People,dc=example,dc=com,cn=front_office

    At connect time, the group attribute values become the authenticated user names, so they name the accounting and front_office proxied accounts.

  • The examples assume use of SASL LDAP authentication. Make the appropriate adjustments for simple LDAP authentication.

Create the default proxy MySQL account:

CREATE USER ''@'%'
  IDENTIFIED WITH authentication_ldap_sasl;

The proxy account definition has no AS 'auth_string' clause to name an LDAP user DN. Thus:代理帐户定义没有AS 'auth_string'子句来命名LDAP用户DN。因此:

  • When a client connects, the client user name becomes the LDAP user name to search for.当客户端连接时,客户端用户名将成为要搜索的LDAP用户名。

  • The matching LDAP entry is expected to include a group attribute naming the proxied MySQL account that defines the privileges the client should have.匹配的LDAP条目应包含一个组属性,该属性命名了代理的MySQL帐户,定义了客户端应具有的权限。

Note注意

If your MySQL installation has anonymous users, they might conflict with the default proxy user. 如果你的MySQL安装有匿名用户,他们可能会与默认代理用户冲突。For more information about this issue, and ways of dealing with it, see Default Proxy User and Anonymous User Conflicts.有关此问题的更多信息以及处理方法,请参阅默认代理用户和匿名用户冲突

Create the proxied accounts and grant to each one the privileges it should have:

CREATE USER 'accounting'@'localhost'
  IDENTIFIED WITH mysql_no_login;
CREATE USER 'front_office'@'localhost'
  IDENTIFIED WITH mysql_no_login;

GRANT ALL PRIVILEGES
  ON accountingdb.*
  TO 'accounting'@'localhost';
GRANT ALL PRIVILEGES
  ON frontdb.*
  TO 'front_office'@'localhost';

The proxied accounts use the mysql_no_login authentication plugin to prevent clients from using the accounts to log in directly to the MySQL server. Instead, users who authenticate using LDAP are expected to use the default ''@'%' proxy account. (This assumes that the mysql_no_login plugin is installed. For instructions, see Section 6.4.1.8, “No-Login Pluggable Authentication”.) For alternative methods of protecting proxied accounts against direct use, see Preventing Direct Login to Proxied Accounts.

Grant to the proxy account the PROXY privilege for each proxied account:

GRANT PROXY
  ON 'accounting'@'localhost'
  TO ''@'%';
GRANT PROXY
  ON 'front_office'@'localhost'
  TO ''@'%';

Use the mysql command-line client to connect to the MySQL server as basha.

shell> mysql --user=basha --password
Enter password: basha_password (basha LDAP password)

Authentication occurs as follows:

  1. The server authenticates the connection using the default ''@'%' proxy account, for client user basha.

  2. The matching LDAP entry is:

    uid=basha,ou=People,dc=example,dc=com,cn=accounting
  3. The matching LDAP entry has group attribute cn=accounting, so accounting becomes the authenticated proxied user.

  4. The authenticated user differs from the client user name basha, with the result that basha is treated as a proxy for accounting, and basha assumes the privileges of the proxied accounting account. The following query returns output as shown:

    mysql> SELECT USER(), CURRENT_USER(), @@proxy_user;
    +-----------------+----------------------+--------------+
    | USER()          | CURRENT_USER()       | @@proxy_user |
    +-----------------+----------------------+--------------+
    | basha@localhost | accounting@localhost | ''@'%'       |
    +-----------------+----------------------+--------------+

This demonstrates that basha uses the privileges granted to the proxied accounting MySQL account, and that proxying occurs through the default proxy user account.

Now connect as basil instead:

shell> mysql --user=basil --password
Enter password: basil_password (basil LDAP password)

The authentication process for basil is similar to that previously described for basha:

  1. The server authenticates the connection using the default ''@'%' proxy account, for client user basil.

  2. The matching LDAP entry is:

    uid=basil,ou=People,dc=example,dc=com,cn=front_office
  3. The matching LDAP entry has group attribute cn=front_office, so front_office becomes the authenticated proxied user.

  4. The authenticated user differs from the client user name basil, with the result that basil is treated as a proxy for front_office, and basil assumes the privileges of the proxied front_office account. The following query returns output as shown:

    mysql> SELECT USER(), CURRENT_USER(), @@proxy_user;
    +-----------------+------------------------+--------------+
    | USER()          | CURRENT_USER()         | @@proxy_user |
    +-----------------+------------------------+--------------+
    | basil@localhost | front_office@localhost | ''@'%'       |
    +-----------------+------------------------+--------------+

This demonstrates that basil uses the privileges granted to the proxied front_office MySQL account, and that proxying occurs through the default proxy user account.

LDAP Authentication Group Preference and Mapping Specification

As described in LDAP Authentication with Proxying, basic LDAP authentication proxying works by the principle that the plugin uses the first group name returned by the LDAP server as the MySQL proxied user account name. This simple capability does not enable specifying any preference about which group name to use if the LDAP server returns multiple group names, or specifying any name other than the group name as the proxied user name.

As of MySQL 8.0.14, for MySQL accounts that use LDAP authentication, the authentication string can specify the following information to enable greater proxying flexibility:

  • A list of groups in preference order, such that the plugin uses the first group name in the list that matches a group returned by the LDAP server.

  • A mapping from group names to proxied user names, such that a group name when matched can provide a specified name to use as the proxied user. This provides an alternative to using the group name as the proxied user.

Consider the following MySQL proxy account definition:

CREATE USER ''@'%'
  IDENTIFIED WITH authentication_ldap_sasl
  AS '+ou=People,dc=example,dc=com#grp1=usera,grp2,grp3=userc';

The authentication string has a user DN suffix ou=People,dc=example,dc=com prefixed by the + character. Thus, as described in LDAP Authentication User DN Suffixes, the full user DN is constructed from the user DN suffix as specified, plus the client user name as the uid attribute.

The remaining part of the authentication string begins with #, which signifies the beginning of group preference and mapping information. This part of the authentication string lists group names in the order grp1, grp2, grp3. The LDAP plugin compares that list with the set of group names returned by the LDAP server, looking in list order for a match against the returned names. The plugin uses the first match, or if there is no match, authentication fails.

Suppose that the LDAP server returns groups grp3, grp2, and grp7. The LDAP plugin uses grp2 because it is the first group in the authentication string that matches, even though it is not the first group returned by the LDAP server. If the LDAP server returns grp4, grp2, and grp1, the plugin uses grp1 even though grp2 also matches. grp1 has a precedence higher than grp2 because it is listed earlier in the authentication string.

Assuming that the plugin finds a group name match, it performs mapping from that group name to the MySQL proxied user name, if there is one. For the example proxy account, mapping occurs as follows:

  • If the matching group name is grp1 or grp3, those are associated in the authentication string with user names usera and userc, respectively. The plugin uses the corresponding associated user name as the proxied user name.

  • If the matching group name is grp2, there is no associated user name in the authentication string. The plugin uses grp2 as the proxied user name.

If the LDAP server returns a group in DN format, the LDAP plugin parses the group DN to extract the group name from it.

To specify LDAP group preference and mapping information, these principles apply:

  • Begin the group preference and mapping part of the authentication string with a # prefix character.

  • The group preference and mapping specification is a list of one or more items, separated by commas. Each item has the form group_name=user_name or group_name. Items should be listed in group name preference order. For a group name selected by the plugin as a match from the set of group names returned by the LDAP server, the two syntaxes differ in effect as follows:

    • For an item specified as group_name=user_name (with a user name), the group name maps to the user name, which is used as the MySQL proxied user name.

    • For an item specified as group_name (with no user name), the group name is used as the MySQL proxied user name.

  • To quote a group or user name that contains special characters such as space, surround it by double quote (") characters. For example, if an item has group and user names of my group name and my user name, it must be written in a group mapping using quotes:

    "my group name"="my user name"

    If an item has group and user names of my_group_name and my_user_name (which contain no special characters), it may but need not be written using quotes. Any of the following are valid:

    my_group_name=my_user_name
    my_group_name="my_user_name"
    "my_group_name"=my_user_name
    "my_group_name"="my_user_name"
  • To escape a character, precede it by a backslash (\). This is useful particularly to include a literal double quote or backslash, which are otherwise not included literally.

  • A user DN need not be present in the authentication string, but if present, it must precede the group preference and mapping part. A user DN can be given as a full user DN, or as a user DN suffix with a + prefix character. (See LDAP Authentication User DN Suffixes.)

LDAP Authentication User DN Suffixes

LDAP authentication plugins permit the authentication string that provides user DN information to begin with a + prefix character:

  • In the absence of a + character, the authentication string value is treated as is without modification.

  • If the authentication string begins with +, the plugin constructs the full user DN value from the user name sent by the client, together with the DN specified in the authentication string (with the + removed). In the constructed DN, the client user name becomes the value of the attribute that specifies LDAP user names. This is uid by default; to change the attribute, modify the appropriate system variable (authentication_ldap_simple_user_search_attr or authentication_ldap_sasl_user_search_attr). The authentication string is stored as given in the mysql.user system table, with the full user DN constructed on the fly before authentication.

This account authentication string does not have + at the beginning, so it is taken as the full user DN:

CREATE USER 'baldwin'
  IDENTIFIED WITH authentication_ldap_simple
  AS 'uid=admin,ou=People,dc=example,dc=com';

The client connects with the user name specified in the account (baldwin). In this case, that name is not used because the authentication string has no prefix and thus fully specifies the user DN.

This account authentication string does have + at the beginning, so it is taken as just part of the user DN:

CREATE USER 'accounting'
  IDENTIFIED WITH authentication_ldap_simple
  AS '+ou=People,dc=example,dc=com';

The client connects with the user name specified in the account (accounting), which in this case is used as the uid attribute together with the authentication string to construct the user DN: uid=accounting,ou=People,dc=example,dc=com

The accounts in the preceding examples have a nonempty user name, so the client always connects to the MySQL server using the same name as specified in the account definition. If an account has an empty user name, such as the default anonymous ''@'%' proxy account described in LDAP Authentication with Proxying, clients might connect to the MySQL server with varying user names. But the principle is the same: If the authentication string begins with +, the plugin uses the user name sent by the client together with the authentication string to construct the user DN.
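The rules given in the two preceding sections (the # group preference list with its optional group_name=user_name mapping, quoting and backslash escaping, DN-format group values, and the + user DN suffix) can be modelled end to end. The following Python is an added example, not code from the MySQL LDAP plugins or from the manual; the function names parse_auth_string, build_user_dn, group_name_from_value and select_proxied_user are its own, and its handling of a DN-format group value (take the value of the first RDN) is an assumption, since the manual does not spell out that parse. With an empty preference list it falls back to the basic behaviour described under LDAP Authentication with Proxying, where the first group returned by the LDAP server becomes the proxied user, and with no DN part at all it returns no search DN, which is the situation of the default ''@'%' proxy account and of GSSAPI/Kerberos accounts.

```python
"""Model of LDAP-plugin authentication-string handling (added example, not
MySQL code): user DN construction and group-to-proxied-user selection."""
import re
from typing import List, Optional, Tuple

Pref = Tuple[str, Optional[str]]  # (group_name, mapped user name or None)


def _index_unquoted(s: str, ch: str) -> int:
    """Index of the first ch that is outside double quotes and not escaped."""
    quoted, i = False, 0
    while i < len(s):
        c = s[i]
        if c == "\\":            # backslash escape: skip the next character
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == ch and not quoted:
            return i
        i += 1
    return -1


def _split_unquoted(s: str, sep: str) -> List[str]:
    """Split s on sep, leaving quoted sections and escapes untouched."""
    parts: List[str] = []
    while True:
        idx = _index_unquoted(s, sep)
        if idx < 0:
            parts.append(s)
            return parts
        parts.append(s[:idx])
        s = s[idx + 1:]


def _unquote(tok: str) -> str:
    """Strip surrounding double quotes and resolve backslash escapes."""
    tok = tok.strip()
    if len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"':
        tok = tok[1:-1]
    return re.sub(r"\\(.)", r"\1", tok)


def parse_auth_string(auth: str) -> Tuple[Optional[str], List[Pref]]:
    """Split an auth string into (user DN part, ordered preference list).
    The DN part is everything before the first '#': None if absent, a full
    DN, or '+suffix'. Items after '#' are group_name or group_name=user_name."""
    idx = _index_unquoted(auth, "#")
    dn_part = (auth if idx < 0 else auth[:idx]).strip() or None
    group_part = "" if idx < 0 else auth[idx + 1:]
    prefs: List[Pref] = []
    if group_part.strip():
        for item in _split_unquoted(group_part, ","):
            kv = _split_unquoted(item, "=")
            if len(kv) == 1:
                prefs.append((_unquote(kv[0]), None))
            elif len(kv) == 2:
                prefs.append((_unquote(kv[0]), _unquote(kv[1])))
            else:
                raise ValueError(f"malformed group mapping item: {item!r}")
    return dn_part, prefs


def build_user_dn(dn_part: Optional[str], client_user: str,
                  search_attr: str = "uid") -> Optional[str]:
    """Return the user DN the plugin searches for. A '+' prefix means the
    client user name is inserted as search_attr in front of the suffix; None
    means the auth string has no DN and the plugin searches the client user
    name under the configured base DN instead (not modelled here)."""
    if dn_part is None:
        return None
    if dn_part.startswith("+"):
        return f"{search_attr}={client_user},{dn_part[1:]}"
    return dn_part


def group_name_from_value(value: str) -> str:
    """Reduce a group attribute value to a bare name. Assumption: a DN-format
    value such as 'cn=accounting,ou=Groups,dc=example,dc=com' yields the
    value of its first RDN."""
    if "=" not in value:
        return value
    end = _index_unquoted(value, ",")
    first_rdn = value if end < 0 else value[:end]
    return first_rdn.split("=", 1)[1]


def select_proxied_user(prefs: List[Pref],
                        returned_groups: List[str]) -> Optional[str]:
    """Pick the proxied MySQL user. No preference list: the first group the
    LDAP server returned wins (basic proxying). Otherwise the first list entry
    that matches a returned group wins, mapped if a user name was given.
    None means no match, which is the case where authentication fails."""
    names = [group_name_from_value(g) for g in returned_groups]
    if not prefs:
        return names[0] if names else None
    for group, mapped in prefs:
        if group in names:
            return mapped if mapped is not None else group
    return None


if __name__ == "__main__":
    dn, prefs = parse_auth_string("+ou=People,dc=example,dc=com#grp1=usera,grp2,grp3=userc")
    print(build_user_dn(dn, "basha"))                           # uid=basha,ou=People,dc=example,dc=com
    print(select_proxied_user(prefs, ["grp3", "grp2", "grp7"]))  # grp2
    print(select_proxied_user(prefs, ["grp4", "grp2", "grp1"]))  # usera
```

Run on the manual's proxy account string, the script reproduces the outcomes discussed above: grp2 for the returned set grp3, grp2, grp7 and usera for grp4, grp2, grp1; a returned set with no listed group gives None. Passing sAMAccountName as search_attr shows the effect of changing the user search attribute system variable.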

LDAP Authentication Methods

The LDAP authentication plugins use a configurable authentication method. The appropriate system variable and available method choices are plugin-specific:

  • For the authentication_ldap_simple plugin: Set the authentication_ldap_simple_auth_method_name system variable to configure the method. The permitted choices are SIMPLE and AD-FOREST.

  • For the authentication_ldap_sasl plugin: Set the authentication_ldap_sasl_auth_method_name system variable to configure the method. The permitted choices are SCRAM-SHA-1, SCRAM-SHA-256, and GSSAPI. (To determine which SASL LDAP methods are actually available on the host system, check the value of the Authentication_ldap_sasl_supported_methods status variable.)

See the system variable descriptions for information about each permitted method. Also, depending on the method, additional configuration may be needed, as described in the following sections.

The GSSAPI/Kerberos Authentication Method

Generic Security Service Application Program Interface (GSSAPI) is a security abstraction interface. Kerberos is an instance of a specific security protocol that can be used through that abstract interface. Using GSSAPI, applications authenticate to Kerberos to obtain service credentials, then use those credentials in turn to enable secure access to other services.

One such service is LDAP, which is used by the client-side and server-side SASL LDAP authentication plugins. When the authentication_ldap_sasl_auth_method_name system variable is set to GSSAPI, these plugins use the GSSAPI/Kerberos authentication method. In this case, the plugins communicate securely using Kerberos without using LDAP messages directly. The server-side plugin then communicates with the LDAP server to interpret LDAP authentication messages and retrieve LDAP groups.

GSSAPI/Kerberos is supported as an authentication method for MySQL clients and servers only on Linux. It is useful in Linux environments where applications access LDAP using Microsoft Active Directory, which has Kerberos enabled by default.

The following discussion provides information about the configuration requirements for using the GSSAPI method. Familiarity is assumed with Kerberos concepts and operation, such as these common Kerberos terms:

  • Principal = A named entity, such as a user or service.

  • KDC = The Key Distribution Center, comprising the AS and TGS.

  • AS = The Authentication Server, part of the KDC; provides the initial ticket needed to obtain a TGT.

  • TGS = The ticket-granting service, part of the KDC.

  • TGT = The ticket-granting ticket, presented to the TGS to obtain service tickets for service access.

Kerberos authentication requires both a KDC server and an LDAP server. This requirement can be satisfied in different ways:

  • Active Directory includes both servers, with Kerberos authentication enabled by default in the Active Directory LDAP server.

  • OpenLDAP provides an LDAP server, but a separate KDC server may be needed, with additional Kerberos setup required.

Kerberos must also be available on the client host. A client contacts the AS using a password to obtain a TGT. The client then uses the TGT to obtain access from the TGS to other services, such as LDAP.

The following sections discuss the configuration steps to use GSSAPI/Kerberos for SASL LDAP authentication in MySQL:

Check the Kerberos Setup

The following example shows how to test availability of Kerberos in Active Directory. The example makes these assumptions:

  • Active Directory is running on the host named ldap_auth.example.com with IP address 198.51.100.10.

  • MySQL-related Kerberos authentication and LDAP lookups use the MYSQL.LOCAL domain.

  • A principal named bredon@MYSQL.LOCAL is registered with the KDC. (In later discussion, this principal name is also used for the MySQL user that authenticates to the MySQL server using GSSAPI/Kerberos.)

With those assumptions satisfied, follow this procedure:

  1. Verify that the Kerberos library is installed and configured correctly in the operating system. For example, to configure a MYSQL.LOCAL domain for use during MySQL authentication, the /etc/krb5.conf Kerberos configuration file should contain something like this:

    [realms]
      MYSQL.LOCAL = {
        kdc = ldap_auth.example.com
        admin_server = ldap_auth.example.com
        default_domain = MYSQL.LOCAL
      }
  2. You may need to add an entry to /etc/hosts for the server host:

    198.51.100.10 ldap_auth ldap_auth.example.com
  3. Check whether Kerberos authentication works correctly:

    1. Use kinit to authenticate to Kerberos:

      kinit bredon@MYSQL.LOCAL

      The command authenticates for the Kerberos principal named bredon@MYSQL.LOCAL. Enter the principal's password when the command prompts for it. The KDC returns a TGT that is cached on the client side for use by other Kerberos-aware applications.

    2. Use klist to check whether the TGT was obtained correctly. The output should be similar to this:

      Ticket cache: FILE:/tmp/krb5cc_244306
      Default principal: bredon@MYSQL.LOCAL
      
      Valid starting       Expires              Service principal
      03/23/2020 08:18:33  03/23/2020 18:18:33  krbtgt/MYSQL.LOCAL@MYSQL.LOCAL
  4. Check whether ldapsearch works with the Kerberos TGT using this command, which searches for users in the MYSQL.LOCAL domain:

    ldapsearch -h 198.51.100.10 -Y GSSAPI -b "dc=MYSQL,dc=LOCAL"
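For a scripted version of the klist check in step 3, the following Python parses klist output and confirms that the cache holds an unexpired TGT for the expected principal, which is the same test a practitioner would otherwise do by eye before starting the MySQL client. It is an added example, not part of the MySQL manual or of the Kerberos tools; the names parse_klist and check_tgt are its own, it assumes the default MIT-style klist layout with MM/DD/YYYY timestamps as in the sample above (locale settings change that format), and it runs on a constructed copy of that output rather than invoking klist.

```python
"""Validate a Kerberos ticket cache from klist output (added example, not
part of MySQL or Kerberos). Assumes MIT klist's default layout."""
import re
from datetime import datetime
from typing import List, NamedTuple, Optional, Union

# Constructed sample, shaped like the klist output shown in step 3.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_244306
Default principal: bredon@MYSQL.LOCAL

Valid starting       Expires              Service principal
03/23/2020 08:18:33  03/23/2020 18:18:33  krbtgt/MYSQL.LOCAL@MYSQL.LOCAL
"""

_TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"          # MM/DD/YYYY HH:MM:SS
_TICKET_RE = re.compile(rf"^\s*({_TS})\s+({_TS})\s+(\S+)\s*$")
_TS_FMT = "%m/%d/%Y %H:%M:%S"


class Ticket(NamedTuple):
    valid_from: datetime
    expires: datetime
    service: str


class Cache(NamedTuple):
    principal: Optional[str]
    tickets: List[Ticket]


def parse_klist(text: str) -> Cache:
    """Extract the default principal and the ticket rows from klist output.
    The column-header line and blank lines do not match the row pattern."""
    principal: Optional[str] = None
    tickets: List[Ticket] = []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = _TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(datetime.strptime(m.group(1), _TS_FMT),
                                  datetime.strptime(m.group(2), _TS_FMT),
                                  m.group(3)))
    return Cache(principal, tickets)


def check_tgt(text: str, expected_principal: str,
              now: Union[datetime, str]) -> str:
    """Classify the cache as 'ok', 'principal-mismatch', 'no-tgt' or
    'expired'. The TGT is the krbtgt/REALM@REALM ticket for the principal's
    realm; 'now' may be given as a datetime or in klist's timestamp format."""
    if isinstance(now, str):
        now = datetime.strptime(now, _TS_FMT)
    cache = parse_klist(text)
    if cache.principal != expected_principal:
        return "principal-mismatch"
    realm = expected_principal.rsplit("@", 1)[1]
    tgt_service = f"krbtgt/{realm}@{realm}"
    tgts = [t for t in cache.tickets if t.service == tgt_service]
    if not tgts:
        return "no-tgt"
    if any(t.valid_from <= now < t.expires for t in tgts):
        return "ok"
    return "expired"


if __name__ == "__main__":
    # In practice, feed the real output: subprocess.run(["klist"], ...).stdout
    print(check_tgt(SAMPLE_KLIST, "bredon@MYSQL.LOCAL", datetime.now()))
```

Against the constructed sample, a check time inside the validity window returns ok and one at or after the Expires timestamp returns expired; a cache for a different principal, or one holding no krbtgt ticket for the realm, is reported as such rather than silently passing.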

Configure the Server-Side SASL LDAP Authentication Plugin for GSSAPI/Kerberos

Assuming that the LDAP server is accessible through Kerberos as just described, configure the server-side SASL LDAP authentication plugin to use the GSSAPI/Kerberos authentication method. (For general LDAP plugin installation information, see Installing LDAP Pluggable Authentication.) Here is an example of plugin-related settings the server my.cnf file might contain:

[mysqld]
plugin-load-add=authentication_ldap_sasl.so
authentication_ldap_sasl_auth_method_name="GSSAPI"
authentication_ldap_sasl_server_host=198.51.100.10
authentication_ldap_sasl_server_port=389
authentication_ldap_sasl_bind_root_dn="cn=admin,cn=users,dc=MYSQL,dc=LOCAL"
authentication_ldap_sasl_bind_root_pwd="password"
authentication_ldap_sasl_bind_base_dn="cn=users,dc=MYSQL,dc=LOCAL"
authentication_ldap_sasl_user_search_attr="sAMAccountName"

Those option file settings configure the SASL LDAP plugin as follows:

  • The --plugin-load-add option loads the plugin (adjust the .so suffix for your platform as necessary). If you loaded the plugin previously using an INSTALL PLUGIN statement, this option is unnecessary.

  • authentication_ldap_sasl_auth_method_name must be set to GSSAPI to use GSSAPI/Kerberos as the SASL LDAP authentication method.

  • authentication_ldap_sasl_server_host and authentication_ldap_sasl_server_port indicate the IP address and port number of the Active Directory server host for authentication.

  • authentication_ldap_sasl_bind_root_dn and authentication_ldap_sasl_bind_root_pwd configure the root DN and password for group search capability. This capability is required, but users may not have privileges to search. In such cases, it is necessary to provide root DN information:

    • In the DN option value, admin should be the name of an administrative LDAP account that has privileges to perform user searches.

    • In the password option value, password should be the admin account password.

  • authentication_ldap_sasl_bind_base_dn indicates the user DN base path, so that searches look for users in the MYSQL.LOCAL domain.

  • authentication_ldap_sasl_user_search_attr specifies a standard Active Directory search attribute, sAMAccountName. This attribute is used in searches to match logon names; attribute values are not the same as the user DN values.

Create a MySQL Account That Uses GSSAPI/Kerberos

MySQL authentication using the SASL LDAP authentication plugin with the GSSAPI/Kerberos method is based on a user that is a Kerberos principal. The following discussion uses a principal named bredon@MYSQL.LOCAL as this user, which must be registered in several places:

  • The Kerberos administrator should register the user name as a Kerberos principal. This name should include a domain name. The principal name and password are used by clients to authenticate with Kerberos and obtain a TGT.

  • The LDAP administrator should register the user name in an LDAP entry. For example:

    uid=bredon,dc=MYSQL,dc=LOCAL
    Note

    In Active Directory (which uses Kerberos as the default authentication method), creating a user creates both the Kerberos principal and the LDAP entry.

  • The MySQL DBA should create an account that has the Kerberos principal name as the user name, and that authenticates using the SASL LDAP plugin.

Assuming that the Kerberos principal and LDAP entry have been registered by the appropriate service administrators, and that the MySQL server has been started using the my.cnf settings previously described, create a MySQL account that corresponds to the Kerberos principal name, including the domain name.

Note

The SASL LDAP plugin uses a constant user DN for Kerberos authentication and ignores any user DN configured from MySQL. This has certain implications:

  • For any MySQL account that uses GSSAPI/Kerberos authentication, the authentication string in CREATE USER or ALTER USER statements should contain no user DN because it has no effect.

  • Because the authentication string contains no user DN, it should contain group mapping information, to enable the user to be handled as a proxy user that is mapped onto the desired proxied user. For information about proxying with the LDAP authentication plugin, see LDAP Authentication with Proxying.

The following statements create a proxy user named bredon@MYSQL.LOCAL that assumes the privileges of the proxied user named proxied_krb_user. Other GSSAPI/Kerberos users that should have the same privileges can similarly be created as proxy users for the same proxied user.

-- create proxy account
CREATE USER 'bredon@MYSQL.LOCAL'
  IDENTIFIED WITH authentication_ldap_sasl
  BY '#krb_grp=proxied_krb_user';

-- create proxied account and grant its privileges;
-- use mysql_no_login plugin to prevent direct login
CREATE USER 'proxied_krb_user'
  IDENTIFIED WITH mysql_no_login;
GRANT ALL
  ON krb_user_db.*
  TO 'proxied_krb_user';

-- grant to proxy account the
-- PROXY privilege for proxied account
GRANT PROXY
  ON 'proxied_krb_user'
  TO 'bredon@MYSQL.LOCAL';

Observe closely the quoting for the proxy account name in the first CREATE USER statement and the GRANT PROXY statement:

  • For most MySQL accounts, the user and host are separate parts of the account name, and thus are quoted separately as 'user_name'@'host_name'.

  • For Kerberos authentication, the user part of the account name includes the principal domain, so 'bredon@MYSQL.LOCAL' is quoted as a single value. Because no host part is given, the full MySQL account name uses the default of '%' as the host part: 'bredon@MYSQL.LOCAL'@'%'

The proxied account uses the mysql_no_login authentication plugin to prevent clients from using the account to log in directly to the MySQL server. Instead, it is expected that users who authenticate using LDAP use the bredon@MYSQL.LOCAL proxy account. (This assumes that the mysql_no_login plugin is installed. For instructions, see Section 6.4.1.8, “No-Login Pluggable Authentication”.) For alternative methods of protecting proxied accounts against direct use, see Preventing Direct Login to Proxied Accounts.

Use the MySQL Account to Connect to the MySQL Server

After a MySQL account that uses GSSAPI/Kerberos has been set up, clients can authenticate to Kerberos and use the account to connect to the MySQL server. Kerberos authentication can take place either prior to or at the time of MySQL client program invocation:

  • The client user can obtain a TGT independently of MySQL prior to invoking the MySQL client program. For example, the client user can use kinit to authenticate to Kerberos by providing a Kerberos principal name and the principal password. The TGT is cached and becomes available for use by other Kerberos-aware applications, such as the client-side SASL LDAP authentication plugin. In this case, the MySQL client program authenticates to the MySQL server using the TGT, so invoke the client without specifying a user name or password:

    shell> kinit bredon@MYSQL.LOCAL
    Password for bredon@MYSQL.LOCAL: (enter password here)
    shell> mysql --default-auth=authentication_ldap_sasl_client

    If the MySQL client command does include credentials, they are handled as follows:

    • If the command includes a user name, authentication fails if that name does not match the principal name in the TGT.

    • If the command includes a password, the password is ignored. Because authentication is based on the TGT, it can succeed even if the user-provided password is incorrect. For this reason, the plugin produces a warning if a valid TGT is found that causes a password to be ignored.

  • If there is no TGT, the client-side SASL LDAP authentication plugin itself can obtain the TGT from the KDC. In this case, to invoke the client, specify the name and password of the Kerberos principal associated with the MySQL account (enter the command on a single line, then enter the principal password at the prompt):

    shell> mysql --default-auth=authentication_ldap_sasl_client
    --user=bredon@MYSQL.LOCAL
    --password
    Enter password: (enter password here)
  • If the client command specifies no principal name as the user name and the client-side plugin finds the Kerberos cache empty because there is no TGT, authentication fails.如果客户端命令没有指定主体名称作为用户名,并且客户端插件发现Kerberos缓存为空,因为没有TGT,则身份验证失败。

If you are uncertain whether a TGT exists, you can use klist to check.
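The credential-handling rules above, as an added example that is not part of the original page or of the MySQL plugin code: a Python pre-flight check that reads the principal out of klist output and predicts what the client-side plugin will do with a given --user/--password combination. The klist output is a constructed sample, the function names and the returned action labels are this example's own, and the case of a principal name with no password and no cached TGT is assumed to fail because the plugin then has nothing to request a TGT with.

```python
"""Pre-flight check for authentication_ldap_sasl_client (added example,
not MySQL code). Models the documented rules: a cached TGT wins over any
password, a mismatching --user fails, and with no TGT the plugin needs a
principal name and password to obtain one.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `klist` output showing a cached TGT for bredon.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: bredon@MYSQL.LOCAL

Valid starting       Expires              Service principal
01/01/2024 09:00:00  01/01/2024 19:00:00  krbtgt/MYSQL.LOCAL@MYSQL.LOCAL
"""

# Constructed sample of `klist` output when no credential cache exists.
SAMPLE_KLIST_EMPTY = "klist: No credentials cache found (filename: /tmp/krb5cc_1000)\n"


def principal_from_klist(output: str) -> Optional[str]:
    """Return the principal owning a cached TGT, or None if there is none.

    Relies only on the 'Default principal:' line and on the presence of a
    krbtgt/ service ticket line; ticket expiry is not checked here.
    """
    principal = None
    has_tgt = False
    for line in output.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif "krbtgt/" in line:
            has_tgt = True
    return principal if has_tgt else None


@dataclass
class Outcome:
    action: str                   # 'use_tgt', 'obtain_tgt' or 'fail' (labels are this example's)
    principal: Optional[str]      # principal the plugin would authenticate as
    detail: Optional[str] = None  # warning (use_tgt) or failure reason (fail)


def plan_kerberos_auth(cached_principal: Optional[str],
                       user: Optional[str] = None,
                       password: Optional[str] = None) -> Outcome:
    """Predict the plugin's behaviour for the given cache state and command line."""
    if cached_principal is not None:
        # Rule: a user name that differs from the TGT principal fails.
        if user is not None and user != cached_principal:
            return Outcome("fail", None,
                           "user %s does not match TGT principal %s" % (user, cached_principal))
        # Rule: a password is ignored when a valid TGT exists; warn, as the plugin does.
        warning = None
        if password is not None:
            warning = "valid TGT for %s found; supplied password ignored" % cached_principal
        return Outcome("use_tgt", cached_principal, warning)

    # No TGT: the plugin can obtain one only from a principal name and password.
    if user is None:
        return Outcome("fail", None, "Kerberos cache empty and no principal name given")
    if password is None:
        # Assumption: with no password there is nothing to request a TGT with.
        return Outcome("fail", user, "Kerberos cache empty and no password given for %s" % user)
    return Outcome("obtain_tgt", user)


if __name__ == "__main__":
    print(plan_kerberos_auth(principal_from_klist(SAMPLE_KLIST)))
    print(plan_kerberos_auth(principal_from_klist(SAMPLE_KLIST), password="wrong"))
    print(plan_kerberos_auth(principal_from_klist(SAMPLE_KLIST_EMPTY),
                             user="bredon@MYSQL.LOCAL", password="secret"))
```

In practice the klist output would come from running `klist` and capturing stdout; an `obtain_tgt` outcome corresponds to the second invocation form above (--user and --password supplied), and a `use_tgt` outcome with a non-empty detail is the situation in which the plugin emits its password-ignored warning.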

Authentication occurs as follows:

  1. The client uses the TGT to authenticate using Kerberos.

  2. The server finds the LDAP entry for the principal and uses it to authenticate the connection for the bredon@MYSQL.LOCAL MySQL proxy account.

  3. The group mapping information in the proxy account authentication string ('#krb_grp=proxied_krb_user') indicates that the authenticated proxied user should be proxied_krb_user.

  4. bredon@MYSQL.LOCAL is treated as a proxy for proxied_krb_user, and the following query returns output as shown:

    mysql> SELECT USER(), CURRENT_USER(), @@proxy_user;
    +------------------------------+--------------------+--------------------------+
    | USER()                       | CURRENT_USER()     | @@proxy_user             |
    +------------------------------+--------------------+--------------------------+
    | bredon@MYSQL.LOCAL@localhost | proxied_krb_user@% | 'bredon@MYSQL.LOCAL'@'%' |
    +------------------------------+--------------------+--------------------------+

    The USER() value indicates the user name used for the client command (bredon@MYSQL.LOCAL) and the host from which the client connected (localhost).

    The CURRENT_USER() value is the full name of the proxied user account, which consists of the proxied_krb_user user part and the % host part.

    The @@proxy_user value indicates the full name of the account used to make the connection to the MySQL server, which consists of the bredon@MYSQL.LOCAL user part and the % host part.

    This demonstrates that proxying occurs through the bredon@MYSQL.LOCAL proxy user account, and that bredon@MYSQL.LOCAL assumes the privileges granted to the proxied_krb_user proxied user account.

A TGT, once obtained, is cached on the client side and can be used until it expires without specifying the password again. However the TGT is obtained, the client-side plugin uses it to acquire service tickets and communicate with the server-side plugin.

When the client-side plugin itself obtains the TGT, the client user may not want the TGT to be reused. As described in /etc/krb5.conf Client Configuration Parameters, the local /etc/krb5.conf file can be used to cause the client-side plugin to destroy the TGT when done with it.

The server-side plugin has no access to the TGT itself or the Kerberos password used to obtain it.

The LDAP authentication plugins have no control over the caching mechanism (storage in a local file, in memory, and so forth), but Kerberos utilities such as kswitch may be available for this purpose.

/etc/krb5.conf Client Configuration Parameters

The client-side SASL LDAP plugin reads the local /etc/krb5.conf file. If this file is missing or inaccessible, an error occurs. Assuming that the file is accessible, the optional [appdefaults] section can be used to provide information used by the plugin. Place such information within the MySQL part of the section. For example:

[appdefaults]
  MySQL = {
    ldap_server_host = "ldap_host.example.com"
    ldap_destroy_tgt = true
  }

The client-side plugin recognizes these parameters in the MySQL section:

  • The ldap_server_host value specifies the LDAP server host and can be useful when that host differs from the KDC server host specified in the [realms] section. By default, the plugin uses the KDC server host as the LDAP server host.

  • The ldap_destroy_tgt value indicates whether the client-side plugin destroys the TGT after obtaining and using it. By default, ldap_destroy_tgt is false, but can be set to true to avoid TGT reuse. (This setting applies only to TGTs created by the client-side plugin, not TGTs created externally to MySQL.)
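The lookup rules above (ldap_server_host falling back to the realm's KDC host, ldap_destroy_tgt defaulting to false, a missing file being an error), as an added example that is neither MySQL's nor MIT Kerberos's code: a small Python parser for the krb5.conf subset involved, applied to two constructed configurations. The realm, host names and port in the samples are made up for the example, and the handling of a ":port" suffix on the kdc value is an assumption of this code.

```python
"""Resolve the settings the client-side SASL LDAP plugin takes from
/etc/krb5.conf (added example, not MySQL or MIT Kerberos code).

Parses the krb5.conf subset needed here ([section] headers, `key = value`
relations, one level of `key = { ... }` blocks, `#` comments) and applies
the documented defaults: ldap_server_host falls back to the realm's KDC
host, ldap_destroy_tgt defaults to false.
"""
import re

_SECTION = re.compile(r"\[(\w+)\]")
_BLOCK_OPEN = re.compile(r"([\w.\-]+)\s*=\s*\{")
_RELATION = re.compile(r"([\w.\-]+)\s*=\s*(.*)")


def parse_krb5_conf(text):
    """Return {section: {key: value | {subkey: value}}} for krb5.conf text."""
    conf = {}
    section = None   # dict for the current [section]
    block = None     # dict for the open `name = { ... }` block, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = _SECTION.fullmatch(line)
        if m and block is None:
            section = conf.setdefault(m.group(1), {})
            continue
        if section is None:
            raise ValueError("relation outside any section: %r" % raw)
        if line == "}":
            block = None
            continue
        m = _BLOCK_OPEN.fullmatch(line)
        if m:
            block = section.setdefault(m.group(1), {})
            continue
        m = _RELATION.fullmatch(line)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        key, value = m.group(1), m.group(2).strip().strip('"')
        (block if block is not None else section)[key] = value
    return conf


def load_krb5_conf(path="/etc/krb5.conf"):
    """Read the file; like the plugin, treat a missing or unreadable file as
    an error rather than silently falling back to defaults."""
    with open(path) as fh:          # raises OSError if missing or inaccessible
        return parse_krb5_conf(fh.read())


def mysql_ldap_client_settings(conf, realm):
    """Return the effective ldap_server_host and ldap_destroy_tgt values."""
    app = conf.get("appdefaults", {}).get("MySQL", {})
    kdc = conf.get("realms", {}).get(realm, {}).get("kdc")
    host = app.get("ldap_server_host")
    if host is None and kdc is not None:
        # Default: the KDC host doubles as the LDAP host. Assumption: a
        # ":port" suffix on the kdc value is not part of the host name.
        host = kdc.split(":")[0]
    if host is None:
        raise ValueError("no ldap_server_host and no kdc for realm %s" % realm)
    destroy = app.get("ldap_destroy_tgt", "false").lower() in ("true", "yes", "1")
    return {"ldap_server_host": host, "ldap_destroy_tgt": destroy}


# Constructed sample: the page's [appdefaults] block plus a [realms] entry.
SAMPLE_WITH_OVERRIDE = """
[libdefaults]
  default_realm = MYSQL.LOCAL

[realms]
  MYSQL.LOCAL = {
    kdc = kdc.mysql.local:88
    admin_server = kdc.mysql.local
  }

[appdefaults]
  MySQL = {
    ldap_server_host = "ldap_host.example.com"   # LDAP not on the KDC host
    ldap_destroy_tgt = true
  }
"""

# Constructed sample with no [appdefaults]: both defaults apply.
SAMPLE_DEFAULTS = """
[realms]
  MYSQL.LOCAL = {
    kdc = kdc.mysql.local
  }
"""

if __name__ == "__main__":
    print(mysql_ldap_client_settings(parse_krb5_conf(SAMPLE_WITH_OVERRIDE), "MYSQL.LOCAL"))
    print(mysql_ldap_client_settings(parse_krb5_conf(SAMPLE_DEFAULTS), "MYSQL.LOCAL"))
```

Running this against a real /etc/krb5.conf via load_krb5_conf() shows, before any connection attempt, which host the plugin will contact for LDAP and whether a TGT it obtains itself will survive the session; the second sample makes the silent fallback to the KDC host visible, which matters when the KDC and the directory are not the same machine.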

LDAP Search Referral

An LDAP server can be configured to delegate LDAP searches to another LDAP server, a functionality known as LDAP referral. Suppose that the server a.example.com holds a "dc=example,dc=com" root DN and wishes to delegate searches to another server b.example.com. To enable this, a.example.com would be configured with a named referral object having these attributes:

dn: dc=subtree,dc=example,dc=com
objectClass: referral
objectClass: extensibleObject
dc: subtree
ref: ldap://b.example.com/dc=subtree,dc=example,dc=com

An issue with enabling LDAP referral is that searches can fail with LDAP operation errors when the search base DN is the root DN and referral objects are not set. A MySQL DBA might wish to avoid such referral errors for the LDAP authentication plugins, even though LDAP referral might be set globally in the ldap.conf configuration file. To configure on a plugin-specific basis whether the LDAP server should use LDAP referral when communicating with each plugin, set the authentication_ldap_simple_referral and authentication_ldap_sasl_referral system variables. Setting either variable to ON or OFF causes the corresponding LDAP authentication plugin to tell the LDAP server whether to use referral during MySQL authentication. Each variable has a plugin-specific effect and does not affect other applications that communicate with the LDAP server. Both variables are OFF by default.