Merge lp:~hingo/drizzle/drizzle-auth_ldap-fix-and-docs into lp:~drizzle-trunk/drizzle/development
Status: Merged
Approved by: Mark Atwood
Approved revision: 2463
Merged at revision: 2469
Proposed branch: lp:~hingo/drizzle/drizzle-auth_ldap-fix-and-docs
Merge into: lp:~drizzle-trunk/drizzle/development
Diff against target: 630 lines (+466/-18), 4 files modified
  plugin/auth_ldap/auth_ldap.cc (+18/-5)
  plugin/auth_ldap/docs/index.rst (+445/-10)
  plugin/auth_ldap/plugin.ini (+2/-2)
  plugin/auth_ldap/schema/drizzle_create_ldap_user (+1/-1)
To merge this branch: bzr merge lp:~hingo/drizzle/drizzle-auth_ldap-fix-and-docs
Related bugs: (none)
Related blueprints: Documentation focus areas for 7.1 release (Undefined)
Reviewer | Review Type | Date Requested | Status
---|---|---|---
Henrik Ingo | | | Needs Resubmitting
Mark Atwood | | | Needs Fixing
Stewart Smith (community) | | | Approve
Drizzle Merge Team | | | Pending

Review via email: mp+84020@code.launchpad.net
Commit message
Description of the change
The intent was to document how to use auth_ldap. The documentation should now be extensive.
I also fixed like 5 bugs. Details in each commit message.
Mark Atwood (fallenpegasus) wrote:
Please fix and resubmit.
http://
../plugin/
../plugin/
../plugin/
make[3]: *** [plugin/
2464. By Henrik Ingo
Fix old DRIZZLE_PLUGIN macro and plugin.ini that both were giving
build errors.
Henrik Ingo (hingo) wrote:
Ah, I thought that went away. Ok, so I shouldn't put quotes in plugin.ini and then I also switched to newer DRIZZLE_
Preview Diff
1 | === modified file 'plugin/auth_ldap/auth_ldap.cc' |
2 | --- plugin/auth_ldap/auth_ldap.cc 2011-02-17 00:14:13 +0000 |
3 | +++ plugin/auth_ldap/auth_ldap.cc 2011-12-08 13:36:42 +0000 |
4 | @@ -51,7 +51,7 @@ |
5 | std::string password_attribute; |
6 | std::string DEFAULT_PASSWORD_ATTRIBUTE= "userPassword"; |
7 | std::string mysql_password_attribute; |
8 | -const std::string DEFAULT_MYSQL_PASSWORD_ATTRIBUTE= "mysqlUserPassword"; |
9 | +const std::string DEFAULT_MYSQL_PASSWORD_ATTRIBUTE= "drizzleMysqlUserPassword"; |
10 | static const int DEFAULT_CACHE_TIMEOUT= 600; |
11 | typedef constrained_check<int, DEFAULT_CACHE_TIMEOUT, 0, 2147483647> cachetimeout_constraint; |
12 | static cachetimeout_constraint cache_timeout= 0; |
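Review bot: The new default `drizzleMysqlUserPassword` on line 9 needs to be checked against the attribute name the shipped LDIF schema and the `drizzle_create_ldap_user` script actually emit. The documentation added in this same branch shows the script writing `drizzleUserMysqlPassword`; if that is the attribute defined in the schema, `lookupUser` will request an attribute that no entry carries and MySQL-protocol logins will fail for every user created with the script. Suggest settling on one spelling across the constant, the LDIF schema, the script and the docs, and adding a test that logs in as a user created by the script.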
13 | @@ -272,7 +272,7 @@ |
14 | |
15 | void AuthLDAP::lookupUser(const string& user) |
16 | { |
17 | - string filter("(cn=" + user + ")"); |
18 | + string filter("(uid=" + user + ")"); |
19 | const char *attributes[3]= |
20 | { |
21 | (char *)password_attribute.c_str(), |
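Review bot: Switching the filter from `cn` to `uid` on line 18 is the right lookup key, but the username is still concatenated into the search filter without escaping: `string filter("(uid=" + user + ")");`. The value comes straight from the connecting client, so a username containing filter metacharacters such as `*`, `(`, `)` or `\` changes the query (a bare `*` matches every entry under base-dn). Escape the value per RFC 4515 before building the filter, or reject usernames that contain those characters, and add a test with such a username to lock the behaviour in.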
22 | @@ -421,7 +421,7 @@ |
23 | |
24 | context.registerVariable(new sys_var_const_string_val("uri", uri)); |
25 | context.registerVariable(new sys_var_const_string_val("bind-dn", bind_dn)); |
26 | - context.registerVariable(new sys_var_const_string_val("bind-password", bind_password)); |
27 | + //context.registerVariable(new sys_var_const_string_val("bind-password", bind_password)); |
28 | context.registerVariable(new sys_var_const_string_val("base-dn", base_dn)); |
29 | context.registerVariable(new sys_var_const_string_val("password-attribute",password_attribute)); |
30 | context.registerVariable(new sys_var_const_string_val("mysql-password-attribute", mysql_password_attribute)); |
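Review bot: Line 27 comments out the `bind-password` variable registration instead of deleting it. The changelog says the variable has been removed, so drop the line rather than leaving dead code that someone can uncomment later without knowing why it was disabled; a one-line comment stating that the bind password is intentionally not exposed through SHOW VARIABLES would carry that intent better than the commented-out call.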
31 | @@ -435,7 +435,7 @@ |
32 | { |
33 | context("uri", po::value<string>(&uri)->default_value(DEFAULT_URI), |
34 | N_("URI of the LDAP server to contact")); |
35 | - context("bind-db", po::value<string>(&bind_dn)->default_value(""), |
36 | + context("bind-dn", po::value<string>(&bind_dn)->default_value(""), |
37 | N_("DN to use when binding to the LDAP server")); |
38 | context("bind-password", po::value<string>(&bind_password)->default_value(""), |
39 | N_("Password to use when binding the DN")); |
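Review bot: Renaming `bind-db` to `bind-dn` on line 36 is the correct fix, but it is a hard break: drizzled will refuse to start on any existing config that still uses the old name, and the docs in this branch only say the old option "will no longer work". Consider registering `bind-db` as a deprecated alias for one release, or at least making sure the startup error mentions the replacement. Separately, `bind-password` defaults to "" on line 38, so a set `bind-dn` with an empty password quietly turns into an unauthenticated bind; a warning at startup when `bind-dn` is set but `bind-password` is empty would catch that misconfiguration early.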
40 | @@ -451,4 +451,17 @@ |
41 | |
42 | } /* namespace auth_ldap */ |
43 | |
44 | -DRIZZLE_PLUGIN(auth_ldap::init, NULL, auth_ldap::init_options); |
45 | +DRIZZLE_DECLARE_PLUGIN |
46 | +{ |
47 | + DRIZZLE_VERSION_ID, |
48 | + "auth_ldap", |
49 | + "0.2", |
50 | + "Eric Day, Henrik Ingo, Edward Konetzko", |
51 | + "LDAP based authenication.", |
52 | + PLUGIN_LICENSE_GPL, |
53 | + auth_ldap::init, /* Plugin Init */ |
54 | + NULL, /* depends */ |
55 | + auth_ldap::init_options /* config options */ |
56 | +} |
57 | +DRIZZLE_DECLARE_PLUGIN_END; |
58 | + |
59 | |
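Review bot: Typo in the user-visible plugin description on line 51: "authenication" should be "authentication"; this string shows up in the plugin listing. The move from the old `DRIZZLE_PLUGIN` macro to the `DRIZZLE_DECLARE_PLUGIN` block otherwise addresses the build error described in commit 2464 above.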
60 | === modified file 'plugin/auth_ldap/docs/index.rst' |
61 | --- plugin/auth_ldap/docs/index.rst 2011-11-06 00:00:03 +0000 |
62 | +++ plugin/auth_ldap/docs/index.rst 2011-12-08 13:36:42 +0000 |
63 | @@ -7,6 +7,18 @@ |
64 | using an :abbr:`LDAP (Lightweight Directory Access Protocol)` server. An |
65 | LDAP server is required to provide authentication. |
66 | |
67 | +Note that a typical use case for using LDAP based authentication, and the |
68 | +intention with this module, is to be able to consolidate your Drizzle usernames |
69 | +and passwords in cases where you are already using LDAP in your organization |
70 | +(such as for Linux or Windows or other system passwords). |
71 | + |
72 | +If you are not currently using LDAP for any kind of authentication, you should |
73 | +be aware that this is not the simplest authentication method available. For other |
74 | +alternatives for managing Drizzle users and passwords, see |
75 | +:doc:`/administration/authentication`. A simple authentication module, whose |
76 | +behavior will be familiar to those familiar with MySQL and its method for |
77 | +storing usernames and passwords, is the :doc:`/plugins/auth_schema/index` plugin. |
78 | + |
79 | .. note:: |
80 | |
81 | Unload the :doc:`/plugins/auth_all/index` plugin before using this plugin. |
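Review bot: Style point on lines 75-77: "whose behavior will be familiar to those familiar with MySQL" repeats "familiar"; suggest "whose behavior matches the way MySQL stores usernames and passwords". Line 67 has the same issue with "use case for using LDAP based authentication"; "use case for LDAP based authentication" reads better.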
82 | @@ -22,7 +34,12 @@ |
83 | |
84 | --plugin-add=auth_ldap |
85 | |
86 | -Loading the plugin may not enable or configure it. See the plugin's |
87 | +Or, to disable the ability to login without a password, use:: |
88 | + |
89 | + --plugin-add=auth_pam --plugin-remove=auth_all |
90 | + |
91 | +Just loading this plugin will not enable or configure it. To actually bind to an |
92 | +LDAP directory you also need to configure it. See the plugin's |
93 | :ref:`auth_ldap_configuration` and :ref:`auth_ldap_variables`. |
94 | |
95 | .. seealso:: :ref:`drizzled_plugin_options` for more information about adding and removing plugins. |
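Review bot: Line 89 loads the wrong plugin. The auth_ldap documentation gives `--plugin-add=auth_pam --plugin-remove=auth_all` as the way to disable password-less logins; it should be `--plugin-add=auth_ldap --plugin-remove=auth_all`. Copied as written, it leaves LDAP unloaded and enables PAM instead, which is not what the sentence above it promises.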
96 | @@ -45,34 +62,56 @@ |
97 | |
98 | DN to use when searching. |
99 | |
100 | -.. option:: --auth-ldap.bind-db ARG |
101 | + Drizzle uses the ``LDAP_SCOPE_ONELEVEL`` option when searching the LDAP |
102 | + directory. This means you must specify the full base-dn. For instance, if |
103 | + you have users defined in the dn ``ou=people,dn=example,dn=com`` authentication |
104 | + will fail if you only specify ``dn=example,dn=com``. (See |
105 | + :ref:`auth_ldap_limitations`) |
106 | + |
107 | +.. option:: --auth-ldap.bind-dn ARG |
108 | |
109 | :Default: |
110 | :Variable: :ref:`auth_ldap_bind_dn <auth_ldap_bind_dn>` |
111 | |
112 | DN to use when binding to the LDAP server. |
113 | |
114 | + Until Drizzle 2011.11.29 (a Drizzle 7.1 beta release) this option was mistakenly |
115 | + called ``bind-db``. Starting with release 2011.12.30 that option will no longer |
116 | + work, the correct option is ``bind-dn``. (The corresponding variable was |
117 | + always ref:`auth_ldap_bind_dn <auth_ldap_bind_dn>` and is unchanged.) |
118 | + |
119 | + |
120 | .. option:: --auth-ldap.bind-password ARG |
121 | |
122 | :Default: |
123 | :Variable: :ref:`auth_ldap_bind_password <auth_ldap_bind_password>` |
124 | |
125 | - Password to use when binding the DN. |
126 | + Password to use when binding the DN, ie. your LDAP admin password. |
127 | |
128 | .. option:: --auth-ldap.cache-timeout ARG |
129 | |
130 | - :Default: ``0`` |
131 | + :Default: ``600`` |
132 | :Variable: :ref:`auth_ldap_cache_timeout <auth_ldap_cache_timeout>` |
133 | |
134 | - How often to empty the users cache, 0 to disable. |
135 | + How often to empty the users cache. The default is 10 minutes. |
136 | + |
137 | + A value of 0 means never: if a user has once connected to Drizzle, his |
138 | + credentials will then be cached until the next restart. Any changes to the |
139 | + LDAP directory, such as changing the password, would not be visible in |
140 | + drizzled as long as it wasn't restarted. |
141 | |
142 | .. option:: --auth-ldap.mysql-password-attribute ARG |
143 | |
144 | - :Default: ``mysqlUserPassword`` |
145 | + :Default: ``drizzleMysqlUserPassword`` |
146 | :Variable: :ref:`auth_ldap_mysql_password_attribute <auth_ldap_mysql_password_attribute>` |
147 | |
148 | Attribute in LDAP with MySQL hashed password. |
149 | |
150 | + Until Drizzle 2011.11.29 (a Drizzle 7.1 beta release) the default value of this |
151 | + option was ``mysqlUserPassword``. Beginning with release 2011.12.30 |
152 | + it was changed to ``drizzleMysqlUserPassword`` to match the provided |
153 | + openldap ldif schema. |
154 | + |
155 | .. option:: --auth-ldap.password-attribute ARG |
156 | |
157 | :Default: ``userPassword`` |
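Review bot: Several corrections needed in this hunk. Lines 103-104 write the example DNs as `ou=people,dn=example,dn=com` and `dn=example,dn=com`; the attribute type is `dc`, so these should be `ou=people,dc=example,dc=com` and `dc=example,dc=com`, as the ldif files later in the same document use. Line 117 has `ref:` without the leading colon, so Sphinx will render it literally rather than as a cross reference; it should be `:ref:`. Line 126 describes the bind password as "your LDAP admin password": the plugin only needs to search base-dn and read the password attributes, so the docs should recommend a dedicated read-only bind account rather than the directory's rootDN, given that this password ends up in drizzled's configuration. Finally, "ie." on the same line should be "i.e.".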
158 | @@ -111,7 +150,7 @@ |
159 | |
160 | :Scope: Global |
161 | :Dynamic: No |
162 | - :Option: :option:`--auth-ldap.bind-db` |
163 | + :Option: :option:`--auth-ldap.bind-dn` |
164 | |
165 | DN to use when binding to the LDAP server. |
166 | |
167 | @@ -125,6 +164,11 @@ |
168 | |
169 | Password to use when binding the DN. |
170 | |
171 | + Note: This variable existed until Drizzle 2011.11.29, in particular it was part |
172 | + of the Drizzle 7 stable release. For security reasons this variable has been |
173 | + removed in Drizzle release 2011.12.30, a Drizzle 7.1 beta release. There was |
174 | + no valid reason to expose your LDAP admin password to every Drizzle user. |
175 | + |
176 | .. _auth_ldap_cache_timeout: |
177 | |
178 | * ``auth_ldap_cache_timeout`` |
179 | @@ -170,21 +214,399 @@ |
180 | Examples |
181 | -------- |
182 | |
183 | -Sorry, there are no examples for this plugin. |
184 | +Setting up an LDAP directory |
185 | +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
186 | + |
187 | +Using and configuring an LDAP server is outside the scope of this manual, but |
188 | +for the purpose of showing some examples we need an LDAP server to connect to. |
189 | +Below are some minimal steps you need to do to have in place first. |
190 | + |
191 | +The following example was tried on Ubuntu Linux, version 11.04 natty. Some |
192 | +earlier versions of Ubuntu require more steps to configure your empty LDAP |
193 | +directory, see `this Ubuntu tutorial for more detailed |
194 | +instructions <http://https://help.ubuntu.com/11.04/serverguide/C/openldap-server.html>`_ |
195 | +and similarly see tutorials for your own Linux distribution if those do not work |
196 | +for you. |
197 | + |
198 | +To install OpenLDAP: |
199 | + |
200 | +.. code-block:: bash |
201 | + |
202 | + sudo apt-get install slapd ldap-utils |
203 | + |
204 | +The installation asks you to provide an administrator password. In this example |
205 | +we've used `secret`. |
206 | + |
207 | +Copy the following text into a file backend.example.com.ldif [1]_: |
208 | + |
209 | +.. code-block:: none |
210 | + |
211 | + # Load dynamic backend modules |
212 | + dn: cn=module,cn=config |
213 | + objectClass: olcModuleList |
214 | + cn: module |
215 | + olcModulepath: /usr/lib/ldap |
216 | + olcModuleload: back_hdb.la |
217 | + |
218 | + # Database settings |
219 | + dn: olcDatabase=hdb,cn=config |
220 | + objectClass: olcDatabaseConfig |
221 | + objectClass: olcHdbConfig |
222 | + olcDatabase: {1}hdb |
223 | + olcSuffix: dc=example,dc=com |
224 | + olcDbDirectory: /var/lib/ldap |
225 | + olcRootDN: cn=admin,dc=example,dc=com |
226 | + olcRootPW: secret |
227 | + olcDbConfig: set_cachesize 0 2097152 0 |
228 | + olcDbConfig: set_lk_max_objects 1500 |
229 | + olcDbConfig: set_lk_max_locks 1500 |
230 | + olcDbConfig: set_lk_max_lockers 1500 |
231 | + olcDbIndex: objectClass eq |
232 | + olcLastMod: TRUE |
233 | + olcDbCheckpoint: 512 30 |
234 | + olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none |
235 | + olcAccess: to attrs=shadowLastChange by self write by * read |
236 | + olcAccess: to dn.base="" by * read |
237 | + olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read |
238 | + |
239 | +Copy the following text into a file frontend.example.com.ldif: |
240 | + |
241 | +.. code-block:: none |
242 | + |
243 | + # Create top-level object in domain |
244 | + dn: dc=example,dc=com |
245 | + objectClass: top |
246 | + objectClass: dcObject |
247 | + objectclass: organization |
248 | + o: Example Organization |
249 | + dc: Example |
250 | + description: LDAP Example |
251 | + |
252 | + # Admin user. |
253 | + dn: cn=admin,dc=example,dc=com |
254 | + objectClass: simpleSecurityObject |
255 | + objectClass: organizationalRole |
256 | + cn: admin |
257 | + description: LDAP administrator |
258 | + userPassword: secret |
259 | + |
260 | + dn: ou=people,dc=example,dc=com |
261 | + objectClass: organizationalUnit |
262 | + ou: people |
263 | + |
264 | + dn: ou=groups,dc=example,dc=com |
265 | + objectClass: organizationalUnit |
266 | + ou: groups |
267 | + |
268 | + dn: uid=john,ou=people,dc=example,dc=com |
269 | + objectClass: inetOrgPerson |
270 | + objectClass: posixAccount |
271 | + objectClass: shadowAccount |
272 | + uid: john |
273 | + sn: Doe |
274 | + givenName: John |
275 | + cn: John Doe |
276 | + displayName: John Doe |
277 | + uidNumber: 1000 |
278 | + gidNumber: 10000 |
279 | + userPassword: password |
280 | + gecos: John Doe |
281 | + loginShell: /bin/bash |
282 | + homeDirectory: /home/john |
283 | + shadowExpire: -1 |
284 | + shadowFlag: 0 |
285 | + shadowWarning: 7 |
286 | + shadowMin: 8 |
287 | + shadowMax: 999999 |
288 | + shadowLastChange: 10877 |
289 | + mail: john.doe@example.com |
290 | + postalCode: 31000 |
291 | + l: Toulouse |
292 | + o: Example |
293 | + mobile: +33 (0)6 xx xx xx xx |
294 | + homePhone: +33 (0)5 xx xx xx xx |
295 | + title: System Administrator |
296 | + postalAddress: |
297 | + initials: JD |
298 | + |
299 | + dn: cn=example,ou=groups,dc=example,dc=com |
300 | + objectClass: posixGroup |
301 | + cn: example |
302 | + gidNumber: 10000 |
303 | + |
304 | +Now we create our database and settings, along with the standard |
305 | +"inetOrgPerson" LDAP schema: |
306 | + |
307 | +.. code-block:: none |
308 | + |
309 | + $ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.example.com.ldif |
310 | + SASL/EXTERNAL authentication started |
311 | + SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth |
312 | + SASL SSF: 0 |
313 | + adding new entry "cn=module,cn=config" |
314 | + |
315 | + adding new entry "olcDatabase=hdb,cn=config" |
316 | + |
317 | + $ sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.example.com.ldif |
318 | + Enter LDAP Password: secret |
319 | + adding new entry "dc=example,dc=com" |
320 | + |
321 | + adding new entry "cn=admin,dc=example,dc=com" |
322 | + |
323 | + adding new entry "ou=people,dc=example,dc=com" |
324 | + |
325 | + adding new entry "ou=groups,dc=example,dc=com" |
326 | + |
327 | + adding new entry "uid=john,ou=people,dc=example,dc=com" |
328 | + |
329 | + adding new entry "cn=example,ou=groups,dc=example,dc=com" |
330 | + |
331 | +In the above we first created the database and defined a method to access it. |
332 | +As you see, in the second ldapadd command we now need to provide the admin |
333 | +password `secret` to do further changes, and will need to use it in all further |
334 | +commands too. |
335 | + |
336 | +The second command creates a classic `inetOrgPerson` schema, with a user |
337 | +"John Doe" (Common Name) who has a uid "john" and various other information |
338 | +commonly part of a UNIX system account. In fact the LDAP object type is called |
339 | +posixAccount! User john is part of the Organizational Unit "people" in the |
340 | +domain example.com. |
341 | + |
342 | +You can verify that everything is working so far by searching for John: |
343 | + |
344 | +.. code-block:: none |
345 | + |
346 | + $ ldapsearch -xLLL -b "ou=people,dc=example,dc=com" uid=john |
347 | + dn: uid=john,ou=people,dc=example,dc=com |
348 | + objectClass: inetOrgPerson |
349 | + objectClass: posixAccount |
350 | + objectClass: shadowAccount |
351 | + uid: john |
352 | + sn: Doe |
353 | + givenName: John |
354 | + cn: John Doe |
355 | + displayName: John Doe |
356 | + uidNumber: 1000 |
357 | + gidNumber: 10000 |
358 | + gecos: John Doe |
359 | + loginShell: /bin/bash |
360 | + homeDirectory: /home/john |
361 | + shadowExpire: -1 |
362 | + shadowFlag: 0 |
363 | + shadowWarning: 7 |
364 | + shadowMin: 8 |
365 | + shadowMax: 999999 |
366 | + shadowLastChange: 10877 |
367 | + mail: john.doe@example.com |
368 | + postalCode: 31000 |
369 | + l: Toulouse |
370 | + o: Example |
371 | + mobile: +33 (0)6 xx xx xx xx |
372 | + homePhone: +33 (0)5 xx xx xx xx |
373 | + title: System Administrator |
374 | + postalAddress: |
375 | + initials: JD |
376 | + |
377 | +If you look closely you see that the userPassword field is not shown. Don't |
378 | +worry! It is stored in the directory, it is just not shown in search results for |
379 | +security reasons. |
380 | + |
381 | +.. _auth_ldap_examples_add_user: |
382 | + |
383 | +Adding a Drizzle user to LDAP |
384 | +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
385 | + |
386 | +You could just setup Drizzle to authenticate against standard LDAP accounts like |
387 | +John Doe above. But the recommended way is to add a specific Drizzle schema. |
388 | +You will find this in ``$DRIZZLE_ROOT/share/drizzle7/drizzle_openldap.ldif``. |
389 | +You can add it to your LDAP schema like this: |
390 | + |
391 | +.. code-block:: none |
392 | + |
393 | + $ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f share/drizzle7/drizzle_openldap.ldif |
394 | + SASL/EXTERNAL authentication started |
395 | + SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth |
396 | + SASL SSF: 0 |
397 | + adding new entry "cn=drizzle,cn=schema,cn=config" |
398 | + |
399 | +Now we can add a Drizzle user to our directory. At this point we will need to |
400 | +store the users Drizzle password. Note that Drizzle, just like MySQL, will |
401 | +prefer to store and use a doubly hashed version of the user password. Other |
402 | +Drizzle authentication plugins, like auth_schema, do the same. (But some plugins |
403 | +do not and Drizzle can use either, since it supports two different |
404 | +authentication protocols for this purpose). |
405 | + |
406 | +Drizzle 7.1 ships with a nice utility to calculate those hashes called |
407 | +``drizzle_password_hash``. You simply give it the password and it outputs |
408 | +the doubly hashed string: |
409 | + |
410 | +.. code-block:: none |
411 | + |
412 | + $ bin/drizzle_password_hash secret |
413 | + 14E65567ABDB5135D0CFD9A70B3032C179A49EE7 |
414 | + |
415 | +We will use this utility when creating the LDAP entry for our Drizzle user. |
416 | + |
417 | +Note that the above value is different from what the LDAP directory as the |
418 | +userPassword entry. The Unix or Posix way to store passwords is to just hash |
419 | +them once. You can have a look in your ``/etc/shadow`` file to see what they |
420 | +look like. Anyway, for this reason our Drizzle schema that we just added has |
421 | +an additional field ``drizzleUserPassword`` to store the Drizzle encoded form |
422 | +of the same password. (Or the passwords can also be different, but we will |
423 | +assume most people like to use the same password.) |
424 | + |
425 | +Since Drizzle 7.1 there is also a nice helper script included to create the ldif |
426 | +records you need to add new Drizzle users to your LDAP. Using this script is |
427 | +of course voluntary and you can use any LDAP manager tool you want. But we will |
428 | +use it for this tutorial. |
429 | + |
430 | +Let's create the user hingo: |
431 | + |
432 | +.. code-block:: none |
433 | + |
434 | + $ share/drizzle7/drizzle_create_ldap_user -p secret -b bin/drizzle_password_hash -u hingo -n 1 -l "ou=people,dc=example,dc=com" > hingo.example.com.ldif |
435 | + $ cat hingo.example.com.ldif |
436 | + dn: uid=hingo,ou=people,dc=example,dc=com |
437 | + objectclass: top |
438 | + objectclass: posixAccount |
439 | + objectclass: account |
440 | + objectclass: drizzleUser |
441 | + drizzleUserMysqlPassword: 14E65567ABDB5135D0CFD9A70B3032C179A49EE7 |
442 | + uidNumber: 500 |
443 | + gidNumber: 500 |
444 | + uid: hingo |
445 | + homeDirectory: /home/hingo |
446 | + loginshell: /sbin/nologin |
447 | + userPassword: secret |
448 | + cn: hingo |
449 | + |
450 | +If you want, you could use this as a template to further edit the entry. |
451 | +Drizzle will only care about the `drizzleUserMySQLPassword`, `uid` and sometimes |
452 | +(at your option) the `userPassword`. So you can freely edit the rest of the |
453 | +entries to suit you. For instance if this user will also be a user on your Linux |
454 | +system, make sure to set the loginshell to ``/bin/bash`` and check the uid and |
455 | +gid numbers. The ``cn`` field is often used to store the full name of the person, |
456 | +like "Henrik Ingo". (But this is not used by Drizzle.) |
457 | + |
458 | +We now add the above user to the directory: |
459 | + |
460 | +.. code-block:: none |
461 | + |
462 | + $ sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f hingo.example.com.ldif |
463 | + Enter LDAP Password: |
464 | + adding new entry "uid=hingo,ou=people,dc=example,dc=com" |
465 | + |
466 | +.. _auth_ldap_examples_start_server: |
467 | + |
468 | +Starting Drizzle Server and binding to the LDAP server |
469 | +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
470 | + |
471 | +It is now time to start the Drizzle server with the needed options so that we |
472 | +can use the LDAP directory for authentication services: |
473 | + |
474 | +.. code-block:: none |
475 | + |
476 | + $ sbin/drizzled --plugin-remove=auth_all |
477 | + --plugin-add=auth_ldap |
478 | + --auth-ldap.bind-password=secret |
479 | + --auth-ldap.bind-dn="cn=admin,dc=example,dc=com" |
480 | + --auth-ldap.base-dn="ou=people,dc=example,dc=com" |
481 | + |
482 | +`(Give all options on one line.)` |
483 | + |
484 | +``bind-password`` and ``bind-dn`` are used by drizzled to bind to the LDAP |
485 | +server. ``base-dn`` is the DN where our Drizzle users are stored. |
486 | + |
487 | +.. _auth_ldap_examples_connect: |
488 | + |
489 | +Connecting to Drizzle with the client |
490 | +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
491 | + |
492 | +We can now use a username and password from the LDAP directory when connecting |
493 | +to Drizzle: |
494 | + |
495 | +.. code-block:: none |
496 | + |
497 | + $ bin/drizzle --user=hingo --password |
498 | + Enter password: |
499 | + Welcome to the Drizzle client.. Commands end with ; or \g. |
500 | + Your Drizzle connection id is 2 |
501 | + Connection protocol: mysql |
502 | + Server version: 2011.10.28.2459 Source distribution (drizzle-auth_ldap-fix-and-docs) |
503 | + |
504 | + Type 'help;' or '\h' for help. Type '\c' to clear the buffer. |
505 | + |
506 | + drizzle> |
507 | + |
508 | +.. _auth_ldap_examples_connect_clear_password: |
509 | + |
510 | +Using the userPassword system password with Drizzle |
511 | +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
512 | + |
513 | +It is also possible to use the password from the userPassword field when |
514 | +connecting with Drizzle. This could be beneficial or necessary to allow |
515 | +all users who already exist in the directory, but didn't have a |
516 | +drizzleUserPassword set for them, to connect to Drizzle. |
517 | + |
518 | +To do this, you have to give the extra option ``--protocol mysql-plugin-auth`` |
519 | +to the drizzle client. This will tell the drizzle client to send the password |
520 | +in cleartext to the server, using the MySQL old-password protocol. |
521 | + |
522 | +We could use this to connect to Drizzle with the username john, that |
523 | +we added in the beginning of this tutorial. |
524 | + |
525 | +.. code-block:: none |
526 | + |
527 | + $ drizzle --password --protocol mysql-plugin-auth --user=john |
528 | + Enter password: |
529 | + Welcome to the Drizzle client.. Commands end with ; or \g. |
530 | + Your Drizzle connection id is 2 |
531 | + Connection protocol: mysql-plugin-auth |
532 | + Server version: 2011.10.28.2459 Source distribution (drizzle-auth_ldap-fix-and-docs) |
533 | + |
534 | + Type 'help;' or '\h' for help. Type '\c' to clear the buffer. |
535 | + |
536 | + drizzle> |
537 | + |
538 | +.. note:: |
539 | + |
540 | + Using cleartext passwords is **not recommended**. Please note that |
541 | + the connection between drizzle client and drizzled server is completely |
542 | + unencrypted, so other people on your network could easily find out the |
543 | + password if this method is used. |
544 | + |
545 | + |
546 | +.. _auth_ldap_limitations: |
547 | + |
548 | +Limitations |
549 | +----------- |
550 | + |
551 | +The option ``LDAP_SCOPE_ONELEVEL`` option is used when searching the LDAP |
552 | +directory. This means you must specify the full base-dn. For instance, if |
553 | +you have users defined in the dn ``ou=people,dn=example,dn=com`` authentication |
554 | +will fail if you only specify ``dn=example,dn=com``. A consequence of this is |
555 | +that all your Drizzle users must belong to the same LDAP organizationalUnit. |
556 | + |
557 | +This is currently a fixed option and can only be changed by editing source code. |
558 | +However, there is no reason why it couldn't be a configurable option to also |
559 | +allow multi level searches. Please contact the Drizzle developers if you have |
560 | +such needs. (See :doc:`/help`) |
561 | + |
562 | |
563 | .. _auth_ldap_authors: |
564 | |
565 | Authors |
566 | ------- |
567 | |
568 | -Eric Day |
569 | +:Code: Eric Day, Edward "Koko" Konetzko, Henrik Ingo |
570 | +:Documentation: Henrik Ingo |
571 | |
572 | .. _auth_ldap_version: |
573 | |
574 | Version |
575 | ------- |
576 | |
577 | -This documentation applies to **auth_ldap 0.1**. |
578 | +This documentation applies to **auth_ldap 0.2**. |
579 | |
580 | To see which version of the plugin a Drizzle server is running, execute: |
581 | |
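Review bot: The Drizzle password attribute is spelled three different ways in this hunk, and none of them matches the code default: line 421 says `drizzleUserPassword`, the script output on line 441 says `drizzleUserMysqlPassword`, line 451 says `drizzleUserMySQLPassword`, while `--auth-ldap.mysql-password-attribute` defaults to `drizzleMysqlUserPassword` (line 145). Whichever name the shipped LDIF schema actually defines should be used everywhere, otherwise readers following the tutorial will get a user that cannot log in. Other fixes: the URL on line 194 starts with `http://https://` and is broken; lines 553-554 repeat the `dn=example,dn=com` typo and should use `dc=`; line 418 is missing a verb ("different from what the LDAP directory stores as the userPassword entry"). Two security caveats worth adding: the drizzled command line on lines 476-480 passes `--auth-ldap.bind-password=secret` as an argument, which every local user can read from the process list, so the example should show the option in a config file instead, consistent with hiding the variable from SHOW VARIABLES; and the ldif files store `olcRootPW` (line 226) and `userPassword` (lines 258, 279, 447) as cleartext, which is fine for a throwaway test directory but should be called out, with a pointer to `slappasswd` for hashed values, since the text presents this as the recommended setup.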
582 | @@ -195,6 +617,19 @@ |
583 | Changelog |
584 | --------- |
585 | |
586 | +v0.2 |
587 | +^^^^ |
588 | +* Add proper documentation. |
589 | +* Fix various bugs found while documenting, including: |
590 | +* drizzle_create_ldap_user would append a counter at the end of each username, such as hingo0. Now it's just the username. |
591 | +* LDAP directory is now searched for uid field, not cn. |
592 | +* Change default value of --auth-ldap.mysql-password-attribute to drizzleMysqlUserPassword. |
593 | +* --auth-ldap.bind-db was changed to --auth-ldap.bind-dn |
594 | +* Variable auth_ldap_bind_password is no longer shown in SHOW VARIABLES. |
595 | + |
596 | + |
597 | v0.1 |
598 | ^^^^ |
599 | * First release. |
600 | + |
601 | +.. [1] Configuration scripts courtesy of `Ubuntu OpenLDAP server tutorial <https://help.ubuntu.com/11.04/serverguide/C/openldap-server.html>`_ |
602 | \ No newline at end of file |
603 | |
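Review bot: Lines 589-594 list the individual bug fixes as sibling bullets after "Fix various bugs found while documenting, including:", so they render as top-level changelog items rather than as the sub-list the sentence introduces; indent them one level. Line 594 says `auth_ldap_bind_password` "is no longer shown in SHOW VARIABLES" while the variable documentation (lines 171-174) says it was removed; use the same wording in both places. Line 602 shows the file now ends without a trailing newline; add one.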
604 | === modified file 'plugin/auth_ldap/plugin.ini' |
605 | --- plugin/auth_ldap/plugin.ini 2011-10-04 20:01:12 +0000 |
606 | +++ plugin/auth_ldap/plugin.ini 2011-12-08 13:36:42 +0000 |
607 | @@ -1,8 +1,8 @@ |
608 | [plugin] |
609 | title=LDAP Authentication |
610 | description=Authenticate against an LDAP server. |
611 | -version=0.1 |
612 | -author=Eric Day <eday@oddments.org> |
613 | +version=0.2 |
614 | +author=Eric Day <eday@oddments.org>, Edward Koko Konetzko <konetzed@quixoticagony.com>, Henrik Ingo <henrik.ingo@avoinelama.fi> |
615 | license=PLUGIN_LICENSE_GPL |
616 | build_conditional="x${ac_cv_libldap}" = "xyes" |
617 | ldflags=${LTLIBLDAP} |
618 | |
619 | === modified file 'plugin/auth_ldap/schema/drizzle_create_ldap_user' |
620 | --- plugin/auth_ldap/schema/drizzle_create_ldap_user 2011-10-04 20:01:12 +0000 |
621 | +++ plugin/auth_ldap/schema/drizzle_create_ldap_user 2011-12-08 13:36:42 +0000 |
622 | @@ -64,7 +64,7 @@ |
623 | tmpcount=0 |
624 | while [ $tmpcount -lt $numberofusers ] |
625 | do |
626 | - tmpusername=$username$tmpcount |
627 | + tmpusername=$username |
628 | tmpuidnumber=$(( 500 + $tmpcount )) |
629 | tmpgidnumber=$(( 500 + $tmpcount )) |
630 | echo "dn: uid=$tmpusername,$ldapbase" |
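Review bot: Dropping the counter on line 627 fixes the `hingo0` name for the single-user case but breaks `-n` values above 1: the loop still runs `numberofusers` times, and every iteration now emits the same `dn: uid=$username,$ldapbase` with a different `uidNumber`, so ldapadd will fail on the second entry with an "already exists" error. Either keep the suffix only when more than one user is requested (for example `tmpusername=$username$tmpcount` when `$numberofusers -gt 1`), or remove the `-n` option and the loop altogether so the script does one thing.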
looks good - especially like the expanded documentation.