Merge lp:~hingo/drizzle/drizzle-auth_ldap-fix-and-docs into lp:~drizzle-trunk/drizzle/development

Proposed by Henrik Ingo on 2011-11-30
Status: Merged
Approved by: Mark Atwood on 2011-11-30
Approved revision: 2463
Merged at revision: 2469
Proposed branch: lp:~hingo/drizzle/drizzle-auth_ldap-fix-and-docs
Merge into: lp:~drizzle-trunk/drizzle/development
Diff against target: 630 lines (+466/-18)
4 files modified
plugin/auth_ldap/auth_ldap.cc (+18/-5)
plugin/auth_ldap/docs/index.rst (+445/-10)
plugin/auth_ldap/plugin.ini (+2/-2)
plugin/auth_ldap/schema/drizzle_create_ldap_user (+1/-1)
To merge this branch: bzr merge lp:~hingo/drizzle/drizzle-auth_ldap-fix-and-docs
Reviewer Review Type Date Requested Status
Henrik Ingo Resubmit on 2011-12-08
Mark Atwood Needs Fixing on 2011-12-07
Stewart Smith (community) Approve on 2011-12-01
Drizzle Merge Team 2011-11-30 Pending
Review via email: mp+84020@code.launchpad.net

Description of the change

The intent was to document how to use auth_ldap. The documentation should now be extensive.

I also fixed like 5 bugs. Details in each commit message.

Stewart Smith (stewart) wrote :

looks good - especially like the expanded documentation.

review: Approve
Mark Atwood (fallenpegasus) wrote :

Please fix and resubmit.

http://jenkins.drizzle.org/view/Drizzle-build/job/drizzle-build-ubuntu10.04-32bit/1504/console

../plugin/auth_ldap/auth_ldap.cc:454:1: error: macro "QUOTE_ARG" passed 2 arguments, but takes just 1
../plugin/auth_ldap/auth_ldap.cc:454: error: 'QUOTE_ARG' was not declared in this scope
../plugin/auth_ldap/auth_ldap.cc:454: error: too many initializers for 'drizzled::module::Manifest'
make[3]: *** [plugin/auth_ldap/plugin_libauth_ldap_plugin_la-auth_ldap.lo] Error 1

review: Needs Fixing
2464. By Henrik Ingo on 2011-12-08

Fix old DRIZZLE_PLUGIN macro and plugin.ini that both were giving
build errors.

Henrik Ingo (hingo) wrote :

Ah, I thought that went away. Ok, so I shouldn't put quotes in plugin.ini and then I also switched to newer DRIZZLE_DECLARE_PLUGIN. Now it should work. (Pushed one more commit.)

review: Resubmit

Preview Diff

1=== modified file 'plugin/auth_ldap/auth_ldap.cc'
2--- plugin/auth_ldap/auth_ldap.cc 2011-02-17 00:14:13 +0000
3+++ plugin/auth_ldap/auth_ldap.cc 2011-12-08 13:36:42 +0000
4@@ -51,7 +51,7 @@
5 std::string password_attribute;
6 std::string DEFAULT_PASSWORD_ATTRIBUTE= "userPassword";
7 std::string mysql_password_attribute;
8-const std::string DEFAULT_MYSQL_PASSWORD_ATTRIBUTE= "mysqlUserPassword";
9+const std::string DEFAULT_MYSQL_PASSWORD_ATTRIBUTE= "drizzleMysqlUserPassword";
10 static const int DEFAULT_CACHE_TIMEOUT= 600;
11 typedef constrained_check<int, DEFAULT_CACHE_TIMEOUT, 0, 2147483647> cachetimeout_constraint;
12 static cachetimeout_constraint cache_timeout= 0;
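Review bot: the new default `drizzleMysqlUserPassword` does not match the attribute the docs hunk shows `drizzle_create_ldap_user` emitting (`drizzleUserMysqlPassword: ...`) nor the `drizzleUserPassword` named in the docs prose; unless the shipped ldif schema defines every spelling, a lookup against the default attribute returns no password and login fails. Pick one attribute name and use it in the default, the script and the docs. Minor: `DEFAULT_PASSWORD_ATTRIBUTE` two lines above is not `const` while this one is; both should be `static const`.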
13@@ -272,7 +272,7 @@
14
15 void AuthLDAP::lookupUser(const string& user)
16 {
17- string filter("(cn=" + user + ")");
18+ string filter("(uid=" + user + ")");
19 const char *attributes[3]=
20 {
21 (char *)password_attribute.c_str(),
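Review bot: `user` is concatenated into the search filter unescaped, so a username containing filter metacharacters (`*`, `(`, `)`, `\`) changes the meaning of the query; escape the value per RFC 4515 before building `"(uid=" + user + ")"`. Switching the filter from `cn` to `uid` is otherwise correct, since the docs in this diff use `cn` for the person's full name.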
22@@ -421,7 +421,7 @@
23
24 context.registerVariable(new sys_var_const_string_val("uri", uri));
25 context.registerVariable(new sys_var_const_string_val("bind-dn", bind_dn));
26- context.registerVariable(new sys_var_const_string_val("bind-password", bind_password));
27+ //context.registerVariable(new sys_var_const_string_val("bind-password", bind_password));
28 context.registerVariable(new sys_var_const_string_val("base-dn", base_dn));
29 context.registerVariable(new sys_var_const_string_val("password-attribute",password_attribute));
30 context.registerVariable(new sys_var_const_string_val("mysql-password-attribute", mysql_password_attribute));
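Review bot: delete the `registerVariable(... "bind-password" ...)` line rather than leaving it commented out; the docs and changelog in this diff already record the removal, so the dead line only invites someone to re-enable it. Not exposing the LDAP bind password through SHOW VARIABLES is the right call.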
31@@ -435,7 +435,7 @@
32 {
33 context("uri", po::value<string>(&uri)->default_value(DEFAULT_URI),
34 N_("URI of the LDAP server to contact"));
35- context("bind-db", po::value<string>(&bind_dn)->default_value(""),
36+ context("bind-dn", po::value<string>(&bind_dn)->default_value(""),
37 N_("DN to use when binding to the LDAP server"));
38 context("bind-password", po::value<string>(&bind_password)->default_value(""),
39 N_("Password to use when binding the DN"));
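Review bot: renaming `bind-db` to `bind-dn` with no alias means every existing config file or startup script that used the old spelling stops working at the next upgrade; the docs hunk says the old name shipped in a stable release. Consider registering `bind-db` as a deprecated alias for one release cycle, or at minimum make sure the startup error names the offending option.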
40@@ -451,4 +451,17 @@
41
42 } /* namespace auth_ldap */
43
44-DRIZZLE_PLUGIN(auth_ldap::init, NULL, auth_ldap::init_options);
45+DRIZZLE_DECLARE_PLUGIN
46+{
47+ DRIZZLE_VERSION_ID,
48+ "auth_ldap",
49+ "0.2",
50+ "Eric Day, Henrik Ingo, Edward Konetzko",
51+ "LDAP based authenication.",
52+ PLUGIN_LICENSE_GPL,
53+ auth_ldap::init, /* Plugin Init */
54+ NULL, /* depends */
55+ auth_ldap::init_options /* config options */
56+}
57+DRIZZLE_DECLARE_PLUGIN_END;
58+
59
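Review bot: typo in the manifest description string: "authenication" should be "authentication". The version `"0.2"` is now duplicated here and in plugin.ini and the two must be bumped together. The extra empty line added after `DRIZZLE_DECLARE_PLUGIN_END;` is unnecessary.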
60=== modified file 'plugin/auth_ldap/docs/index.rst'
61--- plugin/auth_ldap/docs/index.rst 2011-11-06 00:00:03 +0000
62+++ plugin/auth_ldap/docs/index.rst 2011-12-08 13:36:42 +0000
63@@ -7,6 +7,18 @@
64 using an :abbr:`LDAP (Lightweight Directory Access Protocol)` server. An
65 LDAP server is required to provide authentication.
66
67+Note that a typical use case for using LDAP based authentication, and the
68+intention with this module, is to be able to consolidate your Drizzle usernames
69+and passwords in cases where you are already using LDAP in your organization
70+(such as for Linux or Windows or other system passwords).
71+
72+If you are not currently using LDAP for any kind of authentication, you should
73+be aware that this is not the simplest authentication method available. For other
74+alternatives for managing Drizzle users and passwords, see
75+:doc:`/administration/authentication`. A simple authentication module, whose
76+behavior will be familiar to those familiar with MySQL and its method for
77+storing usernames and passwords, is the :doc:`/plugins/auth_schema/index` plugin.
78+
79 .. note::
80
81 Unload the :doc:`/plugins/auth_all/index` plugin before using this plugin.
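Review bot: style: "whose behavior will be familiar to those familiar with MySQL" repeats "familiar"; suggest "whose behavior will be recognizable to MySQL users". The added motivation for when to choose LDAP over auth_schema otherwise reads well.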
82@@ -22,7 +34,12 @@
83
84 --plugin-add=auth_ldap
85
86-Loading the plugin may not enable or configure it. See the plugin's
87+Or, to disable the ability to login without a password, use::
88+
89+ --plugin-add=auth_pam --plugin-remove=auth_all
90+
91+Just loading this plugin will not enable or configure it. To actually bind to an
92+LDAP directory you also need to configure it. See the plugin's
93 :ref:`auth_ldap_configuration` and :ref:`auth_ldap_variables`.
94
95 .. seealso:: :ref:`drizzled_plugin_options` for more information about adding and removing plugins.
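Review bot: copy-paste error in the new example: `--plugin-add=auth_pam --plugin-remove=auth_all` should read `--plugin-add=auth_ldap --plugin-remove=auth_all`, since this is the auth_ldap page.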
96@@ -45,34 +62,56 @@
97
98 DN to use when searching.
99
100-.. option:: --auth-ldap.bind-db ARG
101+ Drizzle uses the ``LDAP_SCOPE_ONELEVEL`` option when searching the LDAP
102+ directory. This means you must specify the full base-dn. For instance, if
103+ you have users defined in the dn ``ou=people,dn=example,dn=com`` authentication
104+ will fail if you only specify ``dn=example,dn=com``. (See
105+ :ref:`auth_ldap_limitations`)
106+
107+.. option:: --auth-ldap.bind-dn ARG
108
109 :Default:
110 :Variable: :ref:`auth_ldap_bind_dn <auth_ldap_bind_dn>`
111
112 DN to use when binding to the LDAP server.
113
114+ Until Drizzle 2011.11.29 (a Drizzle 7.1 beta release) this option was mistakenly
115+ called ``bind-db``. Starting with release 2011.12.30 that option will no longer
116+ work, the correct option is ``bind-dn``. (The corresponding variable was
117+ always ref:`auth_ldap_bind_dn <auth_ldap_bind_dn>` and is unchanged.)
118+
119+
120 .. option:: --auth-ldap.bind-password ARG
121
122 :Default:
123 :Variable: :ref:`auth_ldap_bind_password <auth_ldap_bind_password>`
124
125- Password to use when binding the DN.
126+ Password to use when binding the DN, ie. your LDAP admin password.
127
128 .. option:: --auth-ldap.cache-timeout ARG
129
130- :Default: ``0``
131+ :Default: ``600``
132 :Variable: :ref:`auth_ldap_cache_timeout <auth_ldap_cache_timeout>`
133
134- How often to empty the users cache, 0 to disable.
135+ How often to empty the users cache. The default is 10 minutes.
136+
137+ A value of 0 means never: if a user has once connected to Drizzle, his
138+ credentials will then be cached until the next restart. Any changes to the
139+ LDAP directory, such as changing the password, would not be visible in
140+ drizzled as long as it wasn't restarted.
141
142 .. option:: --auth-ldap.mysql-password-attribute ARG
143
144- :Default: ``mysqlUserPassword``
145+ :Default: ``drizzleMysqlUserPassword``
146 :Variable: :ref:`auth_ldap_mysql_password_attribute <auth_ldap_mysql_password_attribute>`
147
148 Attribute in LDAP with MySQL hashed password.
149
150+ Until Drizzle 2011.11.29 (a Drizzle 7.1 beta release) the default value of this
151+ option was ``mysqlUserPassword``. Beginning with release 2011.12.30
152+ it was changed to ``drizzleMysqlUserPassword`` to match the provided
153+ openldap ldif schema.
154+
155 .. option:: --auth-ldap.password-attribute ARG
156
157 :Default: ``userPassword``
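Review bot: the example DN `ou=people,dn=example,dn=com` (and `dn=example,dn=com`) uses `dn=` where the attribute is `dc=`; the ldif elsewhere in this diff correctly uses `dc=example,dc=com`, so fix both occurrences. In the bind-dn paragraph, `ref:`auth_ldap_bind_dn <auth_ldap_bind_dn>`` is missing the leading colon of the `:ref:` role and will render as literal text. Minor: "ie." should be "i.e.".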
158@@ -111,7 +150,7 @@
159
160 :Scope: Global
161 :Dynamic: No
162- :Option: :option:`--auth-ldap.bind-db`
163+ :Option: :option:`--auth-ldap.bind-dn`
164
165 DN to use when binding to the LDAP server.
166
167@@ -125,6 +164,11 @@
168
169 Password to use when binding the DN.
170
171+ Note: This variable existed until Drizzle 2011.11.29, in particular it was part
172+ of the Drizzle 7 stable release. For security reasons this variable has been
173+ removed in Drizzle release 2011.12.30, a Drizzle 7.1 beta release. There was
174+ no valid reason to expose your LDAP admin password to every Drizzle user.
175+
176 .. _auth_ldap_cache_timeout:
177
178 * ``auth_ldap_cache_timeout``
179@@ -170,21 +214,399 @@
180 Examples
181 --------
182
183-Sorry, there are no examples for this plugin.
184+Setting up an LDAP directory
185+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
186+
187+Using and configuring an LDAP server is outside the scope of this manual, but
188+for the purpose of showing some examples we need an LDAP server to connect to.
189+Below are some minimal steps you need to do to have in place first.
190+
191+The following example was tried on Ubuntu Linux, version 11.04 natty. Some
192+earlier versions of Ubuntu require more steps to configure your empty LDAP
193+directory, see `this Ubuntu tutorial for more detailed
194+instructions <http://https://help.ubuntu.com/11.04/serverguide/C/openldap-server.html>`_
195+and similarly see tutorials for your own Linux distribution if those do not work
196+for you.
197+
198+To install OpenLDAP:
199+
200+.. code-block:: bash
201+
202+ sudo apt-get install slapd ldap-utils
203+
204+The installation asks you to provide an administrator password. In this example
205+we've used `secret`.
206+
207+Copy the following text into a file backend.example.com.ldif [1]_:
208+
209+.. code-block:: none
210+
211+ # Load dynamic backend modules
212+ dn: cn=module,cn=config
213+ objectClass: olcModuleList
214+ cn: module
215+ olcModulepath: /usr/lib/ldap
216+ olcModuleload: back_hdb.la
217+
218+ # Database settings
219+ dn: olcDatabase=hdb,cn=config
220+ objectClass: olcDatabaseConfig
221+ objectClass: olcHdbConfig
222+ olcDatabase: {1}hdb
223+ olcSuffix: dc=example,dc=com
224+ olcDbDirectory: /var/lib/ldap
225+ olcRootDN: cn=admin,dc=example,dc=com
226+ olcRootPW: secret
227+ olcDbConfig: set_cachesize 0 2097152 0
228+ olcDbConfig: set_lk_max_objects 1500
229+ olcDbConfig: set_lk_max_locks 1500
230+ olcDbConfig: set_lk_max_lockers 1500
231+ olcDbIndex: objectClass eq
232+ olcLastMod: TRUE
233+ olcDbCheckpoint: 512 30
234+ olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
235+ olcAccess: to attrs=shadowLastChange by self write by * read
236+ olcAccess: to dn.base="" by * read
237+ olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read
238+
239+Copy the following text into a file frontend.example.com.ldif:
240+
241+.. code-block:: none
242+
243+ # Create top-level object in domain
244+ dn: dc=example,dc=com
245+ objectClass: top
246+ objectClass: dcObject
247+ objectclass: organization
248+ o: Example Organization
249+ dc: Example
250+ description: LDAP Example
251+
252+ # Admin user.
253+ dn: cn=admin,dc=example,dc=com
254+ objectClass: simpleSecurityObject
255+ objectClass: organizationalRole
256+ cn: admin
257+ description: LDAP administrator
258+ userPassword: secret
259+
260+ dn: ou=people,dc=example,dc=com
261+ objectClass: organizationalUnit
262+ ou: people
263+
264+ dn: ou=groups,dc=example,dc=com
265+ objectClass: organizationalUnit
266+ ou: groups
267+
268+ dn: uid=john,ou=people,dc=example,dc=com
269+ objectClass: inetOrgPerson
270+ objectClass: posixAccount
271+ objectClass: shadowAccount
272+ uid: john
273+ sn: Doe
274+ givenName: John
275+ cn: John Doe
276+ displayName: John Doe
277+ uidNumber: 1000
278+ gidNumber: 10000
279+ userPassword: password
280+ gecos: John Doe
281+ loginShell: /bin/bash
282+ homeDirectory: /home/john
283+ shadowExpire: -1
284+ shadowFlag: 0
285+ shadowWarning: 7
286+ shadowMin: 8
287+ shadowMax: 999999
288+ shadowLastChange: 10877
289+ mail: john.doe@example.com
290+ postalCode: 31000
291+ l: Toulouse
292+ o: Example
293+ mobile: +33 (0)6 xx xx xx xx
294+ homePhone: +33 (0)5 xx xx xx xx
295+ title: System Administrator
296+ postalAddress:
297+ initials: JD
298+
299+ dn: cn=example,ou=groups,dc=example,dc=com
300+ objectClass: posixGroup
301+ cn: example
302+ gidNumber: 10000
303+
304+Now we create our database and settings, along with the standard
305+"inetOrgPerson" LDAP schema:
306+
307+.. code-block:: none
308+
309+ $ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.example.com.ldif
310+ SASL/EXTERNAL authentication started
311+ SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
312+ SASL SSF: 0
313+ adding new entry "cn=module,cn=config"
314+
315+ adding new entry "olcDatabase=hdb,cn=config"
316+
317+ $ sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.example.com.ldif
318+ Enter LDAP Password: secret
319+ adding new entry "dc=example,dc=com"
320+
321+ adding new entry "cn=admin,dc=example,dc=com"
322+
323+ adding new entry "ou=people,dc=example,dc=com"
324+
325+ adding new entry "ou=groups,dc=example,dc=com"
326+
327+ adding new entry "uid=john,ou=people,dc=example,dc=com"
328+
329+ adding new entry "cn=example,ou=groups,dc=example,dc=com"
330+
331+In the above we first created the database and defined a method to access it.
332+As you see, in the second ldapadd command we now need to provide the admin
333+password `secret` to do further changes, and will need to use it in all further
334+commands too.
335+
336+The second command creates a classic `inetOrgPerson` schema, with a user
337+"John Doe" (Common Name) who has a uid "john" and various other information
338+commonly part of a UNIX system account. In fact the LDAP object type is called
339+posixAccount! User john is part of the Organizational Unit "people" in the
340+domain example.com.
341+
342+You can verify that everything is working so far by searching for John:
343+
344+.. code-block:: none
345+
346+ $ ldapsearch -xLLL -b "ou=people,dc=example,dc=com" uid=john
347+ dn: uid=john,ou=people,dc=example,dc=com
348+ objectClass: inetOrgPerson
349+ objectClass: posixAccount
350+ objectClass: shadowAccount
351+ uid: john
352+ sn: Doe
353+ givenName: John
354+ cn: John Doe
355+ displayName: John Doe
356+ uidNumber: 1000
357+ gidNumber: 10000
358+ gecos: John Doe
359+ loginShell: /bin/bash
360+ homeDirectory: /home/john
361+ shadowExpire: -1
362+ shadowFlag: 0
363+ shadowWarning: 7
364+ shadowMin: 8
365+ shadowMax: 999999
366+ shadowLastChange: 10877
367+ mail: john.doe@example.com
368+ postalCode: 31000
369+ l: Toulouse
370+ o: Example
371+ mobile: +33 (0)6 xx xx xx xx
372+ homePhone: +33 (0)5 xx xx xx xx
373+ title: System Administrator
374+ postalAddress:
375+ initials: JD
376+
377+If you look closely you see that the userPassword field is not shown. Don't
378+worry! It is stored in the directory, it is just not shown in search results for
379+security reasons.
380+
381+.. _auth_ldap_examples_add_user:
382+
383+Adding a Drizzle user to LDAP
384+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
385+
386+You could just setup Drizzle to authenticate against standard LDAP accounts like
387+John Doe above. But the recommended way is to add a specific Drizzle schema.
388+You will find this in ``$DRIZZLE_ROOT/share/drizzle7/drizzle_openldap.ldif``.
389+You can add it to your LDAP schema like this:
390+
391+.. code-block:: none
392+
393+ $ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f share/drizzle7/drizzle_openldap.ldif
394+ SASL/EXTERNAL authentication started
395+ SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
396+ SASL SSF: 0
397+ adding new entry "cn=drizzle,cn=schema,cn=config"
398+
399+Now we can add a Drizzle user to our directory. At this point we will need to
400+store the users Drizzle password. Note that Drizzle, just like MySQL, will
401+prefer to store and use a doubly hashed version of the user password. Other
402+Drizzle authentication plugins, like auth_schema, do the same. (But some plugins
403+do not and Drizzle can use either, since it supports two different
404+authentication protocols for this purpose).
405+
406+Drizzle 7.1 ships with a nice utility to calculate those hashes called
407+``drizzle_password_hash``. You simply give it the password and it outputs
408+the doubly hashed string:
409+
410+.. code-block:: none
411+
412+ $ bin/drizzle_password_hash secret
413+ 14E65567ABDB5135D0CFD9A70B3032C179A49EE7
414+
415+We will use this utility when creating the LDAP entry for our Drizzle user.
416+
417+Note that the above value is different from what the LDAP directory as the
418+userPassword entry. The Unix or Posix way to store passwords is to just hash
419+them once. You can have a look in your ``/etc/shadow`` file to see what they
420+look like. Anyway, for this reason our Drizzle schema that we just added has
421+an additional field ``drizzleUserPassword`` to store the Drizzle encoded form
422+of the same password. (Or the passwords can also be different, but we will
423+assume most people like to use the same password.)
424+
425+Since Drizzle 7.1 there is also a nice helper script included to create the ldif
426+records you need to add new Drizzle users to your LDAP. Using this script is
427+of course voluntary and you can use any LDAP manager tool you want. But we will
428+use it for this tutorial.
429+
430+Let's create the user hingo:
431+
432+.. code-block:: none
433+
434+ $ share/drizzle7/drizzle_create_ldap_user -p secret -b bin/drizzle_password_hash -u hingo -n 1 -l "ou=people,dc=example,dc=com" > hingo.example.com.ldif
435+ $ cat hingo.example.com.ldif
436+ dn: uid=hingo,ou=people,dc=example,dc=com
437+ objectclass: top
438+ objectclass: posixAccount
439+ objectclass: account
440+ objectclass: drizzleUser
441+ drizzleUserMysqlPassword: 14E65567ABDB5135D0CFD9A70B3032C179A49EE7
442+ uidNumber: 500
443+ gidNumber: 500
444+ uid: hingo
445+ homeDirectory: /home/hingo
446+ loginshell: /sbin/nologin
447+ userPassword: secret
448+ cn: hingo
449+
450+If you want, you could use this as a template to further edit the entry.
451+Drizzle will only care about the `drizzleUserMySQLPassword`, `uid` and sometimes
452+(at your option) the `userPassword`. So you can freely edit the rest of the
453+entries to suit you. For instance if this user will also be a user on your Linux
454+system, make sure to set the loginshell to ``/bin/bash`` and check the uid and
455+gid numbers. The ``cn`` field is often used to store the full name of the person,
456+like "Henrik Ingo". (But this is not used by Drizzle.)
457+
458+We now add the above user to the directory:
459+
460+.. code-block:: none
461+
462+ $ sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f hingo.example.com.ldif
463+ Enter LDAP Password:
464+ adding new entry "uid=hingo,ou=people,dc=example,dc=com"
465+
466+.. _auth_ldap_examples_start_server:
467+
468+Starting Drizzle Server and binding to the LDAP server
469+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
470+
471+It is now time to start the Drizzle server with the needed options so that we
472+can use the LDAP directory for authentication services:
473+
474+.. code-block:: none
475+
476+ $ sbin/drizzled --plugin-remove=auth_all
477+ --plugin-add=auth_ldap
478+ --auth-ldap.bind-password=secret
479+ --auth-ldap.bind-dn="cn=admin,dc=example,dc=com"
480+ --auth-ldap.base-dn="ou=people,dc=example,dc=com"
481+
482+`(Give all options on one line.)`
483+
484+``bind-password`` and ``bind-dn`` are used by drizzled to bind to the LDAP
485+server. ``base-dn`` is the DN where our Drizzle users are stored.
486+
487+.. _auth_ldap_examples_connect:
488+
489+Connecting to Drizzle with the client
490+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
491+
492+We can now use a username and password from the LDAP directory when connecting
493+to Drizzle:
494+
495+.. code-block:: none
496+
497+ $ bin/drizzle --user=hingo --password
498+ Enter password:
499+ Welcome to the Drizzle client.. Commands end with ; or \g.
500+ Your Drizzle connection id is 2
501+ Connection protocol: mysql
502+ Server version: 2011.10.28.2459 Source distribution (drizzle-auth_ldap-fix-and-docs)
503+
504+ Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
505+
506+ drizzle>
507+
508+.. _auth_ldap_examples_connect_clear_password:
509+
510+Using the userPassword system password with Drizzle
511+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
512+
513+It is also possible to use the password from the userPassword field when
514+connecting with Drizzle. This could be beneficial or necessary to allow
515+all users who already exist in the directory, but didn't have a
516+drizzleUserPassword set for them, to connect to Drizzle.
517+
518+To do this, you have to give the extra option ``--protocol mysql-plugin-auth``
519+to the drizzle client. This will tell the drizzle client to send the password
520+in cleartext to the server, using the MySQL old-password protocol.
521+
522+We could use this to connect to Drizzle with the username john, that
523+we added in the beginning of this tutorial.
524+
525+.. code-block:: none
526+
527+ $ drizzle --password --protocol mysql-plugin-auth --user=john
528+ Enter password:
529+ Welcome to the Drizzle client.. Commands end with ; or \g.
530+ Your Drizzle connection id is 2
531+ Connection protocol: mysql-plugin-auth
532+ Server version: 2011.10.28.2459 Source distribution (drizzle-auth_ldap-fix-and-docs)
533+
534+ Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
535+
536+ drizzle>
537+
538+.. note::
539+
540+ Using cleartext passwords is **not recommended**. Please note that
541+ the connection between drizzle client and drizzled server is completely
542+ unencrypted, so other people on your network could easily find out the
543+ password if this method is used.
544+
545+
546+.. _auth_ldap_limitations:
547+
548+Limitations
549+-----------
550+
551+The option ``LDAP_SCOPE_ONELEVEL`` option is used when searching the LDAP
552+directory. This means you must specify the full base-dn. For instance, if
553+you have users defined in the dn ``ou=people,dn=example,dn=com`` authentication
554+will fail if you only specify ``dn=example,dn=com``. A consequence of this is
555+that all your Drizzle users must belong to the same LDAP organizationalUnit.
556+
557+This is currently a fixed option and can only be changed by editing source code.
558+However, there is no reason why it couldn't be a configurable option to also
559+allow multi level searches. Please contact the Drizzle developers if you have
560+such needs. (See :doc:`/help`)
561+
562
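Review bot: the tutorial link `http://https://help.ubuntu.com/...` has a doubled scheme and will not resolve; use `https://help.ubuntu.com/11.04/serverguide/C/openldap-server.html` as footnote [1] does. The password attribute is spelled three ways in this section (`drizzleUserPassword` in the prose, `drizzleUserMysqlPassword` in the generated ldif, `drizzleUserMySQLPassword` further down) while the plugin default is `drizzleMysqlUserPassword`; use one spelling throughout. "different from what the LDAP directory as the userPassword entry" is missing the verb "stores". The startup example passes `--auth-ldap.bind-password=secret` on the command line, where any local user can read it from the process list; the docs should point readers to a config file with restricted permissions instead. The Limitations section repeats the `dn=example,dn=com` typo (should be `dc=`).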
563 .. _auth_ldap_authors:
564
565 Authors
566 -------
567
568-Eric Day
569+:Code: Eric Day, Edward "Koko" Konetzko, Henrik Ingo
570+:Documentation: Henrik Ingo
571
572 .. _auth_ldap_version:
573
574 Version
575 -------
576
577-This documentation applies to **auth_ldap 0.1**.
578+This documentation applies to **auth_ldap 0.2**.
579
580 To see which version of the plugin a Drizzle server is running, execute:
581
582@@ -195,6 +617,19 @@
583 Changelog
584 ---------
585
586+v0.2
587+^^^^
588+* Add proper documentation.
589+* Fix various bugs found while documenting, including:
590+* drizzle_create_ldap_user would append a counter at the end of each username, such as hingo0. Now it's just the username.
591+* LDAP directory is now searched for uid field, not cn.
592+* Change default value of --auth-ldap.mysql-password-attribute to drizzleMysqlUserPassword.
593+* --auth-ldap.bind-db was changed to --auth-ldap.bind-dn
594+* Variable auth_ldap_bind_password is no longer shown in SHOW VARIABLES.
595+
596+
597 v0.1
598 ^^^^
599 * First release.
600+
601+.. [1] Configuration scripts courtesy of `Ubuntu OpenLDAP server tutorial <https://help.ubuntu.com/11.04/serverguide/C/openldap-server.html>`_
602\ No newline at end of file
603
604=== modified file 'plugin/auth_ldap/plugin.ini'
605--- plugin/auth_ldap/plugin.ini 2011-10-04 20:01:12 +0000
606+++ plugin/auth_ldap/plugin.ini 2011-12-08 13:36:42 +0000
607@@ -1,8 +1,8 @@
608 [plugin]
609 title=LDAP Authentication
610 description=Authenticate against an LDAP server.
611-version=0.1
612-author=Eric Day <eday@oddments.org>
613+version=0.2
614+author=Eric Day <eday@oddments.org>, Edward Koko Konetzko <konetzed@quixoticagony.com>, Henrik Ingo <henrik.ingo@avoinelama.fi>
615 license=PLUGIN_LICENSE_GPL
616 build_conditional="x${ac_cv_libldap}" = "xyes"
617 ldflags=${LTLIBLDAP}
618
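Review bot: `version=0.2` here and `"0.2"` in the DRIZZLE_DECLARE_PLUGIN manifest must be bumped together; a comment in one place pointing at the other would help. The unquoted author list is the correct form for plugin.ini, per the build failure discussed in the review thread.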
619=== modified file 'plugin/auth_ldap/schema/drizzle_create_ldap_user'
620--- plugin/auth_ldap/schema/drizzle_create_ldap_user 2011-10-04 20:01:12 +0000
621+++ plugin/auth_ldap/schema/drizzle_create_ldap_user 2011-12-08 13:36:42 +0000
622@@ -64,7 +64,7 @@
623 tmpcount=0
624 while [ $tmpcount -lt $numberofusers ]
625 do
626- tmpusername=$username$tmpcount
627+ tmpusername=$username
628 tmpuidnumber=$(( 500 + $tmpcount ))
629 tmpgidnumber=$(( 500 + $tmpcount ))
630 echo "dn: uid=$tmpusername,$ldapbase"
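Review bot: with `tmpusername=$username` inside the loop, running the script with `-n` greater than 1 now emits several entries with the identical `dn: uid=$username,$ldapbase` (only uidNumber and gidNumber differ), so the second entry fails on a duplicate DN at ldapadd time. Either keep the numeric suffix when `$numberofusers` is greater than 1, or drop the loop and the `-n` option now that one user per run is the intent.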