Author Topic: Question about MySQL authentication via LDAP  (Read 7636 times)


Robetar

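Question about MySQL authentication via LDAP
« Posted: 2013-10-02 16:26 »
Have any of the senior members here used the mysql-auth_ldap package?
The download is at http://sourceforge.net/projects/mysqlauthldap/
It includes a tutorial and setup instructions, but after configuring it the way it describes I keep getting stuck at
info: ldap_auth_server: ldap_sasl_bind_s returned: Invalid credentials :(
I don't know whether anyone else here has used it and could share their experience. I have already searched Google, but there seem to be very few articles on this,
so I hope someone who has used it can give me some guidance.
My config.h is set as follows:
Code: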
#include "options.h"

#define AUTH_LDAP_URI               "ldap://192.168.3.xxx:389/"
#define AUTH_LDAP_BASE_DN           "dc=my-ldap,dc=com"
#define AUTH_LDAP_OPENLDAP_SO       "/usr/lib/libldap.so"

// if AUTH_LDAP_SOCKET is set to 1 users are going to be authenticated
// only if connections to the MySQL server are performed over a UNIX
// domain socket. See also AUTH_LDAP_LOCAL
#define AUTH_LDAP_SOCKET            1
// if both AUTH_LDAP_SOCKET and AUTH_LDAP_LOCAL are set to 1 users are
// going to be authenticated only if connections to the MySQL server are
// performed over a UNIX domain socket, or from localhost.
#define AUTH_LDAP_LOCAL             1

// Use a statically defined pattern for user DNs. This saves us from
// connecting to the server twice.
//
// macro expansions:
// %u the supplied username
// %i the user part, if the username is in the form of user@domain.tld
// %d the domain part, if the username is in the form of user@domain.tld
// %b the base domain
//
#define AUTH_LDAP_DN_PATTERN        "uid=%u,ou=People,%b"

//
// Error logging level.
//
// Possible values:
//      AUTH_LDAP_ERROR,
//      AUTH_LDAP_INFO,
//      AUTH_LDAP_DEBUG,
//      AUTH_LDAP_DEVEL
//
//+====================================================================+
//|                            !Caution!                               |
//+====================================================================+
//
// Error logging should never be set to development when compiling the
// plugin for deployment in a production system. Having the macro set to
// development will lead to sensitive authentication credentials being
// logged in plain text. Any user having access to system logs will be
// able to read user passwords!
//
#define AUTH_LDAP_ERROR_LEVEL       AUTH_LDAP_INFO


/*
 *
 * Configuration macros after this point, are reserved for future use,
 * and have not been implemented yet. Setting any value to these macros
 * will have no effect on plugin functionality.
 *
 */

// Search for the user's DN before attempting to bind for authentication.
#define AUTH_LDAP_SEARCH_DN         0
// The search filter
#define AUTH_LDAP_SEARCH_DN_FILTER  "(&(uid=%u)(objectClass=shadowPassword))"
// Search levels. possible values base,one,subtree
#define AUTH_LDAP_LEVEL             "base"
// Bind anonymously to perform search for the user's DN
#define AUTH_LDAP_BIND_ANONYMOUSLY  1
// If we will not bind anonymously set the corresponding DN and password.
#define AUTH_LDAP_BIND_DN           ""
#define AUTH_LDAP_BIND_PASSWD       ""

twu2

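Re: Question about MySQL authentication via LDAP
« Reply #1 on: 2013-10-02 17:33 »
That error is coming from the LDAP side. First make sure that ldap_search can read the data you need with the account and password you are using.
Looking at the definitions above.... it reads anonymously, so perhaps your LDAP server's ACLs don't allow that (normally anonymous shouldn't be allowed to do authentication anyway).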

Robetar

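Re: Question about MySQL authentication via LDAP
« Reply #2 on: 2013-10-02 17:54 »
I've solved it. Thanks to twu2 for the answer, but the problem wasn't there; it was a problem with the settings in the config file I posted.
After I modified it, it worked. Still, thank you for your patient reply :D
It feels great to have figured it out ;D
I'm also sharing my config after the fix, so that other members who want to use this won't run into the same kind of problem I did.
Code: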
#include "options.h"

#define AUTH_LDAP_URI               "ldap://192.168.3.xxx:389/"
#define AUTH_LDAP_BASE_DN           "dc=my-ldap,dc=com"
#define AUTH_LDAP_OPENLDAP_SO       "/usr/lib/libldap.so"

// if AUTH_LDAP_SOCKET is set to 1 users are going to be authenticated
// only if connections to the MySQL server are performed over a UNIX
// domain socket. See also AUTH_LDAP_LOCAL
#define AUTH_LDAP_SOCKET            1
// if both AUTH_LDAP_SOCKET and AUTH_LDAP_LOCAL are set to 1 users are
// going to be authenticated only if connections to the MySQL server are
// performed over a UNIX domain socket, or from localhost.
#define AUTH_LDAP_LOCAL             1

// Use a statically defined pattern for user DNs. This saves us from
// connecting to the server twice.
//
// macro expansions:
// %u the supplied username
// %i the user part, if the username is in the form of user@domain.tld
// %d the domain part, if the username is in the form of user@domain.tld
// %b the base domain
//
#define AUTH_LDAP_DN_PATTERN        "cn=%u,ou=People,%b"      // uid has to be changed to cn here

//
// Error logging level.
//
// Possible values:
//      AUTH_LDAP_ERROR,
//      AUTH_LDAP_INFO,
//      AUTH_LDAP_DEBUG,
//      AUTH_LDAP_DEVEL
//
//+====================================================================+
//|                            !Caution!                               |
//+====================================================================+
//
// Error logging should never be set to development when compiling the
// plugin for deployment in a production system. Having the macro set to
// development will lead to sensitive authentication credentials being
// logged in plain text. Any user having access to system logs will be
// able to read user passwords!
//
#define AUTH_LDAP_ERROR_LEVEL       AUTH_LDAP_INFO


/*
 *
 * Configuration macros after this point, are reserved for future use,
 * and have not been implemented yet. Setting any value to these macros
 * will have no effect on plugin functionality.
 *
 */

// Search for the user's DN before attempting to bind for authentication.
#define AUTH_LDAP_SEARCH_DN         0
// The search filter
#define AUTH_LDAP_SEARCH_DN_FILTER  "(&(cn=%u)(objectClass=shadowPassword))" // uid has to be changed to cn here
// Search levels. possible values base,one,subtree
#define AUTH_LDAP_LEVEL             "base"
// Bind anonymously to perform search for the user's DN
#define AUTH_LDAP_BIND_ANONYMOUSLY  1
// If we will not bind anonymously set the corresponding DN and password.
#define AUTH_LDAP_BIND_DN           ""
#define AUTH_LDAP_BIND_PASSWD       ""
« Last edit: 2013-10-02 17:56 by Robetar »
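
Added example (not part of the thread, and not the plugin's own code): the fix in reply #2 changes which DN the pattern expands to, and a server such as OpenLDAP answers a bind to a DN with no matching entry with Invalid credentials. The sketch below expands the %u, %i, %d and %b macros listed in config.h and writes the supplied username as an escaped RFC 4514 value. Assumptions: the names expand_dn and put, the handling of usernames without '@', the escaping step, and the constructed username alice.

```c
#include <stdio.h>
#include <string.h>

/* Append len bytes of s to out. With esc set, s is untrusted and is written
 * as an RFC 4514 attribute value, so it cannot add or alter RDNs. */
static int put(char *out, size_t cap, size_t *n, const char *s, size_t len, int esc)
{
    for (size_t i = 0; i < len; i++) {
        char c = s[i];
        int q = esc && (strchr("\"+,;<>\\", c) != NULL
                        || (i == 0 && (c == ' ' || c == '#'))
                        || (i == len - 1 && c == ' '));
        if (*n + (q ? 2 : 1) >= cap) return -1;   /* keep room for the NUL */
        if (q) out[(*n)++] = '\\';
        out[(*n)++] = c;
    }
    return 0;
}

/* Expand %u %i %d %b as listed in config.h. Returns 0, or -1 on error. */
int expand_dn(const char *pat, const char *user, const char *base,
              char *out, size_t cap)
{
    const char *at = strchr(user, '@');
    size_t n = 0, ulen = strlen(user);
    size_t ilen = at ? (size_t)(at - user) : ulen; /* assumption: no '@' => %i == %u */
    const char *dom = at ? at + 1 : "";            /* assumption: no '@' => %d empty */
    int rc = cap ? 0 : -1;
    for (; rc == 0 && *pat; pat++) {
        if (*pat != '%') { rc = put(out, cap, &n, pat, 1, 0); continue; }
        switch (*++pat) {
        case 'u': rc = put(out, cap, &n, user, ulen, 1); break;
        case 'i': rc = put(out, cap, &n, user, ilen, 1); break;
        case 'd': rc = put(out, cap, &n, dom, strlen(dom), 1); break;
        case 'b': rc = put(out, cap, &n, base, strlen(base), 0); break; /* admin-set */
        default:  return -1;      /* unknown macro or trailing '%' */
        }
    }
    if (rc == 0) out[n] = '\0';
    return rc;
}

int main(void)
{
    char dn[256];
    const char *base = "dc=my-ldap,dc=com";   /* AUTH_LDAP_BASE_DN from the thread */
    if (expand_dn("uid=%u,ou=People,%b", "alice", base, dn, sizeof dn) == 0) puts(dn);
    if (expand_dn("cn=%u,ou=People,%b", "alice", base, dn, sizeof dn) == 0) puts(dn);
    return 0;
}
```

Comparing the two printed DNs with the dn: line of the real entry on the directory server shows which RDN attribute the pattern has to use.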

netman

Re: Question about MySQL authentication via LDAP
« Reply #3 on: 2013-10-02 18:10 »
Great! Thanks for sharing!

Niko

Re: Question about MySQL authentication via LDAP
« Reply #4 on: 2013-10-02 22:27 »
Thank you!! Learned something again...  :)

wlhfor

Re: Question about MySQL authentication via LDAP
« Reply #5 on: 2013-10-24 16:41 »
Thanks for sharing~~