作者 主題: 有關MYSQL認証透過LDAP的問題  (閱讀 3877 次)

0 會員 與 1 訪客 正在閱讀本文。

Robetar

  • 可愛的小學生
  • *
  • 文章數: 16
    • 檢視個人資料
有關MYSQL認証透過LDAP的問題
« 於: 2013-10-02 16:26 »
請教一下各位學長有使用過mysql-auth_ldap這個套件嗎?
載點是http://sourceforge.net/projects/mysqlauthldap/
裡頭有教學及如何設置,但我按照它上面所寫的去設定之後一直卡在
info: ldap_auth_server: ldap_sasl_bind_s returned: Invalid credentials :(
不知道有沒有其他學長有沒有使用過,分享一下心得,我已經有向google大神請教過了,但似乎這類的文章很少,
希望有使用過的學長教導一下小弟
我的config.h設定為下:
代碼: [選擇]
#include "options.h"

#define AUTH_LDAP_URI               "ldap://192.168.3.xxx:389/"
#define AUTH_LDAP_BASE_DN           "dc=my-ldap,dc=com"
#define AUTH_LDAP_OPENLDAP_SO       "/usr/lib/libldap.so"

// if AUTH_LDAP_SOCKET is set to 1 users are going to be authenticated
// only if connections to the MySQL server are performed over a UNIX
// domain socket. See also AUTH_LDAP_LOCAL
#define AUTH_LDAP_SOCKET            1
// if both AUTH_LDAP_SOCKET and AUTH_LDAP_LOCAL are set to 1 users are
// going to be authenticated only if connections to the MySQL server are
// performed over a UNIX domain socket, or from localhost.
#define AUTH_LDAP_LOCAL             1

// Use a staticly defined pattern for user DNs. This saves us from
// connecting to the server twice.
//
// macro expansions:
// %u the supplied username
// %i the user part, if the username is in the form of user@domain.tld
// %d the domain part, if the username is in the form of user@domain.tld
// %b the base domain
//
#define AUTH_LDAP_DN_PATTERN        "uid=%u,ou=People,%b"

//
// Error logging level.
//
// Posible values:
//      AUTH_LDAP_ERROR,
//      AUTH_LDAP_INFO,
//      AUTH_LDAP_DEBUG,
//      AUTH_LDAP_DEVEL
//
//+====================================================================+
//|                            !Caution!                               |
//+====================================================================+
//
// Error loging should never be set to development when compiling the
// plugin for deployment in a production system. Having the macro set to
// development will leed in sensitive authentication credentials being
// logged in plain text. Any user having access to system logs will be
// able to read user passwords!
//
#define AUTH_LDAP_ERROR_LEVEL       AUTH_LDAP_INFO


/*
 *
 * Configuration macros after this point, are reserved for future use,
 * and have not been implemented yet. Setting any value to these macros
 * will have not affect on plugin functionality.
 *
 */

// Search for the users DN before attempting to bind for authentication.
#define AUTH_LDAP_SEARCH_DN         0
// The search filter
#define AUTH_LDAP_SEARCH_DN_FILTER  "(&(uid=%u)(objectClass=shadowPassword))"
// Search levels. possible values base,one,subtree
#define AUTH_LDAP_LEVEL             "base"
// Bind anonymously to perform search for the user's DN
#define AUTH_LDAP_BIND_ANONYMOUSLY  1
// If we will not bind anonymously set the corresponding DN and password.
#define AUTH_LDAP_BIND_DN           ""
#define AUTH_LDAP_BIND_PASSWD       ""

twu2

  • 管理員
  • 俺是博士!
  • *****
  • 文章數: 5373
  • 性別: 男
    • 檢視個人資料
    • http://blog.teatime.com.tw/1
Re: 有關MYSQL認証透過LDAP的問題
« 回覆 #1 於: 2013-10-02 17:33 »
那是 ldap 那邊的錯誤. 先確定你用 ldap_search 可以用你使用的帳號密碼去讀到你要的資料吧.
看上頭的定義.... 是用 anonymous 去讀, 或許你的 ldap server 的 ACLs 不允許吧 (一般應該也不會允許 anonymous 去做驗證的事吧).

Robetar

  • 可愛的小學生
  • *
  • 文章數: 16
    • 檢視個人資料
Re: 有關MYSQL認証透過LDAP的問題
« 回覆 #2 於: 2013-10-02 17:54 »
我已經解決了,感謝twu2學長的回答,問題並不是出在那裡,是我貼的config檔設定的問題,
我將它修改之後就可以用了,不過還是感謝您耐心回答 :D
解出來的感覺真好 ;D
把我解決後的CONFIG也一並分享出來,希望有其他學員要用時,不會跟我一樣遇到這類的問題了
代碼: [選擇]
#include "options.h"

#define AUTH_LDAP_URI               "ldap://192.168.3.xxx:389/"
#define AUTH_LDAP_BASE_DN           "dc=my-ldap,dc=com"
#define AUTH_LDAP_OPENLDAP_SO       "/usr/lib/libldap.so"

// if AUTH_LDAP_SOCKET is set to 1 users are going to be authenticated
// only if connections to the MySQL server are performed over a UNIX
// domain socket. See also AUTH_LDAP_LOCAL
#define AUTH_LDAP_SOCKET            1
// if both AUTH_LDAP_SOCKET and AUTH_LDAP_LOCAL are set to 1 users are
// going to be authenticated only if connections to the MySQL server are
// performed over a UNIX domain socket, or from localhost.
#define AUTH_LDAP_LOCAL             1

// Use a staticly defined pattern for user DNs. This saves us from
// connecting to the server twice.
//
// macro expansions:
// %u the supplied username
// %i the user part, if the username is in the form of user@domain.tld
// %d the domain part, if the username is in the form of user@domain.tld
// %b the base domain
//
#define AUTH_LDAP_DN_PATTERN        "cn=%u,ou=People,%b"      //這裡的uid要改成cn

//
// Error logging level.
//
// Posible values:
//      AUTH_LDAP_ERROR,
//      AUTH_LDAP_INFO,
//      AUTH_LDAP_DEBUG,
//      AUTH_LDAP_DEVEL
//
//+====================================================================+
//|                            !Caution!                               |
//+====================================================================+
//
// Error loging should never be set to development when compiling the
// plugin for deployment in a production system. Having the macro set to
// development will leed in sensitive authentication credentials being
// logged in plain text. Any user having access to system logs will be
// able to read user passwords!
//
#define AUTH_LDAP_ERROR_LEVEL       AUTH_LDAP_INFO


/*
 *
 * Configuration macros after this point, are reserved for future use,
 * and have not been implemented yet. Setting any value to these macros
 * will have not affect on plugin functionality.
 *
 */

// Search for the users DN before attempting to bind for authentication.
#define AUTH_LDAP_SEARCH_DN         0
// The search filter
#define AUTH_LDAP_SEARCH_DN_FILTER  "(&(cn=%u)(objectClass=shadowPassword))" //這裡的uid要改成cn
// Search levels. possible values base,one,subtree
#define AUTH_LDAP_LEVEL             "base"
// Bind anonymously to perform search for the user's DN
#define AUTH_LDAP_BIND_ANONYMOUSLY  1
// If we will not bind anonymously set the corresponding DN and password.
#define AUTH_LDAP_BIND_DN           ""
#define AUTH_LDAP_BIND_PASSWD       ""
« 上次編輯: 2013-10-02 17:56 由 Robetar »

netman

  • 管理員
  • 俺是博士!
  • *****
  • 文章數: 17327
    • 檢視個人資料
    • http://www.study-area.org
Re: 有關MYSQL認証透過LDAP的問題
« 回覆 #3 於: 2013-10-02 18:10 »
讚!感謝分享!

Niko

  • 活潑的大學生
  • ***
  • 文章數: 281
  • 性別: 男
    • 檢視個人資料
Re: 有關MYSQL認証透過LDAP的問題
« 回覆 #4 於: 2013-10-02 22:27 »
感恩!!又學習了...  :)

wlhfor

  • 懷疑的國中生
  • **
  • 文章數: 39
    • 檢視個人資料
Re: 有關MYSQL認証透過LDAP的問題
« 回覆 #5 於: 2013-10-24 16:41 »
感謝分享~~