ldap_tls_cacert for MariaDB Xpand
This page is part of MariaDB's Documentation.
Overview
In 23.09:
By default, Xpand will use the system defaults in order to determine CA trust when establishing TLS connections with an LDAP server. If set, this should specify a path to a file containing the trusted CA certificates. This can be useful if your LDAP server's TLS certificate is self-signed. This option is commonly referred to as TLS_CACERT in other LDAP client documentation.
In 6.1, 6.0, 5.3:
Not present
See also: System Variables for MariaDB Xpand 23.09, in 6.1, in 6.0, and in 5.3
USAGE
The ldap_tls_cacert system variable can be set by executing SET GLOBAL:
SET GLOBAL ldap_tls_cacert = '<path_to_trusted_CA_certificates>';
Using SET GLOBAL to set the value of a global variable in Xpand causes a change that will persist on restart.
DETAILS
By default, Xpand will use the system defaults in order to determine CA trust when establishing TLS connections with an LDAP server.
If ldap_tls_cacert is set, it should specify a path to a file containing the trusted CA certificates. This can be useful if your LDAP server's TLS certificate is self-signed. This option is commonly referred to as TLS_CACERT in other LDAP client documentation.
Each Xpand node needs local filesystem access to this path.
Once this variable is set and the file exists on each Xpand node, use ALTER CLUSTER RELOAD LDAP to direct each Xpand node in the cluster to load the file.
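A pre-flight check for the steps above, added here as an example (it is not MariaDB tooling): before ALTER CLUSTER RELOAD LDAP is run, it confirms that every node's copy of the CA file is readable, not group- or world-writable, structurally a PEM certificate bundle with no private key in it, and byte-identical across nodes. The function names and the node=path arguments are hypothetical, the copies are assumed to be reachable from where the script runs, and the check is structural only (it does not validate chains or expiry).

```python
import base64, hashlib, os, re, stat, sys

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)\s+-----END \1-----", re.S)

def check_ca_file(path):
    """Return (sha256_hex, issues) for one node's copy of the CA file."""
    issues = []
    try:
        mode = os.stat(path).st_mode
        with open(path, "rb") as fh:
            raw = fh.read()
    except OSError as exc:
        return None, [f"unreadable: {exc.strerror}"]
    # A trust anchor that other local users can rewrite lets them decide
    # which LDAP server certificates the node accepts.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("file is group- or world-writable")
    certs = 0
    for label, body in PEM_BLOCK.findall(raw.decode("ascii", "replace")):
        if "PRIVATE KEY" in label:
            issues.append("private key present in CA file")
        elif label == "CERTIFICATE":
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                issues.append("certificate block is not valid base64")
                continue
            # A DER-encoded certificate starts with an ASN.1 SEQUENCE (0x30).
            if der[:1] == b"\x30":
                certs += 1
            else:
                issues.append("certificate block is not a DER SEQUENCE")
    if certs == 0:
        issues.append("no usable CERTIFICATE block found")
    return hashlib.sha256(raw).hexdigest(), issues

def check_cluster(paths_by_node):
    """Check every node's copy and require all copies to be byte-identical."""
    report = {node: check_ca_file(p) for node, p in paths_by_node.items()}
    digests = {digest for digest, _ in report.values()}
    consistent = len(digests) == 1 and None not in digests
    return consistent and not any(i for _, i in report.values()), report

if __name__ == "__main__":
    # Hypothetical usage: check.py node1=/copies/node1.pem node2=/copies/node2.pem
    ok, report = check_cluster(dict(a.split("=", 1) for a in sys.argv[1:]))
    for node, (digest, issues) in sorted(report.items()):
        print(node, digest, issues or "ok")
    sys.exit(0 if ok else 1)
```

A differing digest on one node means that node would trust a different set of CAs than the rest of the cluster after the reload.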
EXAMPLES
To specify the path to a custom certificate authority certificate file:
SET GLOBAL ldap_tls_cacert = '/data/clustrix/ldap-ca-cert.pem';
The following statement unsets any custom certificate authority certificate file. The system's already-trusted certificate authorities are used during TLS negotiation:
SET GLOBAL ldap_tls_cacert = '';
Use this setting of an empty string when your LDAP server already has a publicly-trusted certificate for its domain name. If you already have a publicly-trusted certificate for a domain name of, say, example.com, and you intend to connect to it via ldaps://example.com, then this global variable should be set to the empty string.
CHANGE HISTORY
Release Series | History |
---|---|
23.09 | |
6.1 | |
6.0 | |
5.3 | |