ldap_tls_cacert for MariaDB Xpand

Overview

In 23.09:

By default, Xpand uses the system defaults to determine CA trust when establishing TLS connections with an LDAP server. If set, this variable should specify the path to a file containing the trusted CA certificates. This can be useful if your LDAP server's TLS certificate is self-signed. This option is commonly referred to as TLS_CACERT in other LDAP client documentation.

In 6.1, 6.0, 5.3:

Not present

See also: System Variables for MariaDB Xpand 23.09, in 6.1, in 6.0, and in 5.3

USAGE

The ldap_tls_cacert system variable can be set by executing SET GLOBAL:

SET GLOBAL ldap_tls_cacert = '<path_to_trusted_CA_certificates>';

Using SET GLOBAL to set the value of a global variable in Xpand causes a change that will persist on restart.

DETAILS

By default, Xpand will use the system defaults in order to determine CA trust when establishing TLS connections with an LDAP server.

If ldap_tls_cacert is set, it should specify a path to a file containing the trusted CA certificates. This can be useful if your LDAP server's TLS certificate is self-signed. This option is commonly referred to as TLS_CACERT in other LDAP client documentation.

Each Xpand node needs local filesystem access to this path.

Once this variable is set and the file exists on each Xpand node, use ALTER CLUSTER RELOAD LDAP to direct each Xpand node in the cluster to load the file.
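
A pre-flight check for the requirement above that the file exist on each Xpand node before ALTER CLUSTER RELOAD LDAP is run. This is an added example, not part of the Xpand documentation or tooling: the helper name check_ldap_cacert and its exit codes are hypothetical, and it assumes the file is PEM-encoded and that openssl is installed on the node.

```shell
#!/bin/sh
# Added example: pre-flight check for the file that ldap_tls_cacert will name.
# Run it on every Xpand node. check_ldap_cacert is a hypothetical helper,
# not an Xpand tool; the file is assumed to be PEM and openssl to be installed.

check_ldap_cacert() (
    f=$1
    [ -f "$f" ] && [ -r "$f" ] || { echo "FAIL: $f missing or unreadable" >&2; return 1; }

    # This file is the trust anchor for LDAP TLS: anyone who can write to it
    # can add a CA, so reject group- or world-writable files.
    if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "FAIL: $f is group- or world-writable" >&2; return 2
    fi

    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
    [ "$n" -gt 0 ] || { echo "FAIL: no PEM certificate in $f" >&2; return 3; }
    command -v openssl >/dev/null 2>&1 || { echo "FAIL: openssl not found" >&2; return 4; }

    # Split the bundle so every certificate is checked, not only the first.
    tmp=$(mktemp -d) || return 4
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { i++ }
                     i { print > (d "/cert" i ".pem") }' "$f"
    rc=0
    for c in "$tmp"/cert*.pem; do
        # -checkend 0 fails when the certificate is unparsable or has expired.
        if ! openssl x509 -in "$c" -noout -checkend 0 >/dev/null 2>&1; then
            echo "FAIL: unparsable or expired certificate in $f" >&2; rc=5
        fi
    done
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] || return "$rc"

    # Digest of the whole file: compare it across nodes to confirm that
    # every node holds the same trust anchors.
    echo "OK: $f certs=$n sha256=$(openssl dgst -sha256 -r "$f" | cut -d' ' -f1)"
)

# Usage: sh check.sh /data/clustrix/ldap-ca-cert.pem
# When every node prints OK with the same sha256, run the page's statements:
#   SET GLOBAL ldap_tls_cacert = '/data/clustrix/ldap-ca-cert.pem';
#   ALTER CLUSTER RELOAD LDAP;
[ "$#" -eq 0 ] || check_ldap_cacert "$1"
```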

EXAMPLES

To specify the path to a custom certificate authority certificate file:

SET GLOBAL ldap_tls_cacert = '/data/clustrix/ldap-ca-cert.pem';

The following statement unsets any custom certificate authority certificate file. The system's already-trusted certificate authorities are used during TLS negotiation:

SET GLOBAL ldap_tls_cacert = '';

Set the variable to an empty string when your LDAP server already has a publicly trusted certificate for its domain name. For example, if the server has a publicly trusted certificate for the domain name example.com and you intend to connect to it via ldaps://example.com, this global variable should be set to the empty string.

CHANGE HISTORY

Release Series    History
23.09             Added in MariaDB Xpand 23.09.1.
6.1               Not present.
6.0               Not present.
5.3               Not present.
