Database Account LDAP Authentication

Overview

MariaDB SkySQL supports database account LDAP authentication as an option:

  • This feature is not enabled by default. By default, database users are authenticated against the database.

  • When enabled, users are authenticated using LDAP authentication via PAM.

  • Anonymous LDAP bind is not currently supported. Bind DN and password are required.

  • Database Account LDAP Authentication is available to Power Tier customers.

Compatibility

  • Distributed Transactions

  • Multi-Node Analytics

  • Replicated Transactions

  • Single Node Analytics

  • Single Node Transactions

Enable Database Account LDAP Authentication

  1. Launch the SkySQL service to be linked.

  2. Contact SkySQL Support to request database account 2FA:

    • Provide the SkySQL Service name.

  3. Additional instructions on configuration and usage are provided by SkySQL Support.

Service Configuration for PHP

When database account LDAP authentication is enabled for a SkySQL service that uses MariaDB Enterprise Server, the service requires extra configuration to accept connections from PHP.

By default, Enterprise Server's pam authentication plugin tells the client to provide the password or authentication token using the dialog client authentication plugin. PHP does not currently support the dialog client authentication plugin, so PHP applications can not authenticate via pam with the default service configuration. When authentication is attempted, a warning or error is raised with the following message:

mysqli_connect(): The server requested authentication method unknown to the client [dialog] in SOURCE_FILE on line SOURCE_LINE

However, PHP does support the mysql_clear_password client authentication plugin, which can be used instead of the dialog client authentication plugin.

MariaDB Enterprise Server can be configured to use mysql_clear_password instead of dialog by enabling the pam_use_cleartext_plugin system variable. The pam_use_cleartext_plugin system variable can be enabled as a custom configuration. For more information, contact MariaDB Support.