Database Account LDAP Authentication
Overview
MariaDB SkySQL supports database account LDAP authentication as an option:
This feature is not enabled by default. By default, database users are authenticated against the database.
When enabled, users are authenticated using LDAP authentication via PAM.
Anonymous LDAP bind is not currently supported. Bind DN and password are required.
Database Account LDAP Authentication is available to Power Tier customers.
Compatibility
Distributed Transactions
Multi-Node Analytics
Replicated Transactions
Single Node Analytics
Single Node Transactions
Enable Database Account LDAP Authentication
Launch the SkySQL service to be linked.
Contact SkySQL Support to request database account 2FA:
Provide the SkySQL Service name.
Additional instructions on configuration and usage are provided by SkySQL Support.
Service Configuration for PHP
When database account LDAP authentication is enabled for a SkySQL service that uses MariaDB Enterprise Server, the service requires extra configuration to accept connections from PHP.
By default, Enterprise Server's pam authentication plugin tells the client to provide the password or authentication token using the dialog client authentication plugin. PHP does not currently support the dialog client authentication plugin, so PHP applications cannot authenticate via pam with the default service configuration. When authentication is attempted, a warning or error is raised with the following message:
mysqli_connect(): The server requested authentication method unknown to the client [dialog] in SOURCE_FILE on line SOURCE_LINE
However, PHP does support the mysql_clear_password client authentication plugin, which can be used instead of the dialog client authentication plugin.
MariaDB Enterprise Server can be configured to use mysql_clear_password instead of dialog by enabling the pam_use_cleartext_plugin system variable. The pam_use_cleartext_plugin system variable can be enabled as a custom configuration. For more information, contact MariaDB Support.