Authentication with gssapi
This page is part of MariaDB's Documentation.
The parent of this page is: Authentication for MariaDB Enterprise Server
Topics on this page:
Overview
The gssapi
authentication plugin validates user credentials against a GSSAPI-based authentication service, like Kerberos or NTLM.
Install Package
The gssapi
authentication plugin requires an additional package to be installed on Linux.
On CentOS, RHEL, and Rocky Linux:
$ sudo yum install MariaDB-gssapi-server
On Debian and Ubuntu:
$ sudo apt install mariadb-plugin-gssapi-server
On SLES:
$ sudo zypper install MariaDB-gssapi-server
Configure
The gssapi
authentication plugin requires some system variables to be configured, including:
For example:
[mariadb]
...
gssapi_keytab_path=KEYTAB_PATH
gssapi_principal_name=PRINCIPAL_NAME
Install Plugin
The gssapi
authentication plugin must be installed before it can be used.
To install with the INSTALL SONAME
statement:
INSTALL SONAME 'gssapi';
To install in a configuration file with the plugin_load_add
option:
[mariadb]
...
plugin_load_add = auth_gssapi
Create User
To create a user account that uses the gssapi
authentication plugin, specify the plugin in the CREATE USER
statement:
CREATE USER 'USER'@'192.0.2.%'
IDENTIFIED VIA gssapi;
An optional realm can be specified:
CREATE USER 'USER'@'192.0.2.%'
IDENTIFIED VIA gssapi USING 'USER@DOMAIN';