As a continuation of previous post, now, I will show how to make a mysql plugin for ldap authentication.

Get the mysql-server source code at http://dev.mysql.com/downloads/mysql/ (http://dev.mysql.com/get/Downloads/MySQL-5.5/mysql-5.5.27.tar.gz/from/http://cdn.mysql.com/)

Installing necessary packages

yum groupinstall 'Development Tools'
yum install cmake ncurses-devel

Download source code, build and start MySQL Server

wget http://dev.mysql.com/get/Downloads/MySQL-5.5/mysql-5.5.27.tar.gz/from/http://cdn.mysql.com/
tar -xzf mysql-5.5.27.tar.gz
cd mysql-5.5.25

# Preconfiguration setup
groupadd mysql
useradd -r -g mysql mysql

# Beginning of source-build specific instructions
cmake .
make
make install

# Postinstallation setup
chown -R mysql .
chgrp -R mysql .
./scripts/mysql_install_db --user=mysql
chown -R root .
chown -R mysql data

cp support-files/mysql.server /etc/init.d/mysql.server

# Start mysql server
/etc/init.d/mysql.server start

Goal 1) The first version of the plugin must should allow user authentication with password.

Create auth_ldap folder within mysql-5.5.25/plugin

mkdir plugin/auth_ldap

Create a new file in plugin/auth_ldap/auth_ldap.c

/*
Author: Ignacio Ocampo <nafiux@gmail.com>
Website: http://www.nafiux.com/blog
Version: 1.0.0
Description:
  Simple auth plugin
*/

#include <mysql/plugin_auth.h>
#include <mysql/client_plugin.h>
#include <mysql.h>
#include <stdio.h>
#include <unistd.h>
#include <syslog.h>
#include <string.h>

static void auth_ldap_log(int priority, char *msg)
{
  openlog("auth_ldap", LOG_PID|LOG_CONS, LOG_USER);
  syslog(LOG_INFO, msg);
  closelog();
}

/* principal function */
static int auth_ldap_server (MYSQL_PLUGIN_VIO *vio,
                               MYSQL_SERVER_AUTH_INFO *info)
{
  unsigned char *pkt;
  int pkt_len;

  /* read the password as null-terminated string, fail on error */
  if ((pkt_len= vio->read_packet(vio, &pkt)) < 0)
    return CR_ERROR;

  /* fail on empty password */
  if (!pkt_len || *pkt == '\0')
  {
    auth_ldap_log(LOG_INFO, "fail empty password");
    info->password_used= PASSWORD_USED_NO;
    return CR_ERROR;
  }

  /* accept any nonempty password */
  info->password_used= PASSWORD_USED_YES;
  auth_ldap_log(LOG_INFO, "accept any nonempty password");

  return CR_OK;
}

static struct st_mysql_auth auth_ldap_handler =
{
  MYSQL_AUTHENTICATION_INTERFACE_VERSION,
  "auth_ldap",           /* required client-side plugin name */
  auth_ldap_server       /* server-side plugin main function */
};

mysql_declare_plugin(auth_ldap)
{
  MYSQL_AUTHENTICATION_PLUGIN,
  &auth_ldap_handler,                 /* type-specific descriptor */
  "auth_ldap",                        /* plugin name */
  "Ignacio Ocampo",                        /* author */
  "LDAP authentication plugin", /* description */
  PLUGIN_LICENSE_GPL,                   /* license type */
  NULL,                                 /* no init function */
  NULL,                                 /* no deinit function */
  0x0100,                               /* version = 1.0 */
  NULL,                                 /* no status variables */
  NULL,                                 /* no system variables */
  NULL,                                 /* no reserved information */
  0                                     /* no flags */
}
mysql_declare_plugin_end;

static int auth_ldap_client (MYSQL_PLUGIN_VIO *vio, MYSQL *mysql)
{
  int res;

  /* send password as null-terminated string in clear text */
  res= vio->write_packet(vio, (const unsigned char *) mysql->passwd, 
                         strlen(mysql->passwd) + 1);

  return res ? CR_ERROR : CR_OK;
}

mysql_declare_client_plugin(AUTHENTICATION)
  "auth_ldap",                        /* plugin name */
  "Ignacio Ocampo",                        /* author */
  "LDAP authentication plugin", /* description */
  {1,0,0},                              /* version = 1.0.0 */
  "GPL",                                /* license type */
  NULL,                                 /* for internal use */
  NULL,                                 /* no init function */
  NULL,                                 /* no deinit function */
  NULL,                                 /* no option-handling function */
  auth_ldap_client                    /* main function */
mysql_end_client_plugin;

To compile the plugin, we can use the macros defined for cmake in MySQL source code.

Create a new file in plugin/auth_ldap/CMakeLists.txt:

MYSQL_ADD_PLUGIN(auth_ldap auth_ldap.c
  MODULE_ONLY MODULE_OUTPUT_NAME "auth_ldap")

To compile the plugin, run de make command at the root of source code of MySQL (in the same directory where you ran to top):

make

Plugin installation:

cp plugin/auth_ldap/auth_ldap.so /usr/local/mysql/lib/plugin/auth_ldap.so
chgrp mysql /usr/local/mysql/lib/plugin/auth_ldap.so

/usr/local/mysql/bin/mysql -h 127.0.0.1 -u root
mysql> INSTALL PLUGIN auth_ldap SONAME 'auth_ldap.so';

We will implement proxy user support in authentication plugin (see http://dev.mysql.com/doc/refman/5.5/en/writing-authentication-plugins.html#writing-authentication-plugins-proxy-users)

The idea is authenticate any user with LDAP, however, it user must be mapped to a mysql local user, to do it:

Create the Database and Proxy to authenticate any external user through out auth_ldap plugin.

As you can see, the local user “dev” serves as proxy for any user and can access the database “dev_example1″

mysql> CREATE DATABASE dev_example1;
mysql> CREATE USER 'dev'@'localhost';
mysql> GRANT ALL ON dev_example1.* TO 'dev'@'locahost';
mysql> USE mysql;
mysql> DELETE FROM user WHERE User='';
mysql> CREATE USER ''@'' IDENTIFIED WITH auth_ldap;
mysql> GRANT PROXY ON 'dev'@'localhost' TO ''@'';
mysql> SELECT user, host, plugin FROM user;
+------+-----------------------+-----------+
| user | host                  | plugin    |
+------+-----------------------+-----------+
| root | localhost             |           |
| root | localhost.localdomain |           |
| root | 127.0.0.1             |           |
| root | ::1                   |           |
| dev  | %                     |           |
|      |                       | auth_ldap |
+------+-----------------------+-----------+
6 rows in set (0,00 sec)

Test our plugin:

/usr/local/mysql/bin/mysql -h 127.0.0.1 --user=foo
ERROR 1045 (28000): Access denied for user 'foo'@'localhost' (using password: NO)

/usr/local/mysql/bin/mysql -h 127.0.0.1 --user=foo --password=bar
Welcome to the MySQL monitor.  Commands end with ; or \g.

Check the log:

tail /var/log/messages
Aug 11 12:00:50 localhost auth_ldap[3383]: fail empty password
Aug 11 12:00:55 localhost auth_ldap[3383]: accept any nonempty password

Goal 1 completed!

Goal 2) Implement ldap authentication and mapping with local user

/*
Author: Ignacio Ocampo <nafiux@gmail.com>
Website: http://www.nafiux.com/blog
Version: 1.0.2
Description:
  Auth plugin with LDAP
*/

#include <mysql/plugin_auth.h>
#include <mysql/client_plugin.h>
#include <mysql.h>
#include <stdio.h>
#include <unistd.h>
#include <syslog.h>
#include <string.h>
#include <ldap.h>

#define LDAP_SERVER	"ldap://nafiux.com:389"
#define LDAP_PATH	"ou=People,dc=nafiux,dc=com"

static void auth_ldap_log(int priority, char *msg)
{
  openlog("auth_ldap", LOG_PID|LOG_CONS, LOG_USER);
  syslog(LOG_INFO, msg);
  closelog();
}

/* ldap login function */
static int auth_ldap_login(char *username, unsigned char *password)
{
  LDAP *ld;
  int rc;
  char dn[200];
  char buffer[200];

  /* Open LDAP Connection*/
  if( ldap_initialize( &ld, LDAP_SERVER ) )
  {
    auth_ldap_log(LOG_ERR, "ldap_initialize");
    return( 1 );
  }

  /* User authentication (bind) */
  sprintf(dn, "cn=%s,%s", username, LDAP_PATH);
  rc = ldap_simple_bind_s( ld, dn, password );
  if( rc != LDAP_SUCCESS )
  {
    sprintf(buffer, "Authentication failed: %s", dn);
    auth_ldap_log(LOG_INFO, buffer);
    return( 1 );
  }

  sprintf(buffer, "Authentication successful: %s", dn);
  auth_ldap_log(LOG_INFO, buffer);
  return( 0 );
}

/* principal function */
static int auth_ldap_server (MYSQL_PLUGIN_VIO *vio,
                               MYSQL_SERVER_AUTH_INFO *info)
{
  unsigned char *pkt;
  int pkt_len;

  /* read the password as null-terminated string, fail on error */
  if ((pkt_len= vio->read_packet(vio, &pkt)) < 0)
    return CR_ERROR;

  /* fail on empty password */
  if (!pkt_len || *pkt == '\0')
  {
    auth_ldap_log(LOG_INFO, "fail empty password");
    info->password_used= PASSWORD_USED_NO;
    return CR_ERROR;
  }

  /* accept any nonempty password */
  info->password_used= PASSWORD_USED_YES;
  //auth_ldap_log(LOG_INFO, "accept any nonempty password");

  if(auth_ldap_login(info->user_name, pkt))
    return CR_ERROR;

  strcpy(info->authenticated_as, "dev"); // local user
  strcpy(info->external_user, info->user_name);

  return CR_OK;
}

static struct st_mysql_auth auth_ldap_handler =
{
  MYSQL_AUTHENTICATION_INTERFACE_VERSION,
  "auth_ldap",           /* required client-side plugin name */
  auth_ldap_server       /* server-side plugin main function */
};

mysql_declare_plugin(auth_ldap)
{
  MYSQL_AUTHENTICATION_PLUGIN,
  &auth_ldap_handler,                 /* type-specific descriptor */
  "auth_ldap",                        /* plugin name */
  "Ignacio Ocampo",                        /* author */
  "LDAP authentication plugin", /* description */
  PLUGIN_LICENSE_GPL,                   /* license type */
  NULL,                                 /* no init function */
  NULL,                                 /* no deinit function */
  0x0100,                               /* version = 1.0 */
  NULL,                                 /* no status variables */
  NULL,                                 /* no system variables */
  NULL,                                 /* no reserved information */
  0                                     /* no flags */
}
mysql_declare_plugin_end;

static int auth_ldap_client (MYSQL_PLUGIN_VIO *vio, MYSQL *mysql)
{
  int res;

  /* send password as null-terminated string in clear text */
  res= vio->write_packet(vio, (const unsigned char *) mysql->passwd, 
                         strlen(mysql->passwd) + 1);

  return res ? CR_ERROR : CR_OK;
}

mysql_declare_client_plugin(AUTHENTICATION)
  "auth_ldap",                        /* plugin name */
  "Ignacio Ocampo",                        /* author */
  "LDAP authentication plugin", /* description */
  {1,0,0},                              /* version = 1.0.0 */
  "GPL",                                /* license type */
  NULL,                                 /* for internal use */
  NULL,                                 /* no init function */
  NULL,                                 /* no deinit function */
  NULL,                                 /* no option-handling function */
  auth_ldap_client                    /* main function */
mysql_end_client_plugin;

Befor compile the plugin, you need to update the plugin/auth_ldap/CMakeLists.txt (add the LINK_LIBRARIES “ldap” option)

MYSQL_ADD_PLUGIN(auth_ldap auth_ldap.c
  MODULE_ONLY MODULE_OUTPUT_NAME "auth_ldap"
  LINK_LIBRARIES "ldap")

Install openldap-devel package

yum install openldap-devel

Make, copy plugin and restart server (see the previous steps).

Finally, I try the plugin completely.

/usr/local/mysql/bin/mysql -h 127.0.0.1 -u foo --password=bar
ERROR 1045 (28000): Access denied for user 'foo'@'localhost' (using password: YES)

/usr/local/mysql/bin/mysql -h 127.0.0.1 -u nafiux --password=REAL_LDAP_PASSWORD
Welcome to the MySQL monitor.  Commands end with ; or \g.

Check the log:

tail /var/log/messages
Aug 11 14:46:43 localhost auth_ldap[28666]: Authentication failed: cn=foo,ou=People,dc=nafiux,dc=com
Aug 11 14:47:04 localhost auth_ldap[28666]: Authentication successful: cn=nafiux,ou=People,dc=nafiux,dc=com

Check the available databases and user session information:

/usr/local/mysql/bin/mysql -h 127.0.0.1 -u nafiux --password=REAL_LDAP_PASSWORD
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 20
Server version: 5.5.27 Source distribution

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dev_example1       |
| test               |
+--------------------+
3 rows in set (0,00 sec)

mysql> SELECT USER(), CURRENT_USER(), @@proxy_user, @@external_user;
+------------------+----------------+--------------+-----------------+
| USER()           | CURRENT_USER() | @@proxy_user | @@external_user |
+------------------+----------------+--------------+-----------------+
| nafiux@localhost | dev@localhost  | ''@''        | ''@''           |
+------------------+----------------+--------------+-----------------+
1 row in set (0,00 sec)

Goal 2 completed!

3 Thoughts on “MySQL LDAP Authentication Plugin

  1. Keith, yesterday I added my blog feed to planet.mysql.com :)

    Joro, thank you for feedback, I want to read about the cleartext plugin and update my post.

    Thanks to both.

  2. Great post. One idea : insted of writing (and having to deply) your own client plugin you probably can reuse the cleartext client side plugin, specially because it’s available in a number of mysql clients already. Check sql-common/client.c on MySQL 5.5+ for details.

  3. Great post thanks !
    Can you add your feed to planet.mysql.com
    http://planet.mysql.com/new

Deja un comentario

Tu dirección de correo electrónico no será publicada. Los campos necesarios están marcados *

Puedes usar las siguientes etiquetas y atributos HTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Post Navigation