MySQL LDAP Authentication Plugin (Clear password client plugin)

Based on my last post MySQL LDAP Authentication Plugin, I received feedback from MySql Joro Blog by Oracle.

They told me:

Insted of writing (and having to deply) your own client plugin you probably can reuse the cleartext client side plugin, specially because it’s available in a number of mysql clients already. Check sql-common/client.c on MySQL 5.5+ for details.

This is very useful because you only need to put the plugin in server side, and in the client side you only need to check if the clear password plugin is enabled.

Now, I present the updated code with the only server side plugin, and I reused the cleartext client side plugin from MySql, it’s more short and very focused in LDAP authentication:

Author: Ignacio Ocampo <>
Version: 1.0.3
  Server auth LDAP plugin with client cleartext built-in plugin

#include <mysql/plugin_auth.h>
#include <mysql/client_plugin.h>
#include <mysql.h>
#include <stdio.h>
#include <unistd.h>
#include <syslog.h>
#include <string.h>
#include <ldap.h>

#define LDAP_SERVER	"ldap://"
#define LDAP_PATH	"ou=People,dc=nafiux,dc=com"

static void auth_ldap_log(int priority, char *msg)
  openlog("auth_ldap", LOG_PID|LOG_CONS, LOG_USER);
  syslog(LOG_INFO, msg);

/* ldap login function */
static int auth_ldap_login(char *username, unsigned char *password)
  LDAP *ld;
  int rc;
  char dn[200];
  char buffer[200];

  /* Open LDAP Connection*/
  if( ldap_initialize( &ld, LDAP_SERVER ) )
    auth_ldap_log(LOG_ERR, "ldap_initialize");
    return( 1 );

  /* User authentication (bind) */
  sprintf(dn, "cn=%s,%s", username, LDAP_PATH);
  rc = ldap_simple_bind_s( ld, dn, password );
  if( rc != LDAP_SUCCESS )
    sprintf(buffer, "Authentication failed: %s", dn);
    auth_ldap_log(LOG_INFO, buffer);
    return( 1 );

  sprintf(buffer, "Authentication successful: %s", dn);
  auth_ldap_log(LOG_INFO, buffer);
  return( 0 );

/* principal function */
static int auth_ldap_server (MYSQL_PLUGIN_VIO *vio,
                               MYSQL_SERVER_AUTH_INFO *info)
  unsigned char *pkt;
  int pkt_len;

  /* read the password as null-terminated string, fail on error */
  if ((pkt_len= vio->read_packet(vio, &pkt)) < 0)
    return CR_ERROR;

  /* fail on empty password */
  if (!pkt_len || *pkt == '\0')
    auth_ldap_log(LOG_INFO, "fail empty password");
    info->password_used= PASSWORD_USED_NO;
    return CR_ERROR;

  /* accept any nonempty password */
  info->password_used= PASSWORD_USED_YES;
  //auth_ldap_log(LOG_INFO, "accept any nonempty password");

  if(auth_ldap_login(info->user_name, pkt))
    return CR_ERROR;

  strcpy(info->authenticated_as, "dev"); // local user
  strcpy(info->external_user, info->user_name);

  return CR_OK;

static struct st_mysql_auth auth_ldap_handler =
  "mysql_clear_password",           /* required client-side plugin name */
  auth_ldap_server       /* server-side plugin main function */

  &auth_ldap_handler,                 /* type-specific descriptor */
  "auth_ldap",                        /* plugin name */
  "Ignacio Ocampo",                        /* author */
  "LDAP authentication plugin", /* description */
  PLUGIN_LICENSE_GPL,                   /* license type */
  NULL,                                 /* no init function */
  NULL,                                 /* no deinit function */
  0x0100,                               /* version = 1.0 */
  NULL,                                 /* no status variables */
  NULL,                                 /* no system variables */
  NULL,                                 /* no reserved information */
  0                                     /* no flags */

Make the plugin


And copy to plugin folder

cp plugin/auth_ldap/ /usr/local/mysql/lib/plugin/

Test it

/usr/local/mysql/bin/mysql -h -u nafiux --password=anypassword
ERROR 2059 (HY000): Authentication plugin 'mysql_clear_password' cannot be loaded: plugin not enabled

If you get this error it’s because in sql-common/client_plugin.c, in the load_env_plugins function is a validation:

static void load_env_plugins(MYSQL *mysql)
  char *plugs, *free_env, *s= getenv("LIBMYSQL_PLUGINS");
  char *enable_cleartext_plugin= getenv("LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN");

  if (enable_cleartext_plugin && strchr("1Yy", enable_cleartext_plugin[0]))
    libmysql_cleartext_plugin_enabled= 1;

  /* no plugins to load */

To solve this, you need to define the environment variable LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN as:


It only works on user session, if you want to do this permanently edit your ~/.bash_profile, for all users edit /etc/profile


[root@localhost mysql-5.5.27]# /usr/local/mysql/bin/mysql -h -u nafiux --password=anypassword
ERROR 1045 (28000): Access denied for user 'nafiux'@'localhost' (using password: YES)
[root@localhost mysql-5.5.27]# /usr/local/mysql/bin/mysql -h -u nafiux --password=REAL_LDAP_PASSWORD
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.5.27 Source distribution

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.


3 thoughts on “MySQL LDAP Authentication Plugin (Clear password client plugin)

  1. Sir! First of all, thank you — with very few changes I was able to create a custom plugin for our servers.

    What still worries us here is that the user’s password must now travel in clear text over the network. Yes, it can be mitigated with SSL, but nothing in the plugin enforces that…

    Can the plugin somehow figure out, whether the connection being authenticated is protected by SSL and fail, if it is not?

  2. Hello! I’m trying to use your plugin but get an error while installing it.
    mysql> INSTALL PLUGIN auth_ldap SONAME ‘’;
    ERROR 1126 (HY000): Can’t open shared library ‘usr/local/mysql/lib/plugin/’ (errno: 13 /usr/local/mysql/lib/plugin/ undefined symbol: ldap_simple_bind_s)
    I did all steps mentioned in your blog, but failed to install plugin. Any suggestions? Maybe something wrong with openldap? I configure it only with –enable-ldap option.

    • Aleksey:

      As I see you dont have ldap.h in your system.
      Be sure you have installed openldap-devel

      root@myvene# grep -i ldap_simple_bind_s /usr/include/ldap.h
      ldap_simple_bind_s LDAP_P(( /* deprecated, use ldap_sasl_bind_s */

      Cheers, Vene.-

Leave a Reply

Your email address will not be published. Required fields are marked *