Login Authentication #

Password Authentication #

DBPlusEngine-Proxy uses password authentication by default. The configuration format is as follows:

authority:
  users:
    - user: root@%
      password: root
    - user: sharding
      password: sharding

In this configuration, two users are specified for DBPlusEngine:

  • root: @% means that the user can access DBPlusEngine from any host; password sets the password to root.
  • sharding: no host is specified for this user, so the default value @% applies; password sets the password to sharding.

When the administrator needs to restrict the host from which a specific user can log in, use the username@host form, for example:

- user: user1@192.168.1.111
  password: user1_password

This indicates that user1 can access DBPlusEngine only from 192.168.1.111, and the authentication password is user1_password.

LDAP Authentication #

Notes:

  • Before enabling LDAP authentication, users should first deploy an LDAP server, such as OpenLDAP.
  • When using the MySQL client, the cleartext plugin needs to be explicitly enabled, for example: mysql -h 127.0.0.1 -P 3307 -u root -p --enable-cleartext-plugin

Configure LDAP in DBPlusEngine as follows:

Example 1 #

Each user needs to be authenticated with LDAP and use the same DN template.

authority:
  users:
    - user: root@%
    - user: sharding
  authenticators:
    auth_ldap:
      type: LDAP
      props:
        ldap_server_url: ldap://localhost:389
        ldap_dn_template: cn={0},ou=users,dc=example,dc=org
  defaultAuthenticator: auth_ldap

This configuration specifies an authenticator auth_ldap, whose type is LDAP, and the necessary configuration is given in props:

  • ldap_server_url: access address of LDAP server
  • ldap_dn_template: user DN template

When using the above configuration, the DNs corresponding to users root and sharding are:

  • root: cn=root,ou=users,dc=example,dc=org
  • sharding: cn=sharding,ou=users,dc=example,dc=org

Example 2 #

Each user needs LDAP authentication, but uses a different DN template.

authority:
  users:
    - user: root@%
      props:
        ldap_dn: cn=root,ou=admin,dc=example,dc=org
    - user: sharding
  authenticators:
    auth_ldap:
      type: LDAP
      props:
        ldap_server_url: ldap://localhost:389
        ldap_dn_template: cn={0},ou=users,dc=example,dc=org
  defaultAuthenticator: auth_ldap

The difference from Example 1 is that user ‘root’ is not in the same ou as the other users, so an explicit user DN is specified separately for ‘root’.

When using the above configuration, the DNs of root and sharding are:

  • root: cn=root,ou=admin,dc=example,dc=org
  • sharding: cn=sharding,ou=users,dc=example,dc=org

Hybrid Authentication #

Hybrid authentication means that some users use password authentication and others use LDAP authentication. This is a very flexible combination that can meet the needs of specific security scenarios.

The configuration format of hybrid authentication is as follows:

authority:
  users:
    - user: root@%
      auth: auth_ldap
    - user: sharding
      password: sharding
    - user: user1
      password: password_user1
  authenticators:
    auth_ldap:
      type: LDAP
      props:
        ldap_server_url: ldap://localhost:389
        ldap_dn_template: cn={0},ou=users,dc=example,dc=org

In the above configuration, defaultAuthenticator is not specified, so password authentication is used by default. At the same time, the explicit setting auth: auth_ldap specifies the authenticator for the user ‘root’ and requires that user to log in through LDAP authentication.

When using the above configuration, the corresponding authentication methods for users ‘root’, ‘sharding’ and ‘user1’ are:

  • root: LDAP
  • sharding: password
  • user1: password

Note: in the hybrid authentication scenario, the administrator can also enable LDAP authentication by default and use auth: password to set a small number of users to password authentication.
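
The resolution rules from the three sections above (default host @%, defaultAuthenticator falling back to password, per-user auth, and ldap_dn overriding ldap_dn_template) can be checked against a configuration before it is deployed. The following is an added example, not DBPlusEngine code: the function names are hypothetical, the authority block is given as a Python dict, and the three review findings are this example's own heuristics.

```python
# Added example (not DBPlusEngine code): resolve each user's effective login
# method from an `authority` block using the rules described on this page.

def split_user(entry):
    """'root@%' -> ('root', '%'); the host defaults to '%' when omitted."""
    name, _, host = entry.partition("@")
    return name, host or "%"

def resolve(authority):
    """Return {username: {'host', 'method', 'dn', 'findings'}}."""
    auths = authority.get("authenticators", {})
    default = authority.get("defaultAuthenticator")  # absent -> password
    out = {}
    for u in authority["users"]:
        name, host = split_user(u["user"])
        spec = auths.get(u.get("auth", default))  # 'password'/None -> no spec
        method, dn, findings = "password", None, []
        if spec and spec.get("type") == "LDAP":
            method, props = "LDAP", spec["props"]
            # A per-user ldap_dn overrides the shared ldap_dn_template.
            dn = (u.get("props", {}).get("ldap_dn")
                  or props["ldap_dn_template"].replace("{0}", name))
            if props["ldap_server_url"].startswith("ldap://"):
                findings.append("ldap:// URL has no implicit TLS")
        elif u.get("password") == name:
            findings.append("password equals username")
        if host == "%":
            findings.append("login allowed from any host")
        out[name] = dict(host=host, method=method, dn=dn, findings=findings)
    return out

# Constructed sample: Example 2 plus one `auth: password` user, as dicts.
SAMPLE = {
    "users": [
        {"user": "root@%",
         "props": {"ldap_dn": "cn=root,ou=admin,dc=example,dc=org"}},
        {"user": "sharding"},
        {"user": "user1@192.168.1.111", "auth": "password",
         "password": "user1_password"},
    ],
    "authenticators": {"auth_ldap": {"type": "LDAP", "props": {
        "ldap_server_url": "ldap://localhost:389",
        "ldap_dn_template": "cn={0},ou=users,dc=example,dc=org"}}},
    "defaultAuthenticator": "auth_ldap",
}

if __name__ == "__main__":
    for name, result in resolve(SAMPLE).items():
        print(name, result)
```
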