diff --git a/docs/ldap-authentication.md b/docs/ldap-authentication.md index a5f8a7095b8..6b52794e019 100644 --- a/docs/ldap-authentication.md +++ b/docs/ldap-authentication.md @@ -8,10 +8,6 @@ individuals, groups, and organizations. *Percona Server for MySQL* 8.0.30-22 implements an SASL-based LDAP authentication plugin. This plugin only supports the SCRAM-SHA-1 SASL mechanism. -!!! important - - --8<--- "tech.preview.md:5:5" - *Percona Server for MySQL* 8.0.19-10 implements the simple LDAP authentication. The Percona simple LDAP authentication plugin is a free and Open Source implementation of the MySQL Enterprise Simple LDAP authentication plugin. ## Plugin names and file names @@ -114,12 +110,6 @@ Install the plugin with the following statements. mysql> INSTALL PLUGIN authentication_ldap_simple SONAME 'authentication_ldap_simple.so'; ``` - To set and persist values at runtime, use the following statements: - - ```{.bash data-prompt="mysql>"} - mysql> SET PERSIST authentication_ldap_simple_server_host='127.0.0.1'; - mysql> SET PERSIST authentication_ldap_simple_bind_base_dn='dc=percona, dc=com'; - ``` === "Load the SASL-based LDAP authentication plugin" @@ -134,7 +124,7 @@ Install the plugin with the following statements. mysql> SET PERSIST authentication_ldap_sasl_bind_base_dn='dc=percona, dc=com'; ``` -## Create a user using simple LDAP authentication +## Create a user using LDAP simple authentication There are several methods to add or modify a user. 
@@ -156,21 +146,21 @@ There are several methods to add or modify a user. mysql> CREATE USER ... IDENTIFIED WITH authentication_ldap_simple BY 'cn=[user name],ou=[organization unit],dc=[domain component],dc=com' ``` - Unless the [authentication_ldap_simple_group_role_mapping](ldap-system-variables.md#authentication_ldap_simple_group_role_mapping) variable is used, creating a user with an authentication string does not use the following system variables: + Unless the [authentication_ldap_simple_group_role_mapping](ldap-simple-variables.md#authentication_ldap_simple_group_role_mapping) variable is used, creating a user with an authentication string does not use the following system variables: - * [authentication_ldap_simple_bind_base_dn](ldap-system-variables.md#authentication_ldap_simple_bind_base_dn) + * [authentication_ldap_simple_bind_base_dn](ldap-simple-variables.md#authentication_ldap_simple_bind_base_dn) - * [authentication_ldap_simple_bind_root_dn](ldap-system-variables.md#authentication_ldap_simple_bind_root_dn) + * [authentication_ldap_simple_bind_root_dn](ldap-simple-variables.md#authentication_ldap_simple_bind_root_dn) - * [authentication_ldap_simple_bind_root_pwd](ldap-system-variables.md#authentication_ldap_simple_bind_root_pwd) + * [authentication_ldap_simple_bind_root_pwd](ldap-simple-variables.md#authentication_ldap_simple_bind_root_pwd) - * [authentication_ldap_simple_user_search_attr](ldap-system-variables.md#authentication_ldap_simple_user_search_attr) + * [authentication_ldap_simple_user_search_attr](ldap-simple-variables.md#authentication_ldap_simple_user_search_attr) - * [authentication_ldap_simple_group_search_attr](ldap-system-variables.md#authentication_ldap_simple_group_search_attr) + * [authentication_ldap_simple_group_search_attr](ldap-simple-variables.md#authentication_ldap_simple_group_search_attr) Creating the user with `IDENTIFIED BY authentication_ldap_simple` uses the variables. 
- Creating the user with the [authentication_ldap_simple_group_role_mapping](ldap-system-variables.md#authentication_ldap_simple_group_role_mapping) variable also adds the [authentication_ldap_simple_bind_root_dn](ldap-system-variables.md#authentication_ldap_simple_bind_root_dn) and [authentication_ldap_simple_bind_root_pwd](ldap-system-variables.md#authentication_ldap_simple_bind_root_pwd) variables. + Creating the user with the [authentication_ldap_simple_group_role_mapping](ldap-simple-variables.md#authentication_ldap_simple_group_role_mapping) variable also adds the [authentication_ldap_simple_bind_root_dn](ldap-simple-variables.md#authentication_ldap_simple_bind_root_dn) and [authentication_ldap_simple_bind_root_pwd](ldap-simple-variables.md#authentication_ldap_simple_bind_root_pwd) variables. ## Create a user using SASL-based LDAP authentication 
@@ -192,21 +182,21 @@ There are several methods to add or modify a user. mysql> CREATE USER ... IDENTIFIED WITH authentication_ldap_sasl BY 'cn=[user name],ou=[organization unit],dc=[domain component],dc=com' ``` - Unless the [authentication_ldap_sasl_group_role_mapping](ldap-system-variables.md#authentication_ldap_sasl_group_role_mapping) variable is used, creating a user with an authentication string does not use the following system variables: + Unless the [authentication_ldap_sasl_group_role_mapping](ldap-sasl-variables.md#authentication_ldap_sasl_group_role_mapping) variable is used, creating a user with an authentication string does not use the following system variables: - * [authentication_ldap_sasl_bind_base_dn](ldap-system-variables.md#authentication_ldap_sasl_bind_base_dn) + * [authentication_ldap_sasl_bind_base_dn](ldap-sasl-variables.md#authentication_ldap_sasl_bind_base_dn) - * [authentication_ldap_sasl_bind_root_dn](ldap-system-variables.md#authentication_ldap_sasl_bind_root_dn) + * [authentication_ldap_sasl_bind_root_dn](ldap-sasl-variables.md#authentication_ldap_sasl_bind_root_dn) - * [authentication_ldap_sasl_bind_root_pwd](ldap-system-variables.md#authentication_ldap_sasl_bind_root_pwd) + * [authentication_ldap_sasl_bind_root_pwd](ldap-sasl-variables.md#authentication_ldap_sasl_bind_root_pwd) - * [authentication_ldap_sasl_user_search_attr](ldap-system-variables.md#authentication_ldap_sasl_user_search_attr) + * [authentication_ldap_sasl_user_search_attr](ldap-sasl-variables.md#authentication_ldap_sasl_user_search_attr) - * [authentication_ldap_sasl_group_search_attr](ldap-system-variables.md#authentication_ldap_sasl_group_search_attr) + * [authentication_ldap_sasl_group_search_attr](ldap-sasl-variables.md#authentication_ldap_sasl_group_search_attr) Creating the user with `IDENTIFIED BY authentication_ldap_sasl` uses the variables. 
- Creating the user with the [authentication_ldap_sasl_group_role_mapping](ldap-system-variables.md#authentication_ldap_sasl_group_role_mapping) variable also adds the[authentication_ldap_sasl_bind_root_dn](ldap-system-variables.md#authentication_ldap_sasl_bind_root_dn) and [authentication_ldap_sasl_bind_root_pwd](ldap-system-variables.md#authentication_ldap_sasl_bind_root_pwd) variables. + Creating the user with the [authentication_ldap_sasl_group_role_mapping](ldap-sasl-variables.md#authentication_ldap_sasl_group_role_mapping) variable also adds the[authentication_ldap_sasl_bind_root_dn](ldap-sasl-variables.md#authentication_ldap_sasl_bind_root_dn) and [authentication_ldap_sasl_bind_root_pwd](ldap-sasl-variables.md#authentication_ldap_sasl_bind_root_pwd) variables. ## Examples @@ -271,8 +261,6 @@ If you installed either plugin at [server startup](#load-the-plugins-at-server-s mysql> UNINSTALL PLUGIN authentication_ldap_simple; ``` - If you used `SET_PERSIST`, use `RESET PERSIST` to remove the settings. - === "Uninstall the SASL-based LDAP authentication plugin" If you installed the plugins at [runtime](#load-the-sasl-based-ldap-authentication-plugin-at-runtime), run the following statements: diff --git a/docs/ldap-system-variables.md b/docs/ldap-sasl-variables.md similarity index 50% rename from docs/ldap-system-variables.md rename to docs/ldap-sasl-variables.md index 7e0f745cad8..b0dd62fa547 100644 --- a/docs/ldap-system-variables.md +++ b/docs/ldap-sasl-variables.md @@ -1,13 +1,9 @@ -# LDAP authentication plugin system variables +# LDAP SASL system variables ## Authentication system variables [Percona 8.0.30-22](release-notes/8.0.30-22.md) adds LDAP_SASL variables and the `fallback` server variables for simple LDAP and SASL-based LDAP. -!!! important - - --8<--- "tech.preview.md:5:5" - The installation adds the following variables: | Variable name | Description | 
@@ -29,23 +25,6 @@ The installation adds the following variables: | [authentication_ldap_sasl_ssl](#authentication_ldap_sasl_ssl) | If plugin connections to the LDAP server use the SSL protocol (ldaps://) | | [authentication_ldap_sasl_tls](#authentication_ldap_sasl_tls) | If plugin connections to the LDAP server are secured with STARTTLS (ldap://) | | [authentication_ldap_sasl_user_search_attr](#authentication_ldap_sasl_user_search_attr) | Name of the attribute that specifies user names in the LDAP directory entries | -| [authentication_ldap_simple_bind_base_dn](#authentication_ldap_simple_bind_base_dn) | Base distinguished name | -| [authentication_ldap_simple_bind_root_dn](#authentication_ldap_simple_bind_root_dn) | Root distinguished name | -| [authentication_ldap_simple_bind_root_dn_pwd](#authentication_ldap_simple_bind_root_pwd) | Password for the root distinguished name | -| [authentication_ldap_simple_ca_path](#authentication_ldap_simple_ca_path) | Absolute path of the certificate authority | -| [authentication_ldap_simple_fallback_server_host](#authentication_ldap_simple_fallback_server_host) | If the primary server is unavailable, the authentication plugin attempts to connect to the fallback server | -| [authentication_ldap_simple_fallback_server_port](#authentication_ldap_simple_fallback_server_port) | The port number for the fallback server | -| [authentication_ldap_simple_group_role_mapping](#authentication_ldap_simple_group_role_mapping) | A list of LDAP group names - MySQL role pairs | -| [authentication_ldap_simple_group_search_attr](#authentication_ldap_simple_group_search_attr) | Name of the attribute that specifies the group names in the LDAP directory entries | -| [authentication_ldap_simple_group_search_filter](#authentication_ldap_simple_group_search_filter) | Custom group search filter | -| [authentication_ldap_simple_init_pool_size](#authentication_ldap_simple_init_pool_size) | Initial size of the connection pool to the LDAP server | -| 
[authentication_ldap_simple_log_status](#authentication_ldap_simple_log_status) | logging level | -| [authentication_ldap_simple_max_pool_size](#authentication_ldap_simple_max_pool_size) | Maximum size of the pool of connections to the LDAP server | -| [authentication_ldap_simple_server_host](#authentication_ldap_simple_server_host) | LDAP server host | -| [authentication_ldap_simple_server_port](#authentication_ldap_simple_server_port) | LDAP server TCP/IP port number | -| [authentication_ldap_simple_ssl](#authentication_ldap_simple_ssl) | If plugin connections to the LDAP server use the SSL protocol (ldaps://) | -| [authentication_ldap_simple_tls](#authentication_ldap_simple_tls) | If plugin connections to the LDAP server are secured with STARTTLS (ldap://) | -| [authentication_ldap_simple_user_search_attr](#authentication_ldap_simple_user_search_attr) | Name of the attribute that specifies user names in the LDAP directory entries | The following variables are described in detail: 
@@ -275,229 +254,4 @@ If this variable is enabled, the plugin connects to the server with TLS. The attribute name that specifies the user names in LDAP directory entries in SASL-based LDAP authentication. -### `authentication_ldap_simple_bind_base_dn` - -| Option | Description | -|--------------|-------------------------------------------------| -| Command-line | --authentication-ldap-simple-bind-base-dn=value | -| Scope | Global | -| Dynamic | Yes | -| Data type | String | -| Default | NULL | - -The base distinguished name (DN) for simple LDAP authentication. You can limit the search scope by using the variable as the base of the search. - -### `authentication_ldap_simple_bind_root_dn` - -| Option | Description | -|--------------|-------------------------------------------------| -| Command-line | --authentication-ldap-simple-bind-root-dn=value | -| Scope | Global | -| Dynamic | Yes | -| Data type | String | -| Default | NULL | - -The `root` distinguished name (DN) used to authenticate simple LDAP. When performing a search, this variable is used with -`authentication_ldap_simple_bind_root_pwd` as the authenticating credentials to the LDAP server. - -### `authentication_ldap_simple_bind_root_pwd` - -| Option | Description | -|--------------|--------------------------------------------------| -| Command-line | --authentication-ldap-simple-bind-root-pwd=value | -| Scope | Global | -| Dynamic | Yes | -| Data type | String | -| Default | NULL | - -The `root` password used to authenticate against simple LDAP server. This variable is used with -[`authentication_ldap_simple_bind_root_dn`](#authentication_ldap_simple_bind_root_dn). 
- -### `authentication_ldap_simple_ca_path` - -| Option | Description | -|--------------|--------------------------------------------| -| Command-line | --authentication-ldap-simple-ca_path=value | -| Scope | Global | -| Dynamic | Yes | -| Data type | String | -| Default | NULL | - -The certificate authority’s absolute path used to verify the LDAP certificate. - -### `authentication_ldap_simple_fallback_server_host` - -| Option | Description | -|---|---| -| Command-line | --authentication-ldap-simple-fallback-server-host | -| Scope | Global | -| Dynamic | Yes | -| Type | Sting | -| Default | NULL | - -Use with [`authentication_ldap_simple_fallback_server_port`](#authentication_ldap_simple_fallback_server_port). - -If the primary server is unavailable, the authentication plugin attempts to connect to the fallback server and authenticate using that server. - -### `authentication_ldap_simple_fallback_server_port` - -| Option | Description | -|---|---| -| Command-line | --authentication-ldap-simple-fallback-server-port | -| Scope | Global | -| Dynamic | Yes | -| Type | Integer | -| Default | NULL | - -Use with [`authentication_ldap_simple_fallback_server_host`](#authentication_ldap_simple_fallback_server_host). - -If the primary server is unavailable, the authentication plugin attempts to connect to the fallback server and authenticate using that server. - -If the fallback server host has a value, and the fallback port is 0, users can specify multiple fallback servers. - -Use this format to specify multiple fallback servers: `authentication_ldap_simple_fallback_server_host="ldap(s)://host:port,ldap(s)://host2:port2`, for example. 
- -### `authentication_ldap_simple_group_role_mapping` - -| Option | Description | -|--------------|--------------------------------------------| -| Command-line | --authentication-ldap-simple-group-role-mapping=value | -| Scope | Global | -| Dynamic | Yes | -| Data type | String | -| Default | Null | - -When an LDAP user logs in, the server checks if the LDAP user is a member of the specified group. If the user is, then the server automatically grants the database server roles to the user. - -The variable has this format: `=,=,`. - -### `authentication_ldap_simple_group_search_attr` - -| Option | Description | -|--------------|--------------------------------------------| -| Command-line | --authentication-ldap-simple-group-search-attr=value | -| Scope | Global | -| Dynamic | Yes | -| Data type | String | -| Default | cn | - -The attribute name that specifies group names in the LDAP directory entries for simple LDAP authentication. - -### `authentication_ldap_simple_group_search_filter` - -| Option | Description | -|--------------|--------------------------------------------| -| Command-line | --authentication-ldap-simple-group-search-filter=value | -| Scope | Global | -| Dynamic | Yes | -| Data type | String | -| Default | (\|(&(objectClass=posixGroup)(memberUid=%s))(&(objectClass=group)(member=%s))) | - -The custom group search filter for simple LDAP authentication. - -### `authentication_ldap_simple_init_pool_size` - -| Option | Description | -|--------------|--------------------------------------------| -| Command-line | --authentication-ldap-simple-init-pool-size=value | -| Scope | Global | -| Dynamic | Yes | -| Data type | Integer | -| Default | 10 | -| Minimum value | 0 | -| Maximum value | 32767 | -| Unit | connections | - -The initial size of the connection pool to the LDAP server for simple LDAP authentication. 
- -### `authentication_ldap_simple_log_status` - -| Option | Description | -|--------------|--------------------------------------------| -| Command-line | --authentication-ldap-simple-log-status=value | -| Scope | Global | -| Dynamic | Yes | -| Data type | Integer | -| Default | 1 | -| Minimum value | 1 | -| Maximum value | 6 | - -The logging level for messages written to the error log for simple LDAP authentication. - -### `authentication_ldap_simple_max_pool_size` - -| Option | Description | -|--------------|--------------------------------------------| -| Command-line | --authentication-ldap-simple-max-pool-size=value | -| Scope | Global | -| Dynamic | Yes | -| Data type | Integer | -| Default | 1000 | -| Minimum value | 0 | -| Maximum value | 32767 | -| Unit | connections | - -The maximum connection pool size to the LDAP server in simple LDAP authentication. The variable is used with [`authentication_ldap_simple_init_pool_size`](#authentication_ldap_simple_init_pool_size). - -### `authentication_ldap_simple_server_host` - -| Option | Description | -|--------------|------------------------------------------------| -| Command-line | --authentication-ldap-simple-server-host=value | -| Scope | Global | -| Dynamic | Yes | -| Data type | String | -| Default | NULL | - -The LDAP server host used for simple LDAP authentication. The LDAP server host can be an IP address or a host name. - -### `authentication_ldap_simple_server_port` - -| Option | Description | -|--------------|------------------------------------------------| -| Command-line | --authentication-ldap-simple-server-port=value | -| Scope | Global | -| Dynamic | Yes | -| Data type | Integer | -| Default | 389 | -| Minimum value | 1 | -| Maximum value | 32376 | - -The LDAP server TCP/IP port number used for simple LDAP authentication. 
- -### `authentication_ldap_simple_ssl` - -| Option | Description | -|--------------|----------------------------------------| -| Command-line | --authentication-ldap-simple-ssl=value | -| Scope | Global | -| Dynamic | Yes | -| Data type | Boolean | -| Default | OFF | - -If this variable is enabled, the plugin connects to the server with SSL. - -### `authentication_ldap_simple_tls` - -| Option | Description | -|--------------|----------------------------------------| -| Command-line | --authentication-ldap-simple-tls=value | -| Scope | Global | -| Dynamic | Yes | -| Data type | Boolean | -| Default | OFF | - -If this variable is enabled, the plugin connects to the server with TLS. - -### `authentication_ldap_simple_user_search_attr` - -| Option | Description | -|--------------|----------------------------------------| -| Command-line | --authentication-ldap-simple-user-search-attr=value | -| Scope | Global | -| Dynamic | Yes | -| Data type | String | -| Default | uid | - -The attribute name that specifies the user names in LDAP directory entries in simple LDAP authentication. - +For more details, see the [LDAP Authentication documentation](ldap-authentication.md). \ No newline at end of file diff --git a/docs/ldap-simple-variables.md b/docs/ldap-simple-variables.md new file mode 100644 index 00000000000..8469b8671d8 --- /dev/null +++ b/docs/ldap-simple-variables.md 
@@ -0,0 +1,243 @@ +# LDAP Simple system variables + +The following variables are static. These variables can only be modified by restarting the server with a new value set in the configuration file (for example, my.cnf or my.ini) or passed as a command-line option when starting the server. + +| Name | +|-----------------------------------------------------------| +| [authentication_ldap_simple_bind_base_dn](#authentication_ldap_simple_bind_base_dn) | +| [authentication_ldap_simple_bind_root_dn](#authentication_ldap_simple_bind_root_dn) | +| [authentication_ldap_simple_bind_root_pwd](#authentication_ldap_simple_bind_root_pwd) | +| [authentication_ldap_simple_ca_path](#authentication_ldap_simple_ca_path) | +| [authentication_ldap_simple_fallback_server_host](#authentication_ldap_simple_fallback_server_host)| +| [authentication_ldap_simple_fallback_server_port](#authentication_ldap_simple_fallback_server_port)| +| [authentication_ldap_simple_group_role_mapping](#authentication_ldap_simple_group_role_mapping) | +| [authentication_ldap_simple_group_search_attr](#authentication_ldap_simple_group_search_attr) | +| [authentication_ldap_simple_group_search_filter](#authentication_ldap_simple_group_search_filter) | +| [authentication_ldap_simple_init_pool_size](#authentication_ldap_simple_init_pool_size) | +| [authentication_ldap_simple_log_status](#authentication_ldap_simple_log_status) | +| [authentication_ldap_simple_max_pool_size](#authentication_ldap_simple_max_pool_size) | +| [authentication_ldap_simple_server_host](#authentication_ldap_simple_server_host) | +| [authentication_ldap_simple_server_port](#authentication_ldap_simple_server_port) | +| [authentication_ldap_simple_ssl](#authentication_ldap_simple_ssl) | +| [authentication_ldap_simple_tls](#authentication_ldap_simple_tls) | +| [authentication_ldap_simple_user_search_attr](#authentication_ldap_simple_user_search_attr) | + +### `authentication_ldap_simple_bind_base_dn` + +| Option | Details | 
+|-----------------------|----------------| +| Command-line | `--authentication-ldap-simple-bind-base-dn` | +| Scope | global | +| Dynamic | Yes | +| Data Type | String | +| Default | NULL | + + +This variable sets the base Distinguished Name (DN) for binding to the LDAP server during simple LDAP authentication. + +Setting this value correctly is crucial for security. Incorrect values can cause authentication failures or security risks. + +### `authentication_ldap_simple_bind_root_dn` + +| **Option** | **Description** | +|---------------------|-------------------------------------------------| +| Command-line | `--authentication-ldap-simple-bind-root-dn=value` | +| Scope | Global | +| Dynamic | No | +| Data type | String | +| Default | NULL | + + +Percona Server for MySQL uses a root Distinguished Name (DN) to connect to the LDAP server for simple LDAP authentication. This variable is used with [authentication_ldap_simple_bind_root_pwd](#authentication_ldap_simple_bind_root_pwd). This root DN, along with the root password, is used to authenticate with the LDAP server and obtain a connection. + +* If the MySQL account does not specify an LDAP user DN: + + * MySQL first authenticates to the LDAP server using the provided root DN and password. + + * Then, it searches the LDAP directory for the user DN corresponding to the MySQL user's name. + + * Finally, MySQL attempts to authenticate using the found user DN and the password provided by the MySQL user. + +If the MySQL account specifies an LDAP user DN: + + * MySQL directly authenticates to the LDAP server using the provided user DN and the password supplied by the MySQL user. + + * This method is faster as it avoids the initial authentication step with the root DN. 
+ +### `authentication_ldap_simple_bind_root_pwd` + +| **Option** | **Description** | +|---------------------|-------------------------------------------------| +| Command-line | `--authentication-ldap-simple-bind-root-pwd=value` | +| Scope | Global | +| Dynamic | No | +| Data type | String | +| Default | NULL | + +The `root` password used to authenticate against an LDAP. This variable is used with [`authentication_ldap_simple_bind_root_dn`](#authentication_ldap_simple_bind_root_dn). + + +### `authentication_ldap_simple_ca_path` + +| **Option** | **Description** | +|---------------------|-------------------------------------------------| +| Command-line | `--authentication-ldap-simple-ca_path=value` | +| Scope | Global | +| Dynamic | No | +| Data type | String | +| Default | Null | + +This variable specifies the absolute path to the Certificate Authority (CA) file for LDAP Simple authentication. This variable allows the authentication plugin to verify the LDAP server certificate, enhancing security. + + +### `authentication_ldap_simple_fallback_server_port` + +| Option | Description | +|---|---| +| Command-line | --authentication-ldap-simple-fallback-server-port | +| Scope | Global | +| Dynamic | Yes | +| Type | Integer | +| Default | NULL | + +Use with [`authentication_ldap_simple_fallback_server_host`](#authentication_ldap_simple_fallback_server_host). + +If the primary server is unavailable, the authentication plugin attempts to connect to the fallback server and authenticate using that server. + +If the fallback server host has a value, and the fallback port is 0, users can specify multiple fallback servers. + +Use this format to specify multiple fallback servers: `authentication_ldap_simple_fallback_server_host="ldap(s)://host:port,ldap(s)://host2:port2`, for example. 
+ +### `authentication_ldap_simple_group_role_mapping` + +| Option | Description | +|--------------|--------------------------------------------| +| Command-line | --authentication-ldap-simple-group-role-mapping=value | +| Scope | Global | +| Dynamic | Yes | +| Data type | String | +| Default | Null | + +When an LDAP user logs in, the server checks if the LDAP user is a member of the specified group. If the user is, then the server automatically grants the database server roles to the user. + +The variable has this format: `=,=,`. + +### `authentication_ldap_simple_group_search_attr` + +| Option | Description | +|--------------|--------------------------------------------| +| Command-line | --authentication-ldap-simple-group-search-attr=value | +| Scope | Global | +| Dynamic | Yes | +| Data type | String | +| Default | cn | + +The attribute name that specifies group names in the LDAP directory entries for simple LDAP authentication. + +### `authentication_ldap_simple_group_search_filter` + +| Option | Description | +|--------------|--------------------------------------------| +| Command-line | --authentication-ldap-simple-group-search-filter=value | +| Scope | Global | +| Dynamic | Yes | +| Data type | String | +| Default | (\|(&(objectClass=posixGroup)(memberUid=%s))(&(objectClass=group)(member=%s))) | + +The custom group search filter for simple LDAP authentication. + +### `authentication_ldap_simple_init_pool_size` + +| Option | Description | +|--------------|--------------------------------------------| +| Command-line | --authentication-ldap-simple-init-pool-size=value | +| Scope | Global | +| Dynamic | Yes | +| Data type | Integer | +| Default | 10 | +| Minimum value | 0 | +| Maximum value | 32767 | +| Unit | connections | + +The initial size of the connection pool to the LDAP server for simple LDAP authentication. 
+ +### `authentication_ldap_simple_log_status` + +| Option | Description | +|--------------|--------------------------------------------| +| Command-line | --authentication-ldap-simple-log-status=value | +| Scope | Global | +| Dynamic | Yes | +| Data type | Integer | +| Default | 1 | +| Minimum value | 1 | +| Maximum value | 6 | + +The logging level for messages written to the error log for simple LDAP authentication. + +### `authentication_ldap_simple_max_pool_size` + +| Option | Description | +|--------------|--------------------------------------------| +| Command-line | --authentication-ldap-simple-max-pool-size=value | +| Scope | Global | +| Dynamic | Yes | +| Data type | Integer | +| Default | 1000 | +| Minimum value | 0 | +| Maximum value | 32767 | +| Unit | connections | + +The maximum connection pool size to the LDAP server in simple LDAP authentication. The variable is used with [`authentication_ldap_simple_init_pool_size`](#authentication_ldap_simple_init_pool_size). + +### `authentication_ldap_simple_server_host` + +| **Option** | **Description** | +|---------------------|-------------------------------------------------| +| Command-line | `--authentication-ldap-simple-server-host=value` | +| Scope | Global | +| Dynamic | No | +| Data type | String | +| Default | Null | + +The LDAP server host used for LDAP authentication. + + +### `authentication_ldap_simple_server_port` + +| **Option** | **Description** | +|---------------------|-------------------------------------------------| +| Command-line | `--authentication-ldap-simple-server-port=value` | +| Scope | Global | +| Dynamic | No | +| Data type | String | +| Default | Null | + +The LDAP server TCP/IP port number used for LDAP authentication. 
+ + +### `authentication_ldap_simple_ssl` + +| **Option** | **Description** | +|---------------------|-------------------------------------------------| +| Command-line | `--authentication-ldap-simple-ssl=value` | +| Scope | Global | +| Dynamic | No | +| Data type | String | +| Default | Null | + +If this variable is enabled, the plugin connects to the server with SSL. + +### `authentication_ldap_simple_tls` + +| **Option** | **Description** | +|---------------------|-------------------------------------------------| +| Command-line | `--authentication-ldap-simple-tls=value` | +| Scope | Global | +| Dynamic | No | +| Data type | String | +| Default | Null | + +If this variable is enabled, the plugin connects to the server with TLS. + +For more details, see the [LDAP Authentication documentation](ldap-authentication.md). \ No newline at end of file diff --git a/mkdocs-base.yml b/mkdocs-base.yml index c678158ce94..4edfc835436 100644 --- a/mkdocs-base.yml +++ b/mkdocs-base.yml @@ -295,7 +295,8 @@ nav: - Secure: - LDAP features: - ldap-authentication.md - - ldap-system-variables.md + - ldap-sasl-variables.md + - ldap-simple-variables.md - Data masking: - data-masking-overview.md - data-masking-comparison.md
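
Review bot: In docs/ldap-authentication.md (hunk `@@ -114,12 +110,6 @@`), the "Load the simple LDAP authentication plugin" tab loses its only example of setting `authentication_ldap_simple_server_host` and `authentication_ldap_simple_bind_base_dn`, and nothing replaces it. The new ldap-simple-variables.md says these values come from the configuration file or the command line, so add a short `[mysqld]` example for my.cnf here; otherwise the tab installs the plugin without showing how to point it at an LDAP server. The SASL tab keeps its `SET PERSIST` lines, so one sentence on why the two tabs now differ would also help. The same applies to the removed `RESET PERSIST` sentence in hunk `@@ -271,8 +261,6 @@`: say how to remove the settings from the configuration file instead.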
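
Review bot: In docs/ldap-authentication.md (hunk `@@ -192,21 +182,21 @@`), the last rewritten line keeps a missing space: `also adds the[authentication_ldap_sasl_bind_root_dn](ldap-sasl-variables.md#...)`. Since the line is being touched anyway, insert the space between "the" and the link so it matches the simple-LDAP paragraph in hunk `@@ -156,21 +146,21 @@`.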
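
Review bot: In docs/ldap-sasl-variables.md (hunk `@@ -1,13 +1,9 @@`), the retained intro sentence still says the release "adds LDAP_SASL variables and the `fallback` server variables for simple LDAP and SASL-based LDAP", although every simple-LDAP variable is removed from this page further down. Reword it to cover only the SASL variables and link to ldap-simple-variables.md for the rest. The new last line of this file and of ldap-simple-variables.md also has no trailing newline (`\ No newline at end of file`).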
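
Review bot: The opening paragraph of docs/ldap-simple-variables.md contradicts the tables below it: it states "The following variables are static" and restart-only, yet the tables for `authentication_ldap_simple_bind_base_dn`, `authentication_ldap_simple_fallback_server_port`, `authentication_ldap_simple_group_role_mapping`, `authentication_ldap_simple_group_search_attr`, `authentication_ldap_simple_group_search_filter`, `authentication_ldap_simple_init_pool_size`, `authentication_ldap_simple_log_status` and `authentication_ldap_simple_max_pool_size` all still read `Dynamic | Yes`. Either set those rows to `No` or limit the intro to the variables that really are static, so a reader knows which changes need a restart.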
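
Review bot: The index table at the top of docs/ldap-simple-variables.md links to `#authentication_ldap_simple_fallback_server_host` and `#authentication_ldap_simple_user_search_attr`, but the new file has no `###` section for either: the sections jump from `authentication_ldap_simple_ca_path` to `authentication_ldap_simple_fallback_server_port`, and the file ends after `authentication_ldap_simple_tls`. That leaves dead anchors here, in the "Use with" link inside the `fallback_server_port` section, and in the rewritten link to `ldap-simple-variables.md#authentication_ldap_simple_user_search_attr` in ldap-authentication.md. Carry both sections over from the text removed from ldap-system-variables.md.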
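
Review bot: In docs/ldap-simple-variables.md, the `authentication_ldap_simple_bind_base_dn` section replaces a concrete description with "Setting this value correctly is crucial for security. Incorrect values can cause authentication failures or security risks.", which does not say what the risk is or what a correct value looks like. The removed text explained that the variable limits the search scope by acting as the base of the search; keep that sentence and tie the warning to it. This table also differs from the others in the file (`Option | Details` header, lowercase `global`, no `=value` on the command-line option), and the section headings sit at `###` directly under the `#` title.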
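
Review bot: In docs/ldap-simple-variables.md, the `authentication_ldap_simple_bind_root_dn` and `authentication_ldap_simple_bind_root_pwd` sections need a note on where the root password should live, because the page now says the value is set only in the configuration file or as `--authentication-ldap-simple-bind-root-pwd=value` on the command line. Command-line arguments can be read by other local users through the process list, so recommend the configuration file with permissions restricted to the server account. In the same `bind_root_dn` section the two cases are formatted differently: "If the MySQL account does not specify an LDAP user DN:" is a bullet, while "If the MySQL account specifies an LDAP user DN:" is a plain paragraph followed by indented bullets. Make them parallel.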
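
Review bot: In docs/ldap-simple-variables.md, the tables for `authentication_ldap_simple_server_port`, `authentication_ldap_simple_ssl` and `authentication_ldap_simple_tls` all show `Data type | String` and `Default | Null`, which looks copied from the `authentication_ldap_simple_server_host` table. The removed versions listed the port as Integer with default 389, minimum 1 and maximum 32376, and the two flags as Boolean with default OFF. Unless the plugin itself changed, restore those rows, and restore the sentence that the server host "can be an IP address or a host name". Two defects are also carried over unchanged from the old page: the multi-server example `authentication_ldap_simple_fallback_server_host="ldap(s)://host:port,ldap(s)://host2:port2` is missing its closing quote, and the `authentication_ldap_simple_group_role_mapping` format is shown as `=,=,` with no group or role placeholders.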
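
Review bot: The rename of docs/ldap-system-variables.md to docs/ldap-sasl-variables.md, together with the mkdocs-base.yml nav change, only updates links inside ldap-authentication.md. Search the rest of the docs tree for remaining references to `ldap-system-variables.md` and consider a redirect from the old path, since any existing link to a simple-LDAP anchor on the old page now has to land on ldap-simple-variables.md instead.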