~drizzle-trunk/drizzle/development

« back to all changes in this revision

Viewing changes to plugin/auth_ldap/docs/index.rst

Committer: Mark Atwood
Date: 2011-11-22 17:04:41 UTC
mfrom: (2462.1.3 drizzle-include)
Revision ID: me@mark.atwood.name-20111122170441-5dehm0e0ax20z19b

merge lp:~brianaker/drizzle/fedora-16-fixes

files added:
drizzled/query_id.cc

drizzled/query_id.h

files removed:
bootstrap.sh

libdrizzle-1.0/t

libdrizzle-1.0/t/c_test.c

libdrizzle-1.0/t/client_server.c

libdrizzle-1.0/t/common.h

libdrizzle-1.0/t/drizzle_column_st.c

libdrizzle-1.0/t/drizzle_con_st.c

libdrizzle-1.0/t/drizzle_query_st.c

libdrizzle-1.0/t/drizzle_result_st.c

libdrizzle-1.0/t/drizzle_st.c

libdrizzle-1.0/t/include.am

libdrizzle-2.0/command.h

libdrizzle-2.0/deprecated_enum.h

libdrizzle-2.0/limits.h

libdrizzle-2.0/return.h

libdrizzle-2.0/verbose.h

files renamed:
libdrizzle/column.cc => libdrizzle-1.0/column.c

libdrizzle/command.cc => libdrizzle-1.0/command.c

libdrizzle/conn.cc => libdrizzle-1.0/conn.c

libdrizzle/conn_uds.cc => libdrizzle-1.0/conn_uds.c

libdrizzle/drizzle.cc => libdrizzle-1.0/drizzle.c

libdrizzle/field.cc => libdrizzle-1.0/field.c

libdrizzle/handshake.cc => libdrizzle-1.0/handshake.c

libdrizzle/mysql_password_hash.cc => libdrizzle-1.0/mysql_password_hash.cc

libdrizzle/pack.cc => libdrizzle-1.0/pack.c

libdrizzle/query.cc => libdrizzle-1.0/query.c

libdrizzle/result.cc => libdrizzle-1.0/result.c

libdrizzle/row.cc => libdrizzle-1.0/row.c

libdrizzle/sha1.cc => libdrizzle-1.0/sha1.c

libdrizzle/state.cc => libdrizzle-1.0/state.c

files modified:
.bzrignore

client/drizzle.cc

client/drizzledump_data.cc

client/drizzledump_data.h

client/drizzleimport.cc

client/drizzleslap.cc

client/include.am

docs/information_schema.rst

docs/libdrizzle/constants.rst

drizzled/drizzled.cc

drizzled/function/get_system_var.cc

drizzled/include.am

drizzled/internal/m_string.h

drizzled/show.cc

drizzled/sql_parse.cc

drizzled/sys_var.h

examples/client.cc

examples/pipe_query.cc

examples/proxy.cc

examples/server.cc

examples/simple_multi.cc

examples/sqlite_server.cc

libdrizzle-1.0/column.h

libdrizzle-1.0/command_client.h

libdrizzle-1.0/command_server.h

libdrizzle-1.0/common.h

libdrizzle-1.0/constants.h

libdrizzle-1.0/include.am

libdrizzle-1.0/query.h

libdrizzle-1.0/result.h

libdrizzle-1.0/structs.h

libdrizzle-1.0/visibility.h

libdrizzle-2.0/column.cc

libdrizzle-2.0/conn.cc

libdrizzle-2.0/constants.h

libdrizzle-2.0/drizzle.cc

libdrizzle-2.0/drizzle.h

libdrizzle-2.0/drizzle_client.h

libdrizzle-2.0/drizzle_server.h

libdrizzle-2.0/handshake.cc

libdrizzle-2.0/include.am

libdrizzle-2.0/libdrizzle.hpp

libdrizzle-2.0/query.cc

libdrizzle-2.0/query.h

libdrizzle-2.0/result.cc

libdrizzle-2.0/result.h

libdrizzle-2.0/row.cc

libdrizzle-2.0/structs.h

libdrizzle/include.am

plugin/auth_ldap/auth_ldap.cc

plugin/auth_ldap/docs/index.rst

plugin/auth_ldap/plugin.ini

plugin/auth_ldap/schema/drizzle_create_ldap_user

plugin/auth_ldap/test_ldap.sh

plugin/auth_schema/module.cc

plugin/mysql_protocol/mysql_protocol.cc

plugin/slave/queue_producer.cc

plugin/slave/queue_producer.h

plugin/transaction_log/utilities/transaction_log_connection.cc

plugin/transaction_log/utilities/transaction_log_connection.h

support-files/include.am

tests/include/analyze_failure_sync_with_master.test

tests/include/grant_cache.inc

tests/include/master-slave-reset.inc

tests/include/master-slave.inc

tests/include/wait_slave_status.inc

tests/randgen/gentest.pl

tests/randgen/runall.pl

tests/randgen/simpipe-crash.pl

tests/randgen/simpipe.pl

Show diffs side-by-side

added added

removed removed

plugin/auth_ldap/docs/index.rst

using an :abbr:`LDAP (Lightweight Directory Access Protocol)` server. An

LDAP server is required to provide authentication.

Note that a typical use case for using LDAP based authentication, and the

intention with this module, is to be able to consolidate your Drizzle usernames

and passwords in cases where you are already using LDAP in your organization

(such as for Linux or Windows or other system passwords).

If you are not currently using LDAP for any kind of authentication, you should

be aware that this is not the simplest authentication method available. For other

alternatives for managing Drizzle users and passwords, see

:doc:`/administration/authentication`. A simple authentication module, whose

behavior will be familiar to those familiar with MySQL and its method for

storing usernames and passwords, is the :doc:`/plugins/auth_schema/index` plugin.

.. note::

Unload the :doc:`/plugins/auth_all/index` plugin before using this plugin.

--plugin-add=auth_ldap

Or, to disable the ability to login without a password, use::

--plugin-add=auth_pam --plugin-remove=auth_all

Just loading this plugin will not enable or configure it. To actually bind to an

LDAP directory you also need to configure it. See the plugin's

Loading the plugin may not enable or configure it. See the plugin's

:ref:`auth_ldap_configuration` and :ref:`auth_ldap_variables`.

.. seealso:: :ref:`drizzled_plugin_options` for more information about adding and removing plugins.

DN to use when searching.

Drizzle uses the ``LDAP_SCOPE_ONELEVEL`` option when searching the LDAP

directory. This means you must specify the full base-dn. For instance, if

you have users defined in the dn ``ou=people,dn=example,dn=com`` authentication

will fail if you only specify ``dn=example,dn=com``. (See

:ref:`auth_ldap_limitations`)

.. option:: --auth-ldap.bind-dn ARG

.. option:: --auth-ldap.bind-db ARG

:Default:

:Variable: :ref:`auth_ldap_bind_dn <auth_ldap_bind_dn>`

DN to use when binding to the LDAP server.

Until Drizzle 2011.11.29 (a Drizzle 7.1 beta release) this option was mistakenly

called ``bind-db``. Starting with release 2011.12.30 that option will no longer

work, the correct option is ``bind-dn``. (The corresponding variable was

always ref:`auth_ldap_bind_dn <auth_ldap_bind_dn>` and is unchanged.)

.. option:: --auth-ldap.bind-password ARG

:Default:

:Variable: :ref:`auth_ldap_bind_password <auth_ldap_bind_password>`

Password to use when binding the DN, ie. your LDAP admin password.

Password to use when binding the DN.

.. option:: --auth-ldap.cache-timeout ARG

:Default: ``600``

:Default: ``0``

:Variable: :ref:`auth_ldap_cache_timeout <auth_ldap_cache_timeout>`

How often to empty the users cache. The default is 10 minutes.

A value of 0 means never: if a user has once connected to Drizzle, his

credentials will then be cached until the next restart. Any changes to the

100

LDAP directory, such as changing the password, would not be visible in

101

drizzled as long as it wasn't restarted.

How often to empty the users cache, 0 to disable.

102

103

.. option:: --auth-ldap.mysql-password-attribute ARG

104

105

:Default: ``drizzleMysqlUserPassword``

:Default: ``mysqlUserPassword``

106

:Variable: :ref:`auth_ldap_mysql_password_attribute <auth_ldap_mysql_password_attribute>`

107

108

Attribute in LDAP with MySQL hashed password.

109

110

Until Drizzle 2011.11.29 (a Drizzle 7.1 beta release) the default value of this

111

option was ``mysqlUserPassword``. Beginning with release 2011.12.30

112

it was changed to ``drizzleMysqlUserPassword`` to match the provided

113

openldap ldif schema.

114

115

.. option:: --auth-ldap.password-attribute ARG

116

117

:Default: ``userPassword``

150

111

151

112

:Scope: Global

152

113

:Dynamic: No

153

:Option: :option:`--auth-ldap.bind-dn`

114

:Option: :option:`--auth-ldap.bind-db`

154

115

155

116

DN to use when binding to the LDAP server.

156

117

164

125

165

126

Password to use when binding the DN.

166

127

167

Note: This variable existed until Drizzle 2011.11.29, in particular it was part

168

of the Drizzle 7 stable release. For security reasons this variable has been

169

removed in Drizzle release 2011.12.30, a Drizzle 7.1 beta release. There was

170

no valid reason to expose your LDAP admin password to every Drizzle user.

171

172

128

.. _auth_ldap_cache_timeout:

173

129

174

130

* ``auth_ldap_cache_timeout``

214

170

Examples

215

171

--------

216

172

217

Setting up an LDAP directory

218

^^^^^^^^^^^^^^^^^^^^^^^^^^^^

219

220

Using and configuring an LDAP server is outside the scope of this manual, but

221

for the purpose of showing some examples we need an LDAP server to connect to.

222

Below are some minimal steps you need to do to have in place first.

223

224

The following example was tried on Ubuntu Linux, version 11.04 natty. Some

225

earlier versions of Ubuntu require more steps to configure your empty LDAP

226

directory, see `this Ubuntu tutorial for more detailed

227

instructions <http://https://help.ubuntu.com/11.04/serverguide/C/openldap-server.html>`_

228

and similarly see tutorials for your own Linux distribution if those do not work

229

for you.

230

231

To install OpenLDAP:

232

233

.. code-block:: bash

234

235

sudo apt-get install slapd ldap-utils

236

237

The installation asks you to provide an administrator password. In this example

238

we've used `secret`.

239

240

Copy the following text into a file backend.example.com.ldif [1]_:

241

242

.. code-block:: none

243

244

# Load dynamic backend modules

245

dn: cn=module,cn=config

246

objectClass: olcModuleList

247

cn: module

248

olcModulepath: /usr/lib/ldap

249

olcModuleload: back_hdb.la

250

251

# Database settings

252

dn: olcDatabase=hdb,cn=config

253

objectClass: olcDatabaseConfig

254

objectClass: olcHdbConfig

255

olcDatabase: {1}hdb

256

olcSuffix: dc=example,dc=com

257

olcDbDirectory: /var/lib/ldap

258

olcRootDN: cn=admin,dc=example,dc=com

259

olcRootPW: secret

260

olcDbConfig: set_cachesize 0 2097152 0

261

olcDbConfig: set_lk_max_objects 1500

262

olcDbConfig: set_lk_max_locks 1500

263

olcDbConfig: set_lk_max_lockers 1500

264

olcDbIndex: objectClass eq

265

olcLastMod: TRUE

266

olcDbCheckpoint: 512 30

267

olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none

268

olcAccess: to attrs=shadowLastChange by self write by * read

269

olcAccess: to dn.base="" by * read

270

olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

271

272

Copy the following text into a file frontend.example.com.ldif:

273

274

.. code-block:: none

275

276

# Create top-level object in domain

277

dn: dc=example,dc=com

278

objectClass: top

279

objectClass: dcObject

280

objectclass: organization

281

o: Example Organization

282

dc: Example

283

description: LDAP Example

284

285

# Admin user.

286

dn: cn=admin,dc=example,dc=com

287

objectClass: simpleSecurityObject

288

objectClass: organizationalRole

289

cn: admin

290

description: LDAP administrator

291

userPassword: secret

292

293

dn: ou=people,dc=example,dc=com

294

objectClass: organizationalUnit

295

ou: people

296

297

dn: ou=groups,dc=example,dc=com

298

objectClass: organizationalUnit

299

ou: groups

300

301

dn: uid=john,ou=people,dc=example,dc=com

302

objectClass: inetOrgPerson

303

objectClass: posixAccount

304

objectClass: shadowAccount

305

uid: john

306

sn: Doe

307

givenName: John

308

cn: John Doe

309

displayName: John Doe

310

uidNumber: 1000

311

gidNumber: 10000

312

userPassword: password

313

gecos: John Doe

314

loginShell: /bin/bash

315

homeDirectory: /home/john

316

shadowExpire: -1

317

shadowFlag: 0

318

shadowWarning: 7

319

shadowMin: 8

320

shadowMax: 999999

321

shadowLastChange: 10877

322

mail: john.doe@example.com

323

postalCode: 31000

324

l: Toulouse

325

o: Example

326

mobile: +33 (0)6 xx xx xx xx

327

homePhone: +33 (0)5 xx xx xx xx

328

title: System Administrator

329

postalAddress:

330

initials: JD

331

332

dn: cn=example,ou=groups,dc=example,dc=com

333

objectClass: posixGroup

334

cn: example

335

gidNumber: 10000

336

337

Now we create our database and settings, along with the standard

338

"inetOrgPerson" LDAP schema:

339

340

.. code-block:: none

341

342

$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.example.com.ldif

343

SASL/EXTERNAL authentication started

344

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

345

SASL SSF: 0

346

adding new entry "cn=module,cn=config"

347

348

adding new entry "olcDatabase=hdb,cn=config"

349

350

$ sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.example.com.ldif

351

Enter LDAP Password: secret

352

adding new entry "dc=example,dc=com"

353

354

adding new entry "cn=admin,dc=example,dc=com"

355

356

adding new entry "ou=people,dc=example,dc=com"

357

358

adding new entry "ou=groups,dc=example,dc=com"

359

360

adding new entry "uid=john,ou=people,dc=example,dc=com"

361

362

adding new entry "cn=example,ou=groups,dc=example,dc=com"

363

364

In the above we first created the database and defined a method to access it.

365

As you see, in the second ldapadd command we now need to provide the admin

366

password `secret` to do further changes, and will need to use it in all further

367

commands too.

368

369

The second command creates a classic `inetOrgPerson` schema, with a user

370

"John Doe" (Common Name) who has a uid "john" and various other information

371

commonly part of a UNIX system account. In fact the LDAP object type is called

372

posixAccount! User john is part of the Organizational Unit "people" in the

373

domain example.com.

374

375

You can verify that everything is working so far by searching for John:

376

377

.. code-block:: none

378

379

$ ldapsearch -xLLL -b "ou=people,dc=example,dc=com" uid=john

380

dn: uid=john,ou=people,dc=example,dc=com

381

objectClass: inetOrgPerson

382

objectClass: posixAccount

383

objectClass: shadowAccount

384

uid: john

385

sn: Doe

386

givenName: John

387

cn: John Doe

388

displayName: John Doe

389

uidNumber: 1000

390

gidNumber: 10000

391

gecos: John Doe

392

loginShell: /bin/bash

393

homeDirectory: /home/john

394

shadowExpire: -1

395

shadowFlag: 0

396

shadowWarning: 7

397

shadowMin: 8

398

shadowMax: 999999

399

shadowLastChange: 10877

400

mail: john.doe@example.com

401

postalCode: 31000

402

l: Toulouse

403

o: Example

404

mobile: +33 (0)6 xx xx xx xx

405

homePhone: +33 (0)5 xx xx xx xx

406

title: System Administrator

407

postalAddress:

408

initials: JD

409

410

If you look closely you see that the userPassword field is not shown. Don't

411

worry! It is stored in the directory, it is just not shown in search results for

412

security reasons.

413

414

.. _auth_ldap_examples_add_user:

415

416

Adding a Drizzle user to LDAP

417

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

418

419

You could just setup Drizzle to authenticate against standard LDAP accounts like

420

John Doe above. But the recommended way is to add a specific Drizzle schema.

421

You will find this in ``$DRIZZLE_ROOT/share/drizzle7/drizzle_openldap.ldif``.

422

You can add it to your LDAP schema like this:

423

424

.. code-block:: none

425

426

$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f share/drizzle7/drizzle_openldap.ldif

427

SASL/EXTERNAL authentication started

428

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

429

SASL SSF: 0

430

adding new entry "cn=drizzle,cn=schema,cn=config"

431

432

Now we can add a Drizzle user to our directory. At this point we will need to

433

store the users Drizzle password. Note that Drizzle, just like MySQL, will

434

prefer to store and use a doubly hashed version of the user password. Other

435

Drizzle authentication plugins, like auth_schema, do the same. (But some plugins

436

do not and Drizzle can use either, since it supports two different

437

authentication protocols for this purpose).

438

439

Drizzle 7.1 ships with a nice utility to calculate those hashes called

440

``drizzle_password_hash``. You simply give it the password and it outputs

441

the doubly hashed string:

442

443

.. code-block:: none

444

445

$ bin/drizzle_password_hash secret

446

14E65567ABDB5135D0CFD9A70B3032C179A49EE7

447

448

We will use this utility when creating the LDAP entry for our Drizzle user.

449

450

Note that the above value is different from what the LDAP directory as the

451

userPassword entry. The Unix or Posix way to store passwords is to just hash

452

them once. You can have a look in your ``/etc/shadow`` file to see what they

453

look like. Anyway, for this reason our Drizzle schema that we just added has

454

an additional field ``drizzleUserPassword`` to store the Drizzle encoded form

455

of the same password. (Or the passwords can also be different, but we will

456

assume most people like to use the same password.)

457

458

Since Drizzle 7.1 there is also a nice helper script included to create the ldif

459

records you need to add new Drizzle users to your LDAP. Using this script is

460

of course voluntary and you can use any LDAP manager tool you want. But we will

461

use it for this tutorial.

462

463

Let's create the user hingo:

464

465

.. code-block:: none

466

467

$ share/drizzle7/drizzle_create_ldap_user -p secret -b bin/drizzle_password_hash -u hingo -n 1 -l "ou=people,dc=example,dc=com" > hingo.example.com.ldif

468

$ cat hingo.example.com.ldif

469

dn: uid=hingo,ou=people,dc=example,dc=com

470

objectclass: top

471

objectclass: posixAccount

472

objectclass: account

473

objectclass: drizzleUser

474

drizzleUserMysqlPassword: 14E65567ABDB5135D0CFD9A70B3032C179A49EE7

475

uidNumber: 500

476

gidNumber: 500

477

uid: hingo

478

homeDirectory: /home/hingo

479

loginshell: /sbin/nologin

480

userPassword: secret

481

cn: hingo

482

483

If you want, you could use this as a template to further edit the entry.

484

Drizzle will only care about the `drizzleUserMySQLPassword`, `uid` and sometimes

485

(at your option) the `userPassword`. So you can freely edit the rest of the

486

entries to suit you. For instance if this user will also be a user on your Linux

487

system, make sure to set the loginshell to ``/bin/bash`` and check the uid and

488

gid numbers. The ``cn`` field is often used to store the full name of the person,

489

like "Henrik Ingo". (But this is not used by Drizzle.)

490

491

We now add the above user to the directory:

492

493

.. code-block:: none

494

495

$ sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f hingo.example.com.ldif

496

Enter LDAP Password:

497

adding new entry "uid=hingo,ou=people,dc=example,dc=com"

498

499

.. _auth_ldap_examples_start_server:

500

501

Starting Drizzle Server and binding to the LDAP server

502

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

503

504

It is now time to start the Drizzle server with the needed options so that we

505

can use the LDAP directory for authentication services:

506

507

.. code-block:: none

508

509

$ sbin/drizzled --plugin-remove=auth_all

510

--plugin-add=auth_ldap

511

--auth-ldap.bind-password=secret

512

--auth-ldap.bind-dn="cn=admin,dc=example,dc=com"

513

--auth-ldap.base-dn="ou=people,dc=example,dc=com"

514

515

`(Give all options on one line.)`

516

517

``bind-password`` and ``bind-dn`` are used by drizzled to bind to the LDAP

518

server. ``base-dn`` is the DN where our Drizzle users are stored.

519

520

.. _auth_ldap_examples_connect:

521

522

Connecting to Drizzle with the client

523

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

524

525

We can now use a username and password from the LDAP directory when connecting

526

to Drizzle:

527

528

.. code-block:: none

529

530

$ bin/drizzle --user=hingo --password

531

Enter password:

532

Welcome to the Drizzle client.. Commands end with ; or \g.

533

Your Drizzle connection id is 2

534

Connection protocol: mysql

535

Server version: 2011.10.28.2459 Source distribution (drizzle-auth_ldap-fix-and-docs)

536

537

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

538

539

drizzle>

540

541

.. _auth_ldap_examples_connect_clear_password:

542

543

Using the userPassword system password with Drizzle

544

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

545

546

It is also possible to use the password from the userPassword field when

547

connecting with Drizzle. This could be beneficial or necessary to allow

548

all users who already exist in the directory, but didn't have a

549

drizzleUserPassword set for them, to connect to Drizzle.

550

551

To do this, you have to give the extra option ``--protocol mysql-plugin-auth``

552

to the drizzle client. This will tell the drizzle client to send the password

553

in cleartext to the server, using the MySQL old-password protocol.

554

555

We could use this to connect to Drizzle with the username john, that

556

we added in the beginning of this tutorial.

557

558

.. code-block:: none

559

560

$ drizzle --password --protocol mysql-plugin-auth --user=john

561

Enter password:

562

Welcome to the Drizzle client.. Commands end with ; or \g.

563

Your Drizzle connection id is 2

564

Connection protocol: mysql-plugin-auth

565

Server version: 2011.10.28.2459 Source distribution (drizzle-auth_ldap-fix-and-docs)

566

567

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

568

569

drizzle>

570

571

.. note::

572

573

Using cleartext passwords is **not recommended**. Please note that

574

the connection between drizzle client and drizzled server is completely

575

unencrypted, so other people on your network could easily find out the

576

password if this method is used.

577

578

579

.. _auth_ldap_limitations:

580

581

Limitations

582

-----------

583

584

The option ``LDAP_SCOPE_ONELEVEL`` option is used when searching the LDAP

585

directory. This means you must specify the full base-dn. For instance, if

586

you have users defined in the dn ``ou=people,dn=example,dn=com`` authentication

587

will fail if you only specify ``dn=example,dn=com``. A consequence of this is

588

that all your Drizzle users must belong to the same LDAP organizationalUnit.

589

590

This is currently a fixed option and can only be changed by editing source code.

591

However, there is no reason why it couldn't be a configurable option to also

592

allow multi level searches. Please contact the Drizzle developers if you have

593

such needs. (See :doc:`/help`)

594

173

Sorry, there are no examples for this plugin.

595

174

596

175

.. _auth_ldap_authors:

597

176

598

177

Authors

599

178

-------

600

179

601

:Code: Eric Day, Edward "Koko" Konetzko, Henrik Ingo

602

:Documentation: Henrik Ingo

180

Eric Day

603

181

604

182

.. _auth_ldap_version:

605

183

606

184

Version

607

185

-------

608

186

609

This documentation applies to **auth_ldap 0.2**.

187

This documentation applies to **auth_ldap 0.1**.

610

188

611

189

To see which version of the plugin a Drizzle server is running, execute:

612

190

617

195

Changelog

618

196

---------

619

197

620

v0.2

621

^^^^

622

* Add proper documentation.

623

* Fix various bugs found while documenting, including:

624

* drizzle_create_ldap_user would append a counter at the end of each username, such as hingo0. Now it's just the username.

625

* LDAP directory is now searched for uid field, not cn.

626

* Change default value of --auth-ldap.mysql-password-attribute to drizzleMysqlUserPassword.

627

* --auth-ldap.bind-db was changed to --auth-ldap.bind-dn

628

* Variable auth_ldap_bind_password is no longer shown in SHOW VARIABLES.

629

630

631

198

v0.1

632

199

^^^^

633

200

* First release.

634

635

.. [1] Configuration scripts courtesy of `Ubuntu OpenLDAP server tutorial <https://help.ubuntu.com/11.04/serverguide/C/openldap-server.html>`_

b'\\ No newline at end of file'

Older »