MySQL Enterprise Monitor 8.0.17 Manual

14.7 External Authentication

Table 14.3 External Authentication

Name Description

Disabled

No external authentication system is used. All user authentication is performed in MySQL Enterprise Monitor.

LDAP Authentication

Enables the LDAP configuration. Populate the fields as required by your LDAP installation.

Active Directory Authentication

Enables the Active Directory configuration. Populate the fields as required by your Active Directory installation.

Is Authoritative

To make the selected authentication system the authoritative authentication mechanism, check Is Authoritative.

Important

If you select this option, and the LDAP service is misconfigured, you can lock yourself out of MySQL Enterprise Monitor entirely.


External Authentication

Enables you to configure external authentication using LDAP or Active Directory.

Figure 14.6 External Authentication Settings: LDAP


Table 14.4 LDAP Authentication

Name Description

Primary Server Hostname and Port Number

Hostname or IP address of the primary LDAP directory server, and the port number of the primary LDAP server. If you have enabled encryption, you must change the port to the one used for SSL connections.

Secondary Server Hostname and Port Number

Hostname or IP address of the secondary LDAP directory server, and the port number of the secondary LDAP server. If you have enabled encryption, you must change the port to the one used for SSL connections.

Connect Timeout (seconds)

Time elapsed without establishing a connection to the LDAP server. If a connection is not established within the defined number of seconds, an error is returned.

Read Timeout (seconds)

Time elapsed without a response to a request for data from the LDAP server. If no response is received within the defined number of seconds, an error is returned.

Encryption

Encryption type required for communication with the LDAP server(s). Supported options are None, StartTLS, and SSL.

Referrals

Authentication follows the referrals provided by the server. The default is to use whatever the LDAP directory server is configured to do.

External Authentication Server Allows Anonymous Binds

Optionally allow anonymous binds. When unchecked, MySQL Enterprise Monitor provides for a pre-auth bind user to look up account records. For Active Directory, the most common user account attribute is sAMAccountName, whereas it is common for Unix-based LDAP to use CN. If the Active Directory server is not configured to honor CN binds, it cannot fetch credentials.

Authentication Mode

The authentication mode to use.

  • Bind as User: binds to the LDAP directory using the credentials given to log in to MySQL Enterprise Service Manager.

  • Comparison: requires an LDAP login/password that can see the configured password attribute, so that it can be compared with the given credentials.

User Full Name Attribute Name

Define the attribute that holds the user's full name. This enables the system to return the full name of the user.

Search by User Distinguished Name (DN) Pattern

In the User Search Pattern field, define the pattern specifying the LDAP search filter to use after substitution of the username, where {0} defines where the username should be substituted for the DN.

Search by User Attribute Pattern

In the User Search Base (leave blank for top level) field, define the value to use as the base of the subtree containing users. If not specified, the search base is the top-level context.

To search the entire subtree, starting at the User Search Base Entry, enable Search entire subtree. If disabled, a single-level search is performed, including only the top level. To include nested roles in the search, enable Search Nested Roles.

User Search Attribute Pattern

The attribute pattern to use in user searches.

Map External Roles to Application Roles

Specifies whether the roles defined in LDAP should map to MySQL Enterprise Monitor application roles. If this option is enabled and LDAP is not configured to be authoritative, a user who authenticates successfully via LDAP and has a valid mapped role is granted permissions to the application. Roles are mapped according to the entries in the Application Role/LDAP Role(s) fields, which take comma-separated lists of LDAP roles to map to the given MySQL Enterprise Monitor roles. If you select this option, additional fields are displayed which enable you to configure how roles are found in the LDAP server.
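
The following added example (not part of the original manual and not MySQL Enterprise Monitor code) illustrates the `{0}` substitution described for the user search pattern fields above, and why a username must be escaped differently when it lands in a DN than when it lands in a search filter. The two sample patterns and all function names are assumptions chosen for illustration.

```python
# Added illustration (not MySQL Enterprise Monitor code): expanding {0} in a
# DN pattern and in a search filter, escaping the username for each context.

# Constructed sample patterns; real values depend on your directory layout.
DN_PATTERN = "uid={0},ou=people,dc=example,dc=com"
FILTER_PATTERN = "(&(objectClass=person)(uid={0}))"


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)      # DN metacharacters
        elif ch == "\0":
            out.append("\\00")         # NUL is always hex-escaped
        elif (ch in " #" and i == 0) or (ch == " " and i == len(value) - 1):
            out.append("\\" + ch)      # leading space or '#', trailing space
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def expand(pattern: str, username: str, escape) -> str:
    """Substitute the escaped username for every {0} in the pattern."""
    return pattern.replace("{0}", escape(username))


def user_dn(username: str) -> str:
    return expand(DN_PATTERN, username, escape_dn_value)


def user_filter(username: str) -> str:
    return expand(FILTER_PATTERN, username, escape_filter_value)


if __name__ == "__main__":
    # Constructed usernames: one plain, two containing metacharacters.
    for name in ["jsmith", "smith, john", "dev*(ops)"]:
        print(repr(name), "->", user_dn(name), "|", user_filter(name))
```
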


Active Directory Authentication

Enables you to configure Active Directory authentication.

Table 14.5 Active Directory Authentication

Name Description

Domain

The Active Directory Domain.

Primary Server Hostname

Hostname of the Active Directory server to use.

Secondary Server Hostname

Secondary Active Directory hostname. This is optional.

Map LDAP Roles to Application Roles

Whether the roles defined in Active Directory can be mapped to those defined in MySQL Enterprise Monitor.