Adding a little TLS complexity to authentication_ldap_simple

In a previous post I showed that by default when authentication_ldap_simple communicates with a Windows Domain Controller (or any other LDAP service), then the password is transmitted unencrypted during authentication.

This time I’ll demonstrate how to close this loophole.  A pre-requisite is that the Domain Controller needs to be configured to accept secure connections. This is done by installing a certificate, the process is well documented elsewhere so I won’t repeat it here.

There are two different ways to configure secure communication.  The first method is to set authentication_ldap_simple_server_port to 636.

As of MySQL 8.0.14, if the LDAP port number is configured as 636 or 3269, the plugin uses LDAPS (LDAP over SSL) instead of LDAP. (LDAPS differs from startTLS.)

The second method is to set authentication_ldap_simple_tls to ON.

For simple LDAP authentication, whether connections by the plugin to the LDAP server are secure. If this variable is enabled, the plugin uses TLS to connect securely to the LDAP server.

In both cases we have to set authentication_ldap_simple_ca_path to point to the certificate authority file used when securing the domain controller.  (Pro-tip ensure the both the file attributes of this certificate and of the directory it sits in are such that the mysql process is able to access it, you won’t believe how long I wasted due to this).

Of the two methods, I have been informed that the TLS method is optimal so that is what I will demonstrate.  Note I have found that it’s better to load the plugin and set the variables in the mysql configuration file (my.cnf) and restart the service rather than setting them dynamically (it seems the otherwise the values do not correctly propagate to the appropriate processes due to LDAP connection pooling)  so that’s what I’ll show you.

[root@lnx-mysql8 ~]# tail -5 /etc/my.cnf
plugin-load-add=authentication_ldap_simple.so
authentication_ldap_simple_server_host='win-dc.windows.domain'
authentication_ldap_simple_group_search_attr=
authentication_ldap_simple_tls=ON
authentication_ldap_simple_ca_path='/etc/certs/win-dc.crt'
[root@lnx-mysql8 ~]# 

Let’s have a look at the network traffic on port 389 (LDAP) on MySQL service start.  Observe that, after some initial negotiation regards the certificate, all traffic is encrypted.

[root@lnx-mysql8 ~]# tcpflow -C port 389
tcpflow: listening on enp0s3
0w1.3.6.1.4.1.1466.20037
0(x
1.3.6.1.4.1.1466.20037
]mK?$(UI0,($
kjih98762.*&=5/+'#g@?>3210EDCB1-)%</A C 0B10UXX10UDefault City10U 0B)JJ:7 }$kwIuI_0"%21-dc.windows.domain00 F#qI925rgCbG?{ O{R?_zm+(cx7Ju&+C0A0U0U%0 d&,(V5zVmBj2ZhZw%m@VX}5A2nDf!a)n[wn:~JTm:!0`jL4yMv"8'LH+BHQ K#F _3f]t'u)5B.^/fEKIb.Tj2?03`g5.0RJaF'pH&i=QSa[m3&j~~10&=kv)S%oiH3RvK'wE-tbJ8Tl#:B9tw;MB!FT]7AA7Gn>adwCR#I:x*#IIk8.g62~hd|N_L%OIBC#V|@)o+O_Afo-At~XHt`<fV'r]"u'}GF@<h}- eBA]vEJAu|=-t7ATiPhz(stn`[9U[_s@" (O,tD/'1RT{g6}I3% 0w1.3.6.1.4.1.1466.20037 0(x 1.3.6.1.4.1.1466.20037 )=?s@9fj& *x"80,($ kjih98762.*&=5/+'#g@?>3210EDCB1-)%</A
C

To save you having to refer to previous post here is how to create the AD authenticated user using the LDAP DN (Distinguished Name):

mysql> CREATE USER 'patrick'@'%'
    ->             IDENTIFIED WITH authentication_ldap_simple
    ->             BY 'CN=patrick,CN=Users,DC=WINDOWS,DC=DOMAIN';
Query OK, 0 rows affected (0.01 sec)

I am now able to connect using my Windows username and password:

[root@lnx-mysql8 ~]# mysql                                  \
>                          --host=lnx-mysql8.windows.domain \
>                          --enable-cleartext-plugin        \
>                          --user=patrick                   \
>                          --password=Password123
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 8.0.16-commercial MySQL Enterprise Server - Commercial

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

And let’s check the network traffic to domain controller during the authentication

[root@lnx-mysql8 ~]# tcpflow -C port 389
tcpflow: listening on enp0s3
Whl+E]X=n0ucbDOBt'
.rvY* CKWLS+

No more password in plain sight. It’s still in my bash history, but that’s something I can easily resolve by not passing it as a command line argument 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s