I mentioned in my previous blog entry that I had encountered an issue with this plugin, and now that it has been fixed in the latest MySQL versions (released on 2019-04-25) I think it is reasonable to share my findings.
The following tests are with MySQL Version 8.0.13. I start by installing the plugin, pointing it at my Windows Domain Controller and creating a user associated with the DN of my Windows account.
```
mysql> INSTALL PLUGIN authentication_ldap_simple SONAME 'authentication_ldap_simple.so';
Query OK, 0 rows affected (0.05 sec)

mysql> SET GLOBAL authentication_ldap_simple_server_host='win-dc.windows.domain';
Query OK, 0 rows affected (0.00 sec)

mysql> CREATE USER 'patrick'@'%'
    -> IDENTIFIED WITH authentication_ldap_simple
    -> BY 'CN=patrick,CN=Users,DC=WINDOWS,DC=DOMAIN';
Query OK, 0 rows affected (0.08 sec)
```
Next we test that everything works OK by trying to log in with my correct Windows password.
```
[patrick@WIN-CLIENT] C:\> mysql `
>> --host=lnx-mysql8.windows.domain `
>> --user=patrick `
>> --password=Password123 `
>> --enable-cleartext-plugin
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 63
Server version: 8.0.13-commercial MySQL Enterprise Server - Commercial
...
mysql>
```
Providing a wrong password is denied, as it should be. Everything is as expected so far.
```
[patrick@WIN-CLIENT] C:\> mysql `
>> --host=lnx-mysql8.windows.domain `
>> --user=patrick `
>> --password=WrongPassword `
>> --enable-cleartext-plugin
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'patrick'@'WIN-CLIENT.windows.domain'...
```
However, what would you expect to happen if I try to log in to this account without providing a password at all? Let's see…
```
[patrick@WIN-CLIENT] C:\> mysql `
>> --host=lnx-mysql8.windows.domain `
>> --user=patrick `
>> --enable-cleartext-plugin
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 30
Server version: 8.0.13-commercial MySQL Enterprise Server - Commercial
...
mysql> select current_user();
+----------------+
| current_user() |
+----------------+
| patrick@%      |
+----------------+
1 row in set (0.00 sec)
```
Huh? It lets me in! After double-checking everything I raised an SR for this; a bug was created and fixed in 8.0.16. Apparently the 5.7 branch was also affected, and the fix is in 5.7.26 as well.
Bug #29637712: The authentication_ldap_simple plugin could enforce authentication incorrectly.
Let's test in 8.0.16. One difference here is that I have to set the variable authentication_ldap_simple_group_search_attr to '' (the empty string) to disable AD group checking. This behaviour, related to proxy users, seems to have been introduced in 8.0.14, but on my lab setup the group check breaks authentication completely, so I disable it.
```
mysql> INSTALL PLUGIN authentication_ldap_simple SONAME 'authentication_ldap_simple.so';
Query OK, 0 rows affected (0.00 sec)

mysql> SET GLOBAL authentication_ldap_simple_bind_base_dn='DC=WINDOWS,DC=DOMAIN';
Query OK, 0 rows affected (0.00 sec)

mysql> SET GLOBAL authentication_ldap_simple_group_search_attr='';
Query OK, 0 rows affected (0.00 sec)

mysql> CREATE USER 'patrick'@'%'
    -> IDENTIFIED WITH authentication_ldap_simple
    -> BY 'CN=patrick,CN=Users,DC=WINDOWS,DC=DOMAIN';
Query OK, 0 rows affected (0.00 sec)
```
I won't repeat the tests for correct and incorrect password handling, as they still behave as before, but I will show the behaviour when no password is specified.
```
[patrick@WIN-CLIENT] C:\> mysql `
>> --host=lnx-mysql8.windows.domain `
>> --user=patrick `
>> --enable-cleartext-plugin
ERROR 1045 (28000): Access denied for user 'patrick'@'WIN-CLIENT.windows.domain' (using password: YES)
[patrick@WIN-CLIENT] C:\>
```
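The post does not say what the root cause was, so as an added illustration (my code, not MySQL's or Oracle's) the model below shows one way an LDAP simple-bind authenticator can fail in exactly this pattern: RFC 4513 section 5.1.2 defines a bind with a DN and an empty password as an "unauthenticated bind", which servers that allow it (Active Directory does by default) answer with success while granting only anonymous authorization. An authenticator that equates "bind succeeded" with "password verified" therefore admits an empty password; the hardened variant refuses empty passwords before binding, as the RFC advises clients to do. The directory, the FakeDirectory class and the Password123 credential are a constructed stand-in, not a real LDAP client.

```python
from dataclasses import dataclass, field


@dataclass
class FakeDirectory:
    """Constructed stand-in for a directory server (no real LDAP traffic).

    Models RFC 4513 bind semantics: empty DN + empty password is an anonymous
    bind, non-empty DN + empty password is an 'unauthenticated bind' that the
    server may accept (returning success with anonymous authorization), and
    anything else is a normal simple bind checked against the stored password.
    """
    entries: dict = field(default_factory=dict)  # DN -> password (sample data)
    allow_unauthenticated: bool = True            # Active Directory default

    def simple_bind(self, dn: str, password: str) -> bool:
        if not dn and not password:
            return True                       # anonymous bind
        if dn and not password:
            return self.allow_unauthenticated  # unauthenticated bind
        return self.entries.get(dn) == password


def authenticate_naive(directory: FakeDirectory, dn: str, password: str) -> bool:
    """Treats any successful bind as proof of identity: the pattern that
    lets a passwordless login through."""
    return directory.simple_bind(dn, password)


def authenticate_hardened(directory: FakeDirectory, dn: str, password: str) -> bool:
    """Never bind with an empty password (RFC 4513 s5.1.2 client guidance), so
    an unauthenticated bind can never be mistaken for a verified credential."""
    if not password:
        return False
    return directory.simple_bind(dn, password)


def run_checks(auth) -> dict:
    """Replay the three logins from the post against an authenticator."""
    dn = "CN=patrick,CN=Users,DC=WINDOWS,DC=DOMAIN"
    ad = FakeDirectory({dn: "Password123"})  # constructed sample credential
    return {
        "correct": auth(ad, dn, "Password123"),
        "wrong": auth(ad, dn, "WrongPassword"),
        "empty": auth(ad, dn, ""),
    }


if __name__ == "__main__":
    print("naive   :", run_checks(authenticate_naive))     # empty -> True
    print("hardened:", run_checks(authenticate_hardened))  # empty -> False
```

The same three logins are what to replay against a real server to check whether an installation is affected: correct and wrong passwords should behave as before, and the empty-password login must be refused.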
I'm not sure whether anyone is using authentication_ldap_simple, given that it sends passwords unencrypted between the database server and the domain controller, but if you are, I'd suggest checking whether you are susceptible to this issue and, if so, applying the latest patch set as soon as possible.
I'm also not sure whether this is specific to LDAP authentication against Active Directory or whether other directory services are affected too. I also wonder whether authentication_ldap_sasl is affected, but I don't have a configuration with which to test that.