{"id":44,"date":"2021-11-02T21:12:00","date_gmt":"2021-11-03T01:12:00","guid":{"rendered":"https:\/\/www.jumpcloud.com\/engineering-blog\/?p=44"},"modified":"2024-01-29T14:34:50","modified_gmt":"2024-01-29T19:34:50","slug":"using-ldap-authenticate-mysql","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql","title":{"rendered":"Manage MySQL and Related Database Servers with LDAP"},"content":{"rendered":"\n<p><em>This is a refreshed article which initially only focused on integrating the community edition of MySQL with LDAP. That\u2019s no longer possible, so we\u2019ve provided guidance to connect to a variety of popular relational databases that are similar or compatible. You should choose the one that works best for your use case.&nbsp;This article was contributed to by TJ Webb, Cody Pritchard, and Stephen Brown.<\/em><\/p>\n\n\n\n<hr>\n\n\n\n<p><a href=\"http:\/\/www.oracle.com\/us\/products\/mysql\/overview\/index.html\" target=\"_blank\" rel=\"noreferrer noopener\">MySQL<\/a> is a leading relational database system that\u2019s available in commercial and open source offerings that are driven by Oracle. Its ubiquity has spawned several forks, providing several distinct alternatives. Managing users for MySQL is typically a manual chore resulting in extra time, systems, and effort \u2014 and, potentially a security risk when users created in the database are independent of a business&#8217;s identity management system and user provisioning process. The commercial distribution of MySQL supports external user authentication including LDAP using its bundled connectors. The community edition has fewer native options, but LDAP management is still possible when very specific prerequisites and security requirements are met. An unsupported GitHub project can be used to configure a free Linux <a href=\"https:\/\/en.wikipedia.org\/wiki\/Linux_PAM\" target=\"_blank\" rel=\"noreferrer noopener\">PAM<\/a> plugin.&nbsp;<\/p>\n\n\n\n<p>There are other choices for your project within the MySQL \u201cfamily\u201d such as MariaDB and Percona, or another open source SQL database such as Postgres. MariaDB is a free and open source software (FOSS) fork of the MySQL database that has a PAM authentication option. It\u2019s evolved in its <a href=\"https:\/\/mariadb.com\/database-topics\/mariadb-vs-mysql\/\" target=\"_blank\" rel=\"noreferrer noopener\">own direction<\/a> and, while compatible, isn\u2019t a direct substitution of MySQL. Percona is a performance-tuned edition of MySQL that also provides a plugin. We\u2019ve included Postgres as an alternative relational database. Your requirements and budget will determine what solution is the best fit for the job at hand. The common thread is the user management benefits of LDAP, a common user directory that organizations may have, based upon mature and open standards. Connecting SQL databases to LDAP services benefits IT admins in a number of ways:<\/p>\n\n\n\n<ul>\n<li><strong>One central place to manage your user credentials<\/strong> \u2013 Saves time and effort and makes it possible to easily add another authentication factor and\/or business rules for enhanced security following zero-trust principles<\/li>\n\n\n\n<li><strong>SSO<\/strong> \u2013 Your users effectively get single sign-on for their technical applications<\/li>\n\n\n\n<li><strong>Increased security<\/strong> \u2013 Reduces risk of users having access that shouldn\u2019t<\/li>\n<\/ul>\n\n\n\n<p>JumpCloud\u2019s <a href=\"https:\/\/jumpcloud.com\/platform\">cloud directory platform<\/a> makes it easy to manage, authenticate, and authorize MySQL users. The platform\u2019s LDAP service makes it possible for users to be populated in our directory and then MySQL can authenticate via a <a href=\"https:\/\/support.jumpcloud.com\/support\/s\/article\/using-jumpclouds-ldap-as-a-service1\" target=\"_blank\" rel=\"noreferrer noopener\">secure LDAP endpoint<\/a> requiring only minimal configuration necessary on the application side. Multi-factor authentication (MFA) then adds an additional layer of security.<\/p>\n\n\n\n<p>This article covers:<\/p>\n\n\n\n<ul>\n<li>How to manage MySQL users with JumpCloud\n<ul>\n<li>Using the plugins included in the commercial edition of MySQL<\/li>\n\n\n\n<li>How to manage MySQL users with JumpCloud using an open source plugin for the community edition<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>How to manage MariaDB users with JumpCloud<\/li>\n\n\n\n<li>How to manage Percona users with JumpCloud<\/li>\n\n\n\n<li>How to manage Postgres users with JumpCloud<\/li>\n<\/ul>\n\n\n\n<p>Considerations:<\/p>\n\n\n\n<p>If you haven&#8217;t done so already, please <a href=\"https:\/\/console.jumpcloud.com\/signup\">sign up for the JumpCloud service here<\/a>. You can evaluate this entire process below with no commitment. We give you 10 free users forever with the full functionality of the JumpCloud platform and the option for 10 days of live chat support to help you along the way if you get stuck with the integration(s).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Setting Up an LDAP Server<\/h2>\n\n\n\n<p>First, you&#8217;ll need to have an LDAP server to manage your users. You can easily leverage JumpCloud for this purpose by following the steps below. You may also manually provision and configure LDAP if you prefer using OpenLDAP, as an example LDAP server. That configuration option is also outlined here.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Cloud LDAP Using JumpCloud<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Step 1: Preparing JumpCloud as the LDAP Directory<\/h4>\n\n\n\n<p>Before MySQL can be integrated with JumpCloud&#8217;s LDAP endpoint, the following steps need to be completed to ensure it can communicate effectively via ldapsearch.<\/p>\n\n\n\n<ol>\n<li>Log in to the <a href=\"https:\/\/console.jumpcloud.com\/login\" target=\"_blank\" rel=\"noreferrer noopener\">JumpCloud Admin Portal<\/a><\/li>\n\n\n\n<li>Go to USER AUTHENTICATION &gt; LDAP<\/li>\n\n\n\n<li>Click ( + )<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/06\/1.1.png\" alt=\"\" class=\"wp-image-63911\" style=\"width:189px;height:189px\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/06\/1.1.png 300w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/06\/1.1-150x150.png 150w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/figure>\n\n\n\n<p>You may see the message: \u201cTo enable LDAP, you need to have at least one user that\u2019s enabled as LDAP Bind DN.\u201d A Bind DN is a Distinguished Name (DN). This is a credential you\u2019ll <a href=\"https:\/\/support.jumpcloud.com\/support\/s\/article\/using-jumpclouds-ldap-as-a-service1#createuser\" target=\"_blank\" rel=\"noreferrer noopener\">authenticate against<\/a> in LDAP and you may consider creating a \u201cservice\u201d user account specifically for this purpose with a very strong password.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Step 2: Create an LDAP Service User Account<\/h4>\n\n\n\n<p><strong>Create an LDAP Binding user<\/strong><\/p>\n\n\n\n<p>The LDAP Binding user is created to allow the application to gain access to the LDAP directory in order to facilitate authentication requests when a regular LDAP user is attempting to login. JumpCloud does not support anonymous binds. When a user is designated as the Bind DN, they are automatically bound to the JumpCloud LDAP directory. It\u2019s advisable to have a dedicated service account, with a strong password, separate from your regular user accounts.<\/p>\n\n\n\n<ol>\n<li>Log in to the <a href=\"https:\/\/console.jumpcloud.com\/login\">JumpCloud Admin Portal<\/a><\/li>\n\n\n\n<li>Go to USER MANAGEMENT &gt; Users&nbsp;<\/li>\n\n\n\n<li>Click ( + ), then select Manual user entry&nbsp;<\/li>\n\n\n\n<li>Input user information\n<ul>\n<li>First name<\/li>\n\n\n\n<li>Last name<\/li>\n\n\n\n<li>Username (required)<\/li>\n\n\n\n<li>Email (required)<\/li>\n\n\n\n<li>Description<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Under Security Settings and Permission\u200b > Permission Settings\u200b\u200b\u200b\u200b\u200b\u200b\n<ul>\n<li>Click the checkbox next to Enable as LDAP Bind DN. When enabled, this user acts to bind and search to JumpCloud LDAP directory; one or more users can enable this option.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"692\" height=\"500\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/06\/2.1.png\" alt=\"\" class=\"wp-image-63912\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/06\/2.1.png 692w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/06\/2.1-300x217.png 300w\" sizes=\"(max-width: 692px) 100vw, 692px\" \/><\/figure>\n\n\n\n<p>Considerations:<\/p>\n\n\n\n<ul>\n<li>It&#8217;s not required that this user be a \u201cservice account\u201d. Any JumpCloud user can be set as a binding user, although it&#8217;s generally recommended to treat this account as privileged for use only to facilitate the application\u2019s ability to bind\/search the LDAP directory.<\/li>\n\n\n\n<li>This option does <em>not<\/em> grant users access to LDAP. To grant access, see <a href=\"https:\/\/support.jumpcloud.com\/support\/s\/article\/connecting-users-to-resources---grant-access\" target=\"_blank\" rel=\"noreferrer noopener\">Binding Users to Resources<\/a>.<\/li>\n\n\n\n<li>More than one user may be designated as an LDAP Binding user, some applications require this designation for all users of the application. This can be the case if the Bind DN is able to login, but others cannot even though they are bound to the LDAP directory.<\/li>\n\n\n\n<li>The LDAP Binding user can be excluded from the password expiration policy by selecting <a href=\"https:\/\/support.jumpcloud.com\/support\/s\/article\/getting-started-users1-2019-08-21-10-36-47\" target=\"_blank\" rel=\"noreferrer noopener\">Password Never Expires<\/a>. <em>Note: you cannot set that condition until after the binding user is saved and created.<\/em> All other password policies, such as complexity requirements and minimum age, are global and will apply automatically.<\/li>\n<\/ul>\n\n\n\n<p><strong>Adding users to the JumpCloud directory<\/strong><\/p>\n\n\n\n<p>In this next step, you will add users to the directory. These will be the users you desire to provision to MySQL and elsewhere. Follow the steps above in Step 1, yet in this case, you do not need to elect these users as an LDAP Binding account. The MySQL documentation notes that users that will be managed by LDAP must already exist within the directory.<\/p>\n\n\n\n<p><em>Every cloud LDAP integration discussed below requires implementing the steps outlined above.<\/em><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Manual Setup<\/h3>\n\n\n\n<p>The other option is to do it yourself where you\u2019ll be required to stand up and manage an LDAP server to utilize these authentication methods. You&#8217;ll have to manage uptime and maintenance, which creates the potential for a single point of failure (directory availability) within the authentication chain. Rolling your own MFA for added security will involve installing and configuring a FreeRADIUS server and LinOTP to establish a second authentication factor for LDAP.&nbsp;<\/p>\n\n\n\n<p>Linux distributions are capable of <a href=\"https:\/\/en.wikipedia.org\/wiki\/System_Security_Services_Daemon\" target=\"_blank\" rel=\"noreferrer noopener\">configuring<\/a> LDAP to use STARTTLS to secure authentication between the LDAP client and server, but you\u2019ll have to also take on the management of provisioning the certificate and managing keys yourself. For Windows environments, you can configure the Windows native LDAP library either in Windows Server or a VM hosted by a cloud provider through the Add Roles and Features Wizard interface. AD LDS (Active Directory Lightweight Directory Services) must be set up as well as LDAPS.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Linux<\/h4>\n\n\n\n<p>Here are the commands required to install the packages in <strong>Ubuntu Linux<\/strong>.<\/p>\n\n\n\n<code>\n\n\n\n<p>sudo apt update<\/p>\n\n\n\n<\/code>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"692\" height=\"80\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/06\/3.1.png\" alt=\"\" class=\"wp-image-63913\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/06\/3.1.png 692w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/06\/3.1-300x35.png 300w\" sizes=\"(max-width: 692px) 100vw, 692px\" \/><\/figure>\n\n\n\n<code>\n\n\n\n<p>sudo apt install slapd ldap-utils<\/p>\n\n\n\n<\/code>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"692\" height=\"145\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/06\/4.1.png\" alt=\"\" class=\"wp-image-63914\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/06\/4.1.png 692w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/06\/4.1-300x63.png 300w\" sizes=\"(max-width: 692px) 100vw, 692px\" \/><\/figure>\n\n\n\n<p>The subsequent steps can be found <a href=\"https:\/\/ubuntu.com\/server\/docs\/service-ldap\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Windows Server<\/h4>\n\n\n\n<p><strong>Windows users<\/strong> can configure the Windows native LDAP library either in Windows Server or a VM hosted by a cloud provider through the Add Roles and Features Wizard interface. AD LDS (Active Directory Lightweight Directory Services) must be set up as well as LDAPS.<\/p>\n\n\n\n<p>Microsoft\u2019s documentation is <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/sql-server\/step-by-step-guide-to-setup-ldaps-on-windows-server\/ba-p\/385362\" target=\"_blank\" rel=\"noreferrer noopener\">available here<\/a>.<\/p>\n\n\n\n<p>You can easily leverage JumpCloud\u2019s hosted LDAP service instead of standing up your own LDAP server and managing it, all part of Directory-as-a-Service. Connect it to all of your critical apps, and you are good to go. Your users will also appreciate this, as their single account can now be used for technical applications as well.<a href=\"https:\/\/console.jumpcloud.com\/signup\"> <\/a>If you are utilizing MySQL within your organization, <a href=\"https:\/\/console.jumpcloud.com\/signup\">give JumpCloud a try<\/a> to simplify user management and increase database security.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">MySQL Commercial Edition<\/h2>\n\n\n\n<p>Oracle provides MySQL Enterprise as a subscription-based service, which you can configure MySQL to authenticate to the JumpCloud LDAP endpoint. There are two basic options to integrate the commercial MySQL edition with an LDAP directory:&nbsp;<\/p>\n\n\n\n<ul>\n<li><strong>LDAP Pluggable Authentication<\/strong><\/li>\n\n\n\n<li><strong>Privileged Access Management (PAM)<\/strong>&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>LDAP Pluggable Authentication is the most secure method out of the box, using TLS to communicate with the <em>cloud directory<\/em>. However, all approaches listed here <strong>do not use encryption<\/strong> on the <em>client side<\/em> and must be configured correctly to not become a security problem. The involved plugin must also be explicitly enabled to avoid inadvertent password exposure.&nbsp;<\/p>\n\n\n\n<p><em>Please note<\/em> that you won\u2019t be able to install the plugins for <strong>LDAP Pluggable Authentication <\/strong>if you\u2019re running the community build, which lacks the necessary server-side functionality. There are additional steps involved to successfully deploy TLS with the other two methods.<\/p>\n\n\n\n<p>This <a href=\"https:\/\/www.mysql.com\/common\/images\/products\/MySQL_Enterprise_Security_PAM.png\" target=\"_blank\" rel=\"noreferrer noopener\">diagram<\/a> shows all the components except the LDAP server (or ldap.jumpcloud.com) itself: The PAM icon is replaced with the LDAP server since it connects directly.<\/p>\n\n\n\n<p><strong>Please be mindful of this warning and follow all directions. <\/strong>MySQL provides several options for authentication and each has its own documentation as well as advanced options.<\/p>\n\n\n\n<ul>\n<li>Documentation for <strong>LDAP Pluggable Authentication<\/strong> is found in <a href=\"https:\/\/dev.mysql.com\/doc\/refman\/8.0\/en\/ldap-pluggable-authentication.html\" target=\"_blank\" rel=\"noreferrer noopener\">section 6.4.1.7<\/a> of the MySQL Reference Manual.\n<ul>\n<li>Its capacity for external authentication (using a cloud-based directory) would be used to integrate the database with JumpCloud.&nbsp;<\/li>\n\n\n\n<li>The connection can also map users from the directory to native users within MySQL using Proxy user support to avoid recreating users. The instructions outline the prerequisites.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>You can override the OpenLDAP TLS setting and use <a href=\"https:\/\/dev.mysql.com\/doc\/refman\/5.7\/en\/pluggable-authentication-system-variables.html#sysvar_authentication_ldap_sasl_server_port\" target=\"_blank\" rel=\"noreferrer noopener\">StartTLS<\/a> with the LDAP MySQL plugin.<\/li>\n\n\n\n<li>PAM is another option to access external LDAP services, and the documentation is outlined in <a href=\"https:\/\/dev.mysql.com\/doc\/refman\/8.0\/en\/pam-pluggable-authentication.html\" target=\"_blank\" rel=\"noreferrer noopener\">section 6.4.1.5<\/a> of the Reference Manual.\n<ul>\n<li>It makes the application (MySQL) independent of whichever authentication stack the host OS\u2019s admin is using to set your preferences on a per-service basis.&nbsp;<\/li>\n\n\n\n<li>The hostname for the server must be resolvable while you\u2019re configuring PAM authentication.<\/li>\n\n\n\n<li>Note that communication between the PAM stack and LDAP are unencrypted unless you also utilize Linux\u2019s System Security Services Daemon (SSSD) to manage the MySQL LDAP configuration or use <a href=\"https:\/\/jumpcloud.com\/blog\/ldap-vs-ldaps\">LDAPS<\/a> to secure the connection.&nbsp;<\/li>\n\n\n\n<li>The PAM LDAP module can be <a href=\"https:\/\/linux.die.net\/man\/5\/pam_ldap\" target=\"_blank\" rel=\"noreferrer noopener\">configured <\/a>for LDAPS by adding the following options within the PAM configuration file \u201c\/etc\/pam_ldap.conf\u201d:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>Just like with the HTTP protocol, the LDAP protocol can be written using a Uniform Resource Locator or Identifier (URL\/URI) and contain additional information about the directory and associated queries. The customer\u2019s JumpCloud LDAP Directory will always need to point to the DNS name of our OpenLDAP-based Directory Servers: ldap.jumpcloud.com<\/p>\n\n\n\n<p>LDAP URL for unencrypted LDAP Directory Access:&nbsp;&nbsp;<\/p>\n\n\n\n<p>(ldap:\/\/ implies port 389 so specifying the port is not required in most cases.)<\/p>\n\n\n\n<p>ldap:\/\/ldap.jumpcloud.com<\/p>\n\n\n\n<p>ldap:\/\/ldap.jumpcloud.com:389<\/p>\n\n\n\n<p>LDAPS URL for encrypted LDAP Directory Access:<\/p>\n\n\n\n<p>(ldaps:\/\/ implies port 636 so specifying the port is not required in most cases.)<\/p>\n\n\n\n<p>ldaps:\/\/ldap.jumpcloud.com<\/p>\n\n\n\n<p>ldaps:\/\/ldap.jumpcloud.com:636<\/p>\n\n\n\n<p>JumpCloud\u2019s LDAP services would be the hostname used in this configuration.<\/p>\n\n\n\n<p><strong>Port 389 will operate over plain-text if StartTLS is not negotiated.<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">MySQL Community Edition<\/h2>\n\n\n\n<p>Since there are no server-side plugins available in this distribution, another possibility is to use an <a href=\"https:\/\/github.com\/ateamsystems\/ateam_mysql_ldap_auth\" target=\"_blank\" rel=\"noreferrer noopener\">open source plugin<\/a> for the community version that\u2019s developed and maintained by an open source <a href=\"https:\/\/www.ateamsystems.com\/software\/\" target=\"_blank\" rel=\"noreferrer noopener\">development company<\/a>. The caveat is that the community isn\u2019t large and a single vendor is the primary contributor. The <strong>configuration file<\/strong> looks like this with the cacert file being required for an LDAPS connection, which will encrypt LDAP data. It\u2019s an extra step (highlighted below), but is a requisite for good security practice:<\/p>\n\n\n\n<code>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>ldap:<\/td><td><\/td><\/tr><tr><td><\/td><td>{<\/td><\/tr><tr><td><\/td><td>&nbsp; &nbsp; &nbsp; uri &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; = &#8220;ldaps:\/\/ldap.jumpcloud.com:636&#8221;;<\/td><\/tr><tr><td><\/td><td>&nbsp; &nbsp; &nbsp; user_base &nbsp; &nbsp; &nbsp; = &#8220;dc=sample_company,dc=com&#8221;;<\/td><\/tr><tr><td><\/td><td>&nbsp; &nbsp; &nbsp; cacert_file &nbsp; &nbsp; = &#8220;\/etc\/ssl\/ldap\/ca.crt&#8221;;<\/td><\/tr><tr><td><\/td><td>&nbsp; &nbsp; &nbsp; bind_dn &nbsp; &nbsp; &nbsp; &nbsp; = &#8220;uid=&lt;JC LDAP BIND DN username&gt;,o=&lt;JC Org ID&gt;,ou=users,dc=jumpcloud,dc=com&#8221;;<\/td><\/tr><tr><td><\/td><td>&nbsp; &nbsp; &nbsp; bind_pw &nbsp; &nbsp; &nbsp; &nbsp; = &#8220;sample_password&#8221;;<\/td><\/tr><tr><td><\/td><td>&nbsp; &nbsp; &nbsp; login_attribute = &#8220;uid&#8221;;<\/td><\/tr><tr><td><\/td><td>&nbsp; &nbsp; &nbsp; search_filter &nbsp; = &#8220;(objectClass=inetOrgPerson)&#8221;;<\/td><\/tr><tr><td><\/td><td>&nbsp; &nbsp; &nbsp; libldap &nbsp; &nbsp; &nbsp; &nbsp; = &#8220;\/usr\/local\/lib\/libldap.so&#8221;;<\/td><\/tr><tr><td><\/td><td>&nbsp; &nbsp; &nbsp; log_level &nbsp; &nbsp; &nbsp; = &#8220;normal&#8221;; &nbsp; &nbsp; # can be &#8220;normal&#8221; or &#8220;debug&#8221;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<\/code>\n\n\n\n<p><em>The capitalized letters in the bind_dn indicate where to enter your organization\u2019s parameters.<\/em><\/p>\n\n\n\n<p><strong>Note that the password between the client and server is in plaintext by default just as with the MySQL Enterprise PAM module. The LDAP server performs hashing and authentication versus the default of the password being sent onto the MySQL itself.<\/strong><\/p>\n\n\n\n<p><strong>Please see this <\/strong><a href=\"https:\/\/support.jumpcloud.com\/support\/s\/article\/jumpcloud-ldaps-ssl-certificate1\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>knowledge base article<\/strong><\/a><strong> for more information about including a certificate.<\/strong><\/p>\n\n\n\n<p>JumpCloud\u2019s LDAP services would be the hostname used in this configuration, using either of these <a href=\"https:\/\/support.jumpcloud.com\/support\/s\/article\/jumpcloud-ldaps-ssl-certificate1\" target=\"_blank\" rel=\"noreferrer noopener\">options<\/a>:<\/p>\n\n\n\n<p>Using StartTLS (ldap:\/\/ldap.jumpcloud.com:389) or&nbsp;<\/p>\n\n\n\n<p>TLS \/ SSL (ldaps:\/\/ldap.jumpcloud.com:636)<\/p>\n\n\n\n<p><strong>Port 389 will operate over plain-text if StartTLS is not negotiated.<\/strong><\/p>\n\n\n\n<p><em>LDAP groups created in JumpCloud are stored under the same OU as Users. The constructed bind dn reference is the same: ou=users, o=JC_ORD_ID, dc=jumpcloud, dc=com. LDAP is a tree so the customer&#8217;s o=JC_ORG_ID, dc=jumpcloud, dc=com is where their LDAP information is stored. Some configurations ask for explicit locations for users and groups or ask for a single Base DN. The best option here is ou=users. It would work either way, but is more efficient higher up the tree.<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Other FOSS SQL Databases<\/h2>\n\n\n\n<p>The following databases either provide full compatibility with MySQL or can be optimized for different use cases that may be of benefit to your project. They have active open source communities where support is available and builds are updated to be in line with changes made to MySQL.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">MariaDB<\/h3>\n\n\n\n<p>First, install the database. These instructions follow the syntax of Ubuntu and other RPM distributions.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"692\" height=\"80\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/06\/5.1.png\" alt=\"\" class=\"wp-image-63915\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/06\/5.1.png 692w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/06\/5.1-300x35.png 300w\" sizes=\"(max-width: 692px) 100vw, 692px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"692\" height=\"35\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/06\/6.1.png\" alt=\"\" class=\"wp-image-63916\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/06\/6.1.png 692w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/06\/6.1-300x15.png 300w\" sizes=\"(max-width: 692px) 100vw, 692px\" \/><\/figure>\n\n\n\n<p>1a) We recommend approaching this integration using <a href=\"https:\/\/mariadb.com\/kb\/en\/configuring-pam-authentication-and-user-mapping-with-ldap-authentication\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>pam_ldap<\/strong><\/a><strong> <\/strong>for <strong>better security<\/strong>.<\/p>\n\n\n\n<ol>\n<li>The assumption is that an LDAP server is already set up (such as JumpCloud LDAP) but you\u2019ll have to install the PAM packages as another prerequisite.<\/li>\n<\/ol>\n\n\n\n<code>\n\n\n\n<p>sudo yum install openldap-clients nss-pam-ldapd pam pam-devel<\/p>\n\n\n\n<\/code>\n\n\n\n<p><\/p>\n\n\n\n<ol start=\"2\">\n<li>You\u2019ll then have to configure the plugins.<\/li>\n<\/ol>\n\n\n\n<code>\n\n\n\n<p>sudo authconfig &#8211;enableldap \\<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&#8211;enableldapauth \\<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&#8211;ldapserver=&#8221;ldaps:\/\/ldap.jumpcloud.com:636&#8243; \\<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&#8211;ldapbasedn=&#8221;uid=JCUSERNAME, ou=users,dc=jumpcloud,dc=com&#8221; \\<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&#8211;enablemkhomedir \\<\/p>\n\n\n\n<p>&nbsp;&nbsp;&nbsp;&#8211;update<\/p>\n\n\n\n<\/code>\n\n\n\n<ol start=\"3\">\n<li>Next, you\u2019ll install <strong>pam_user_map <\/strong>and configure that service as well.<\/li>\n<\/ol>\n\n\n\n<p>Please see the documentation <a href=\"https:\/\/mariadb.com\/kb\/en\/user-and-group-mapping-with-pam\/#installing-the-pam_user_map-pam-module\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a> for this step.<\/p>\n\n\n\n<ol start=\"4\">\n<li>Install the <strong>auth plugin<\/strong>.<\/li>\n<\/ol>\n\n\n\n<code>\n\n\n\n<p>INSTALL SONAME &#8216;auth_pam&#8217;;<\/p>\n\n\n\n<\/code>\n\n\n\n<p>Then <a href=\"https:\/\/mariadb.com\/kb\/en\/authentication-plugin-pam\/#configuring-the-pam-service\" target=\"_blank\" rel=\"noreferrer noopener\">configure the service<\/a> in \/etc\/pam.d\/mariadb as outlined in Step E.<\/p>\n\n\n\n<ol start=\"5\">\n<li>Only configure<strong> <\/strong><a href=\"https:\/\/mariadb.com\/kb\/en\/authentication-plugin-pam\/#configuring-the-pam-service\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>pam_ldap<\/strong><\/a> (We don\u2019t recommend the pam_unix step)<\/li>\n<\/ol>\n\n\n\n<code>\n\n\n\n<p>auth required pam_ldap.so<\/p>\n\n\n\n<p>auth required pam_user_map.so<\/p>\n\n\n\n<p>account required pam_ldap.so<\/p>\n\n\n\n<\/code>\n\n\n\n<ol start=\"6\">\n<li>The final step is to check your work and <a href=\"https:\/\/mariadb.com\/kb\/en\/configuring-pam-authentication-and-user-mapping-with-ldap-authentication\/#testing-our-configuration\" target=\"_blank\" rel=\"noreferrer noopener\">test the configuration<\/a>.<\/li>\n<\/ol>\n\n\n\n<p>1b) MariaDB also includes a PAM plugin that can be retrieved from the project\u2019s <a href=\"https:\/\/github.com\/MariaDB\/server\/blob\/10.1\/plugin\/auth_pam\/mapper\/pam_user_map.c\" target=\"_blank\" rel=\"noreferrer noopener\">Git repository<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"692\" height=\"70\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/06\/7.1.png\" alt=\"\" class=\"wp-image-63917\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/06\/7.1.png 692w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/06\/7.1-300x30.png 300w\" sizes=\"(max-width: 692px) 100vw, 692px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"692\" height=\"40\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/06\/8.1.png\" alt=\"\" class=\"wp-image-63918\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/06\/8.1.png 692w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/06\/8.1-300x17.png 300w\" sizes=\"(max-width: 692px) 100vw, 692px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"692\" height=\"35\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/06\/9.1.png\" alt=\"\" class=\"wp-image-63919\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/06\/9.1.png 692w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/06\/9.1-300x15.png 300w\" sizes=\"(max-width: 692px) 100vw, 692px\" \/><\/figure>\n\n\n\n<code>\n\n\n\n<p>wget https:\/\/raw.githubusercontent.com\/MariaDB\/server\/10.1\/plugin\/auth_pam\/mapper\/pam_user_map.c<\/p>\n\n\n\n<p>gcc pam_user_map.c -shared -lpam -fPIC -o pam_user_map.so<\/p>\n\n\n\n<p>sudo install &#8211;mode=0755 pam_user_map.so \/lib64\/security\/<\/p>\n\n\n\n<\/code>\n\n\n\n<p>You then follow steps to create a PAM policy and the rest happens primarily on the server side with the installation of the required plugins and creation of service accounts. You can then set up a proxy configuration to map user names between the database and LDAP and set up other policy variables, such as using LDAPS, by following <a href=\"https:\/\/mariadb.com\/kb\/en\/configuring-pam-authentication-and-user-mapping-with-ldap-authentication\/\" target=\"_blank\" rel=\"noreferrer noopener\">these directions<\/a>. Additional documentation about those settings is available <a href=\"https:\/\/mariadb.com\/kb\/en\/configuring-pam-authentication-and-user-mapping-with-ldap-authentication\/\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>.&nbsp;<\/p>\n\n\n\n<p><strong>This approach executes on local Unix authentication, which, same as the other Pam_unix examples above, must be configured correctly due to potential security concerns and best practices. The directions also indicate turning off SELinux (Security-enhanced Linux), a Linux kernel security module that provides access policies such as <\/strong><a href=\"https:\/\/en.wikipedia.org\/wiki\/Mandatory_access_control\"><strong>MAC<\/strong><\/a><strong>, necessitating additional configuration steps to avoid a full disable.<\/strong><\/p>\n\n\n\n<p>JumpCloud\u2019s LDAP services would be the hostname used in this configuration, using either of these <a href=\"https:\/\/support.jumpcloud.com\/support\/s\/article\/jumpcloud-ldaps-ssl-certificate1\" target=\"_blank\" rel=\"noreferrer noopener\">options<\/a>:<\/p>\n\n\n\n<p>Using StartTLS (ldap:\/\/ldap.jumpcloud.com:389) or&nbsp;<\/p>\n\n\n\n<p>TLS \/ SSL (ldaps:\/\/ldap.jumpcloud.com:636)<\/p>\n\n\n\n<p><strong>Port 389 will operate over plain-text if StartTLS is not negotiated.<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Percona<\/h3>\n\n\n\n<p>The Percona server for MySQL is also open source and fully compatible with the primary Oracle distribution. However, it\u2019s more purpose-built and is optimized to handle large amounts of data and memory management for large scale implementations. It\u2019s built to achieve parity with Oracle\u2019s commercial edition for its overall availability, backup, scalability, and security functionality. Another attribute that differentiates it is added visibility monitoring of server operations.<\/p>\n\n\n\n<p>Its PAM plugin is <a href=\"https:\/\/www.percona.com\/blog\/2020\/04\/06\/introducing-the-ldap-authentication-plugin-in-percona-server-for-mysql-8-0-19\/\" target=\"_blank\" rel=\"noreferrer noopener\">documented here<\/a> and the following is an example of the setup that you\u2019ll see:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"692\" height=\"115\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/06\/10.1.png\" alt=\"\" class=\"wp-image-63920\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/06\/10.1.png 692w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/06\/10.1-300x50.png 300w\" sizes=\"(max-width: 692px) 100vw, 692px\" \/><\/figure>\n\n\n\n<p>There are a few minor changes necessary to connect with the cloud directory. JumpCloud leverages LDAP Bind DNs, which means that we construct our DNs differently than the example Percona provides above. We also do not use the &#8220;standard&#8221; ou=People, and instead use&nbsp; ou=Users for both User objects and Groups for full membership authorization reflected per JumpCloud-managed LDAP groups. The syntax is as follows:<\/p>\n\n\n\n<code>\n\n\n\n<p>uid=LDAP_BINDING_USER,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com<\/p>\n\n\n\n<\/code>\n\n\n\n<p>JumpCloud\u2019s LDAP services would be the hostname used in this configuration, using either of these <a href=\"https:\/\/support.jumpcloud.com\/support\/s\/article\/jumpcloud-ldaps-ssl-certificate1\">options<\/a>:<\/p>\n\n\n\n<p>Using StartTLS (ldap:\/\/ldap.jumpcloud.com:389) or&nbsp;<\/p>\n\n\n\n<p>TLS \/ SSL (ldaps:\/\/ldap.jumpcloud.com:636)<\/p>\n\n\n\n<p><strong>Port 389 will operate over plain-text if StartTLS is not negotiated.<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Postgres<\/h3>\n\n\n\n<p>PostgreSQL is a more SQL compliant relational database than MySQL, which makes it more reliable for data due to its stricter nature by default. It can authenticate directly with LDAP (or LDAPS) and has several configuration options <a href=\"https:\/\/www.postgresql.org\/docs\/current\/auth-ldap.html\" target=\"_blank\" rel=\"noreferrer noopener\">outlined here<\/a>.<\/p>\n\n\n\n<p>You\u2019ll want to follow the mode \u201csimple bind mode\u201d to integrate with JumpCloud.<\/p>\n\n\n\n<p>The following example is from the documentation and will work with OpenLDAP.<\/p>\n\n\n\n<p>\u201cIn the first mode, which we will call the simple bind mode, the server will bind to the distinguished name constructed as <strong><em>prefix<\/em><\/strong> <strong><em>username<\/em><\/strong> <strong><em>suffix<\/em><\/strong>. Typically, the <strong><em>prefix<\/em><\/strong> parameter is used to specify cn=, or <strong><em>DOMAIN<\/em><\/strong>\\ in an Active Directory environment. <strong><em>suffix<\/em><\/strong> is used to specify the remaining part of the DN in a non-Active Directory environment.\u201d<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" width=\"692\" height=\"30\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/06\/11.1.png\" alt=\"\" class=\"wp-image-63921\" style=\"width:824px;height:36px\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/06\/11.1.png 692w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/06\/11.1-300x13.png 300w\" sizes=\"(max-width: 692px) 100vw, 692px\" \/><\/figure>\n\n\n\n<p>As noted above, make the following changes to the LDAP Bind DN user to configure your connection for JumpCloud LDAP:<\/p>\n\n\n\n<code>\n\n\n\n<p>uid=LDAP_BINDING_USER,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com<\/p>\n\n\n\n<\/code>\n\n\n\n<p>JumpCloud\u2019s LDAP services would be the hostname used in this configuration, using either of these <a href=\"https:\/\/support.jumpcloud.com\/support\/s\/article\/jumpcloud-ldaps-ssl-certificate1\">options<\/a>:<\/p>\n\n\n\n<p>Using StartTLS (ldap:\/\/ldap.jumpcloud.com:389) or&nbsp;<\/p>\n\n\n\n<p>TLS \/ SSL (ldaps:\/\/ldap.jumpcloud.com:636)<\/p>\n\n\n\n<p><strong>Port 389 will operate over plain-text if StartTLS is not negotiated.<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Try JumpCloud<\/h2>\n\n\n\n<p>Learn about other <a href=\"https:\/\/jumpcloud.com\/blog\/how-to-connect-your-application-to-ldap\">JumpCloud LDAP configurations<\/a> for your applications. We hope that you\u2019ll try our platform for its convenience, the time you\u2019ll save, and security capabilities. You can <a href=\"https:\/\/console.jumpcloud.com\/signup\">sign up today<\/a> to experiment with these integrations and add additional security for safer authentications through the JumpCloud platform without having to stand up additional server infrastructure.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Using JumpCloud&#8217;s Cloud LDAP, admins can authenticate users to their MySQL databases from the cloud with simplicity.<\/p>\n","protected":false},"author":150,"featured_media":55,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_oasis_is_in_workflow":0,"_oasis_original":0,"_oasis_task_priority":"","inline_featured_image":false,"footnotes":""},"categories":[23,2781,42],"tags":[],"collection":[2778,2779],"platform":[],"funnel_stage":[3014],"coauthors":[2535],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v22.9 (Yoast SEO v22.9) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How To Authenticate MySQL Using JumpCloud&#039;s Cloud LDAP<\/title>\n<meta name=\"description\" content=\"Using JumpCloud&#039;s Cloud LDAP, admins can authenticate users to their MySQL databases from the cloud with simplicity.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Manage MySQL and Related Database Servers with LDAP\" \/>\n<meta property=\"og:description\" content=\"Using JumpCloud&#039;s Cloud LDAP, admins can authenticate users to their MySQL databases from the cloud with simplicity.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql\" \/>\n<meta property=\"og:site_name\" content=\"JumpCloud\" \/>\n<meta property=\"article:published_time\" content=\"2021-11-03T01:12:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-01-29T19:34:50+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2014\/12\/mysql-logo-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1\" \/>\n\t<meta property=\"og:image:height\" content=\"1\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"David Worthington\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"David Worthington\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"16 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql#article\",\"isPartOf\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql\"},\"author\":{\"name\":\"David Worthington\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/person\/185ca12034835ee50ee17b100abdfb2e\"},\"headline\":\"Manage MySQL and Related Database Servers with LDAP\",\"datePublished\":\"2021-11-03T01:12:00+00:00\",\"dateModified\":\"2024-01-29T19:34:50+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql\"},\"wordCount\":3076,\"publisher\":{\"@id\":\"https:\/\/jumpcloud.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2014\/12\/mysql-logo-1.png\",\"articleSection\":[\"Best Practices\",\"How-To\",\"News\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql\",\"url\":\"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql\",\"name\":\"How To Authenticate MySQL Using JumpCloud's Cloud LDAP\",\"isPartOf\":{\"@id\":\"https:\/\/jumpcloud.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql#primaryimage\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2014\/12\/mysql-logo-1.png\",\"datePublished\":\"2021-11-03T01:12:00+00:00\",\"dateModified\":\"2024-01-29T19:34:50+00:00\",\"description\":\"Using JumpCloud's Cloud LDAP, admins can authenticate users to their MySQL databases from the cloud with simplicity.\",\"breadcrumb\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql#primaryimage\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2014\/12\/mysql-logo-1.png\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2014\/12\/mysql-logo-1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jumpcloud.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Manage MySQL and Related Database Servers with LDAP\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jumpcloud.com\/#website\",\"url\":\"https:\/\/jumpcloud.com\/\",\"name\":\"JumpCloud\",\"description\":\"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.\",\"publisher\":{\"@id\":\"https:\/\/jumpcloud.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jumpcloud.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/jumpcloud.com\/#organization\",\"name\":\"JumpCloud\",\"url\":\"https:\/\/jumpcloud.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"width\":598,\"height\":101,\"caption\":\"JumpCloud\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/person\/185ca12034835ee50ee17b100abdfb2e\",\"name\":\"David Worthington\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/person\/image\/d9acf1381c6e5b50c0f50d47b7b05411\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/a6dde901b469c9005c22973e42038d62?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/a6dde901b469c9005c22973e42038d62?s=96&d=mm&r=g\",\"caption\":\"David Worthington\"},\"description\":\"I'm the JumpCloud Champion for Product, Security. JumpCloud and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.\",\"sameAs\":[\"https:\/\/jumpcloud.com\/blog\",\"david.worthington@jumpcloud.com\"]}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"How To Authenticate MySQL Using JumpCloud's Cloud LDAP","description":"Using JumpCloud's Cloud LDAP, admins can authenticate users to their MySQL databases from the cloud with simplicity.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql","og_locale":"en_US","og_type":"article","og_title":"Manage MySQL and Related Database Servers with LDAP","og_description":"Using JumpCloud's Cloud LDAP, admins can authenticate users to their MySQL databases from the cloud with simplicity.","og_url":"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql","og_site_name":"JumpCloud","article_published_time":"2021-11-03T01:12:00+00:00","article_modified_time":"2024-01-29T19:34:50+00:00","og_image":[{"url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2014\/12\/mysql-logo-1.png","width":1,"height":1,"type":"image\/png"}],"author":"David Worthington","twitter_card":"summary_large_image","twitter_misc":{"Written by":"David Worthington","Est. reading time":"16 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql#article","isPartOf":{"@id":"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql"},"author":{"name":"David Worthington","@id":"https:\/\/jumpcloud.com\/#\/schema\/person\/185ca12034835ee50ee17b100abdfb2e"},"headline":"Manage MySQL and Related Database Servers with LDAP","datePublished":"2021-11-03T01:12:00+00:00","dateModified":"2024-01-29T19:34:50+00:00","mainEntityOfPage":{"@id":"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql"},"wordCount":3076,"publisher":{"@id":"https:\/\/jumpcloud.com\/#organization"},"image":{"@id":"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql#primaryimage"},"thumbnailUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2014\/12\/mysql-logo-1.png","articleSection":["Best Practices","How-To","News"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql","url":"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql","name":"How To Authenticate MySQL Using JumpCloud's Cloud LDAP","isPartOf":{"@id":"https:\/\/jumpcloud.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql#primaryimage"},"image":{"@id":"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql#primaryimage"},"thumbnailUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2014\/12\/mysql-logo-1.png","datePublished":"2021-11-03T01:12:00+00:00","dateModified":"2024-01-29T19:34:50+00:00","description":"Using JumpCloud's Cloud LDAP, admins can authenticate users to their MySQL databases from the cloud with simplicity.","breadcrumb":{"@id":"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql#primaryimage","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2014\/12\/mysql-logo-1.png","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2014\/12\/mysql-logo-1.png"},{"@type":"BreadcrumbList","@id":"https:\/\/jumpcloud.com\/blog\/using-ldap-authenticate-mysql#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jumpcloud.com\/"},{"@type":"ListItem","position":2,"name":"Manage MySQL and Related Database Servers with LDAP"}]},{"@type":"WebSite","@id":"https:\/\/jumpcloud.com\/#website","url":"https:\/\/jumpcloud.com\/","name":"JumpCloud","description":"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.","publisher":{"@id":"https:\/\/jumpcloud.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jumpcloud.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/jumpcloud.com\/#organization","name":"JumpCloud","url":"https:\/\/jumpcloud.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","width":598,"height":101,"caption":"JumpCloud"},"image":{"@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/jumpcloud.com\/#\/schema\/person\/185ca12034835ee50ee17b100abdfb2e","name":"David Worthington","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/#\/schema\/person\/image\/d9acf1381c6e5b50c0f50d47b7b05411","url":"https:\/\/secure.gravatar.com\/avatar\/a6dde901b469c9005c22973e42038d62?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/a6dde901b469c9005c22973e42038d62?s=96&d=mm&r=g","caption":"David Worthington"},"description":"I'm the JumpCloud Champion for Product, Security. JumpCloud and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.","sameAs":["https:\/\/jumpcloud.com\/blog","david.worthington@jumpcloud.com"]}]}},"_links":{"self":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts\/44"}],"collection":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/users\/150"}],"replies":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/comments?post=44"}],"version-history":[{"count":3,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts\/44\/revisions"}],"predecessor-version":[{"id":104319,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts\/44\/revisions\/104319"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/media\/55"}],"wp:attachment":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/media?parent=44"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/categories?post=44"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/tags?post=44"},{"taxonomy":"collection","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/collection?post=44"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/platform?post=44"},{"taxonomy":"funnel_stage","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/funnel_stage?post=44"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/coauthors?post=44"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}