Authentication¶
Whenever a client connects to Nebula Graph, a session is created. The session stores various contextual information about the connection. Each session is always associated with a single user.
Authentication is the process of mapping this session to a specific user. Once the session is mapped to a user, a set of permissions can be associated with it, using authorization.
Nebula Graph supports two authentication methods, explained in detail below - local and LDAP.
Local authentication¶
The local database stores usernames, encrypted passwords, local user settings and remote LDAP user settings. When a user tries to access the database, they will be met with a security challenge.
To enable the local authentication, follow these steps:
- Set the
--enable_authorizeproperty in thenebula-graphd.confconfiguration file (the directory is/usr/local/nebula/etc/by default) totrue. - Save your modification in step one and close the
nebula-graphd.confconfiguration file. - Restart the Nebula Graph services.
LDAP authentication¶
Lightweight Directory Access Protocol (LDAP) is a lightweight client-server protocol for accessing directory services. Users stored inside LDAP take precedence over the local database users. For example, if both providers have a user called “Amber”, the settings and roles for this user will be sourced from LDAP.
Unlike local authentication, besides enabling the --enable_authorize parameter, LDAP needs to be configured in the nebula-graphd.conf file (the directory is /usr/local/nebula/etc/ by default). Refer to the Integrating LDAP Document for details.
LDAP parameters¶
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| ldap_server | string | "" | A list of ldap server addresses. Multiple addresses are separated with commas. |
| ldap_port | INT32 | Ldap server port. If no port is specified, the default port will be used. | |
| ldap_scheme | string | "ldap" | Only supports ldap. |
| ldap_tls | bool | false | Enable/disable the TLS encryption between graphd and the LDAP server. |
| ldap_suffix | string | "" | Specifies the root suffix (naming context) to use for all LDAP operations. |
| ldap_basedn | string | "" | The LDAP distinguished name (DN) of the search base. |
| ldap_binddn | string | "" | The LDAP user who is allowed to search the base DN. |
| ldap_bindpasswd | string | "" | The password of the user who is mentioned in the bind DN. |
| ldap_searchattribute | string | "" | An array of the required attributes. |
| ldap_searchfilter | string | "" | Specifies a search filter by defining what to search for. It is more flexible than the searchattribut. |
FAQ¶
Error information: Authentication fails, Invalid data length¶
Authentication fails because you had not enable the authentication. Follow the preceding steps to enable the authentication.