OpenLDAP authentication¶
This topic introduces how to connect Nebula Graph to the OpenLDAP server and use the DN (Distinguished Name) and password defined in OpenLDAP for authentication.
Enterpriseonly
This feature is supported by the Enterprise Edition only.
Authentication method¶
After the OpenLDAP authentication is enabled and users log into Nebula Graph with the account and password, Nebula Graph checks whether the login account exists in the Meta service. If the account exists, Nebula Graph finds the corresponding DN in OpenLDAP according to the authentication method and verifies the password.
OpenLDAP supports two authentication methods: simple bind authentication (SimpleBindAuth) and search bind authentication (SearchBindAuth).
SimpleBindAuth¶
Simple bind authentication splices the login account and the configuration information of Graph services into a DN that can be recognized by OpenLDAP, and then authenticates on OpenLDAP based on the DN and password.
SearchBindAuth¶
Search bind authentication reads the Graph service configuration information and queries whether the uid
in the configuration matches the login account. If they match, search bind authentication reads the DN, and then uses the DN and password to verify on OpenLDAP.
Prerequisites¶
- OpenLDAP is installed.
- The account and password are imported on OpenLDAP.
- The server where OpenLDAP is located has opened the corresponding authentication port.
Procedures¶
Take the existing account test2
and password passwdtest2
on OpenLDAP as an example.
-
Connect to Nebula Graph, create and authorize the shadow account
test2
corresponding to OpenLDAP.nebula> CREATE USER test2 WITH PASSWORD ''; nebula> GRANT ROLE ADMIN ON basketballplayer TO test2;
!!! note
When creating an account in Nebula Graph, the password can be set arbitrarily.
-
Edit the configuration file
nebula-graphd.conf
(The default path is/usr/local/nebula/etc/
):-
SimpleBindAuth (Recommended)
# Whether to get the configuration information from the configuration file. --local_config=true # Whether to enable authentication. --enable_authorize=true # Authentication methods include password, ldap, and cloud. --auth_type=ldap # The address of the OpenLDAP server. --ldap_server=192.168.8.211 # The port of the OpenLDAP server. --ldap_port=389 # The name of the Schema in OpenLDAP. --ldap_scheme=ldap # The prefix of DN. --ldap_prefix=uid= # The suffix of DN. --ldap_suffix=,ou=it,dc=sys,dc=com
-
SearchBindAuth
# Whether to get the configuration information from the configuration file. --local_config=true # Whether to enable authentication. --enable_authorize=true # Authentication methods include password, ldap, and cloud. --auth_type=ldap # The address of the OpenLDAP server. --ldap_server=192.168.8.211 # The port of the OpenLDAP server. --ldap_port=389 # The name of the Schema in OpenLDAP. --ldap_scheme=ldap # The DN that binds the target. --ldap_basedn=ou=it,dc=sys,dc=com
-
-
Restart Nebula Graph services to make the new configuration valid.
-
Run the login test.
$ ./nebula-console --addr 127.0.0.1 --port 9669 -u test2 -p passwdtest2 2021/09/08 03:49:39 [INFO] connection pool is initialized successfully Welcome to Nebula Graph!
!!! note
After using OpenLDAP for authentication, local users (including `root`) cannot log in normally.