Skip to content

OpenLDAP authentication

This topic introduces how to connect NebulaGraph to the OpenLDAP server and use the DN (Distinguished Name) and password defined in OpenLDAP for authentication.

Enterpriseonly

This feature is supported by the Enterprise Edition only.

Authentication method

After the OpenLDAP authentication is enabled and users log into NebulaGraph with the account and password, NebulaGraph checks whether the login account exists in the Meta service. If the account exists, NebulaGraph finds the corresponding DN in OpenLDAP according to the authentication method and verifies the password.

OpenLDAP supports two authentication methods: simple bind authentication (SimpleBindAuth) and search bind authentication (SearchBindAuth).

SimpleBindAuth

Simple bind authentication splices the login account and the configuration information of Graph services into a DN that can be recognized by OpenLDAP, and then authenticates on OpenLDAP based on the DN and password.

SearchBindAuth

Search bind authentication reads the Graph service configuration information and queries whether the uid in the configuration matches the login account. If they match, search bind authentication reads the DN, and then uses the DN and password to verify on OpenLDAP.

Prerequisites

  • The account and password are imported on OpenLDAP.
  • The server where OpenLDAP is located has opened the corresponding authentication port.

Procedures

Take the existing account test2 and password passwdtest2 on OpenLDAP as an example.

  1. Connect to NebulaGraph, create and authorize the shadow account test2 corresponding to OpenLDAP.

    nebula> CREATE USER test2 WITH PASSWORD '';
    nebula> GRANT ROLE ADMIN ON basketballplayer TO test2;
    

    !!! note

      When creating an account in NebulaGraph, the password can be set arbitrarily.
    
  2. Edit the configuration file nebula-graphd.conf (The default path is/usr/local/nebula/etc/):

    • SimpleBindAuth (Recommended)

      # Whether to get the configuration information from the configuration file.
      --local_config=true
      # Whether to enable authentication.
      --enable_authorize=true
      # Authentication methods include password, ldap, and cloud.
      --auth_type=ldap
      # The address of the OpenLDAP server.
      --ldap_server=192.168.8.211
      # The port of the OpenLDAP server.
      --ldap_port=389
      # The name of the Schema in OpenLDAP.
      --ldap_scheme=ldap
      # The prefix of DN.
      --ldap_prefix=uid=
      # The suffix of DN.
      --ldap_suffix=,ou=it,dc=sys,dc=com
      
    • SearchBindAuth

      # Whether to get the configuration information from the configuration file.
      --local_config=true
      # Whether to enable authentication.
      --enable_authorize=true
      # Authentication methods include password, ldap, and cloud.
      --auth_type=ldap
      # The address of the OpenLDAP server.
      --ldap_server=192.168.8.211
      # The port of the OpenLDAP server.
      --ldap_port=389
      # The name of the Schema in OpenLDAP.
      --ldap_scheme=ldap
      # The DN that binds the target.
      --ldap_basedn=ou=it,dc=sys,dc=com
      
  3. Restart NebulaGraph services to make the new configuration valid.

  4. Run the login test.

    $ ./nebula-console --addr 127.0.0.1 --port 9669 -u test2 -p passwdtest2
    2021/09/08 03:49:39 [INFO] connection pool is initialized successfully
    
    Welcome to NebulaGraph!
    

    !!! note

      After using OpenLDAP for authentication, local users (including `root`) cannot log in normally.
    

Last update: March 13, 2023