OpenLDAP authentication
This topic introduces how to connect NebulaGraph to the OpenLDAP server and use the DN (Distinguished Name) and password defined in OpenLDAP for authentication.
Enterprise only
This feature is supported by the Enterprise Edition only.
Authentication method
After the OpenLDAP authentication is enabled and users log into NebulaGraph with the account and password, NebulaGraph checks whether the login account exists in the Meta service. If the account exists, NebulaGraph finds the corresponding DN in OpenLDAP according to the authentication method and verifies the password.
OpenLDAP supports two authentication methods: simple bind authentication (SimpleBindAuth) and search bind authentication (SearchBindAuth).
SimpleBindAuth
Simple bind authentication concatenates the login account with the prefix and suffix configured for the Graph service into a DN that OpenLDAP recognizes, and then binds to OpenLDAP with that DN and the password.
SearchBindAuth
Search bind authentication reads the Graph service configuration and searches OpenLDAP for an entry whose uid attribute matches the login account. If such an entry exists, search bind authentication reads its DN, and then binds to OpenLDAP with that DN and the password.
Caution
Only the uid attribute in OpenLDAP can be used to specify a username for SearchBindAuth.
Prerequisites
- OpenLDAP is installed.
- The account and password are imported on OpenLDAP.
- The server hosting OpenLDAP has the corresponding authentication port open.
Procedures
Take the existing OpenLDAP account test2 with the password passwdtest2 as an example.
- Connect to NebulaGraph, then create and authorize the shadow account test2 that corresponds to the OpenLDAP account:

    nebula> CREATE USER test2 WITH PASSWORD '';
    nebula> GRANT ROLE ADMIN ON basketballplayer TO test2;
Note
When creating an account in NebulaGraph, the password can be set arbitrarily.
- Edit the configuration file nebula-graphd.conf (the default path is /usr/local/nebula/etc/):
  - SimpleBindAuth (Recommended)

        # Whether to get the configuration information from the configuration file.
        --local_config=true
        # Whether to enable authentication.
        --enable_authorize=true
        # Authentication methods include password, ldap, and cloud.
        --auth_type=ldap
        # The address of the OpenLDAP server.
        --ldap_server=192.168.8.211
        # The port of the OpenLDAP server.
        --ldap_port=389
        # The name of the Schema in OpenLDAP.
        --ldap_scheme=ldap
        # The prefix of DN.
        --ldap_prefix=uid=
        # The suffix of DN.
        --ldap_suffix=,ou=it,dc=sys,dc=com

  - SearchBindAuth

        # Whether to get the configuration information from the configuration file.
        --local_config=true
        # Whether to enable authentication.
        --enable_authorize=true
        # Authentication methods include password, ldap, and cloud.
        --auth_type=ldap
        # The address of the OpenLDAP server.
        --ldap_server=192.168.8.211
        # The port of the OpenLDAP server.
        --ldap_port=389
        # The name of the Schema in OpenLDAP.
        --ldap_scheme=ldap
        # The DN that binds the target.
        --ldap_basedn=ou=it,dc=sys,dc=com
        # The OpenLDAP login username. If anonymous access is supported, this parameter is optional. Otherwise, it is required.
        --ldap_binddn=cn=admin,dc=example,dc=org
        # The OpenLDAP login password. If anonymous access is supported, this parameter is optional. Otherwise, it is required.
        --ldap_bindpasswd=admin
- Restart the NebulaGraph services to make the new configuration take effect.
- Run a login test:

    $ ./nebula-console --addr 127.0.0.1 --port 9669 -u test2 -p passwdtest2
    2021/09/08 03:49:39 [INFO] connection pool is initialized successfully
    Welcome to NebulaGraph!
Note
After you turn on OpenLDAP authentication, you can log in with the account and password set in OpenLDAP. However, NebulaGraph must also have a local account with the same username.
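The following is an added example, not NebulaGraph's own code: it models the login order described above (Meta account check first, then OpenLDAP) and both authentication methods, using the flag values from the configuration above against a constructed in-memory stand-in for the OpenLDAP directory. The DIRECTORY and META_ACCOUNTS contents, and the ldap_bind/ldap_search simulators, are assumptions made for the example.

```python
# Added example (not NebulaGraph's code): the two OpenLDAP flows described above,
# run against a tiny in-memory stand-in for the directory. Entries are constructed.
DIRECTORY = {  # DN -> (uid attribute, password)
    "uid=test2,ou=it,dc=sys,dc=com": ("test2", "passwdtest2"),
    "uid=alice,ou=it,dc=sys,dc=com": ("alice", "alicepw"),
    "cn=admin,dc=example,dc=org": ("admin", "admin"),
}
META_ACCOUNTS = {"test2"}  # shadow accounts created in NebulaGraph (constructed)

SIMPLE_CFG = {"ldap_prefix": "uid=", "ldap_suffix": ",ou=it,dc=sys,dc=com"}
SEARCH_CFG = {"ldap_basedn": "ou=it,dc=sys,dc=com",
              "ldap_binddn": "cn=admin,dc=example,dc=org", "ldap_bindpasswd": "admin"}

def ldap_bind(dn, password):
    """Simulated simple bind: true only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[1] == password

def ldap_search(basedn, uid):
    """Simulated subtree search for (uid=<uid>) under basedn; returns matching DNs."""
    return [dn for dn, (u, _) in DIRECTORY.items()
            if u == uid and dn.endswith("," + basedn)]

def simple_bind_auth(account, password, cfg):
    """SimpleBindAuth: DN = ldap_prefix + account + ldap_suffix, then bind with it."""
    if not password:  # an empty password is an unauthenticated bind, not a login
        return False
    return ldap_bind(cfg["ldap_prefix"] + account + cfg["ldap_suffix"], password)

def search_bind_auth(account, password, cfg):
    """SearchBindAuth: bind as ldap_binddn, find uid=account under ldap_basedn, bind as it."""
    if not password:
        return False
    if cfg.get("ldap_binddn") and not ldap_bind(cfg["ldap_binddn"], cfg["ldap_bindpasswd"]):
        return False  # service-account credentials rejected
    matches = ldap_search(cfg["ldap_basedn"], account)
    if len(matches) != 1:
        return False  # no such uid, or an ambiguous one
    return ldap_bind(matches[0], password)

def nebula_login(account, password, method):
    """Order the page gives: the account must exist in Meta before OpenLDAP is consulted."""
    if account not in META_ACCOUNTS:
        return False
    if method == "SimpleBindAuth":
        return simple_bind_auth(account, password, SIMPLE_CFG)
    return search_bind_auth(account, password, SEARCH_CFG)
```

The alice entry exists in the directory but has no shadow account in Meta, so its login fails at the first check regardless of the OpenLDAP password.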