Whenever a client connects to Nebula Graph, a session is created. The session stores various contextual information about the connection. Each session is always associated with a single user.
Authentication is the process of mapping this session to a specific user. Once the session is mapped to a user, a set of permissions can be associated with it, using authorization.
Nebula Graph supports two authentication methods, local and LDAP, which are explained in detail below.
The local database stores usernames, encrypted passwords, local user settings and remote LDAP user settings. When a user tries to access the database, they will be met with a security challenge.
To enable local authentication, follow these steps:
- Set the --enable_authorize property in the nebula-graphd.conf configuration file (the directory is /usr/local/nebula/etc/ by default) to true.
- Save the modification made in step one and close the nebula-graphd.conf file.
- Restart the Nebula Graph services.
Lightweight Directory Access Protocol (LDAP) is a lightweight client-server protocol for accessing directory services. Users stored inside LDAP take precedence over the local database users. For example, if both providers have a user called “Amber”, the settings and roles for this user will be sourced from LDAP.
Unlike local authentication, LDAP requires more than enabling the --enable_authorize parameter: the LDAP connection itself must also be configured in the nebula-graphd.conf file (the directory is /usr/local/nebula/etc/ by default). Refer to the Integrating LDAP document for details. The LDAP parameters are listed below.
| Parameter | Type | Default | Description |
|---|---|---|---|
| ldap_server | string | "" | A list of LDAP server addresses. Multiple addresses are separated with commas. |
| ldap_port | INT32 | | LDAP server port. If no port is specified, the default port will be used. |
| ldap_scheme | string | "ldap" | Only ldap is supported. |
| ldap_tls | bool | false | Enables or disables TLS encryption between graphd and the LDAP server. |
| ldap_suffix | string | "" | Specifies the root suffix (naming context) to use for all LDAP operations. |
| ldap_basedn | string | "" | The LDAP distinguished name (DN) of the search base. |
| ldap_binddn | string | "" | The LDAP user who is allowed to search the base DN. |
| ldap_bindpasswd | string | "" | The password of the user named in the bind DN. |
| ldap_searchattribute | string | "" | An array of the required attributes. |
| ldap_searchfilter | string | "" | Specifies a search filter by defining what to search for. It is more flexible than ldap_searchattribute. |
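The following added example (not Nebula Graph's own code) reads the authentication-related flags from a nebula-graphd.conf-style file and reports the weak settings described in the local steps and the LDAP table above: authentication left disabled, LDAP without TLS, and an empty bind password. It assumes the gflags layout of that file (one --flag=value per line, # starting a comment line); the two configuration samples are constructed.

```python
import re

# Assumed gflags layout of nebula-graphd.conf: one "--flag=value" per line.
FLAG_RE = re.compile(r"^--([A-Za-z_]+)=(.*)$")

# Constructed samples: WEAK_CONF leaves authentication off, talks to LDAP
# without TLS and has no bind password; FIXED_CONF corrects all three.
WEAK_CONF = """\
# authentication (constructed sample, not a real deployment)
--enable_authorize=false
--ldap_server=ldap1.example.internal,ldap2.example.internal
--ldap_port=389
--ldap_scheme=ldap
--ldap_tls=false
--ldap_basedn=ou=people,dc=example,dc=internal
--ldap_binddn=cn=graphd,ou=svc,dc=example,dc=internal
--ldap_bindpasswd=
--ldap_searchattribute=uid
"""
FIXED_CONF = (WEAK_CONF.replace("--enable_authorize=false", "--enable_authorize=true")
                       .replace("--ldap_tls=false", "--ldap_tls=true")
                       .replace("--ldap_bindpasswd=", "--ldap_bindpasswd=<placeholder-secret>"))

def parse_gflags(text):
    """Map flag name -> value. A later duplicate overrides an earlier one."""
    flags = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(1)] = m.group(2).strip().strip('"')
    return flags

def audit_auth(flags):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if flags.get("enable_authorize", "false").lower() != "true":
        findings.append("enable_authorize is not true: authentication is disabled")
    if flags.get("ldap_server"):  # a non-empty server list means LDAP is in use
        if flags.get("ldap_tls", "false").lower() != "true":
            findings.append("ldap_tls is false: graphd talks to the LDAP server without TLS")
        if flags.get("ldap_binddn") and not flags.get("ldap_bindpasswd"):
            findings.append("ldap_binddn is set but ldap_bindpasswd is empty")
        if not flags.get("ldap_basedn"):
            findings.append("ldap_basedn is empty: user lookups have no search base")
        if not (flags.get("ldap_searchattribute") or flags.get("ldap_searchfilter")):
            findings.append("neither ldap_searchattribute nor ldap_searchfilter is set")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_auth(parse_gflags(conf)) or ["ok"])
```

Run it against a real file with audit_auth(parse_gflags(open(path).read())) after restarting graphd, so the findings reflect the configuration that is actually loaded.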
Error information: Authentication fails, Invalid data length
Authentication fails because authentication has not been enabled. Follow the preceding steps to enable it.