
LDAP SASL system variables

Authentication system variables

Percona Server for MySQL 8.0.30-22 adds the LDAP SASL variables and the fallback server variables for both simple LDAP and SASL-based LDAP authentication.

Installing the plugin adds the following variables:

Variable name Description
authentication_ldap_sasl_bind_base_dn Base distinguished name
authentication_ldap_sasl_bind_root_dn Root distinguished name
authentication_ldap_sasl_bind_root_pwd Password for the root distinguished name
authentication_ldap_sasl_ca_path Absolute path of the certificate authority
authentication_ldap_sasl_fallback_server_host If the primary server is unavailable, the authentication plugin attempts to connect to the fallback server
authentication_ldap_sasl_fallback_server_port The port number for the fallback server
authentication_ldap_sasl_group_role_mapping A list of LDAP group names - MySQL role pairs
authentication_ldap_sasl_group_search_attr Name of the attribute that specifies the group names in the LDAP directory entries
authentication_ldap_sasl_group_search_filter Custom group search filter
authentication_ldap_sasl_init_pool_size Initial size of the connection pool to the LDAP server
authentication_ldap_sasl_log_status Logging level
authentication_ldap_sasl_max_pool_size Maximum size of the pool of connections to the LDAP server
authentication_ldap_sasl_server_host LDAP server host
authentication_ldap_sasl_server_port LDAP server TCP/IP port number
authentication_ldap_sasl_ssl If plugin connections to the LDAP server use the SSL protocol (ldaps://)
authentication_ldap_sasl_tls If plugin connections to the LDAP server are secured with STARTTLS (ldap://)
authentication_ldap_sasl_user_search_attr Name of the attribute that specifies user names in the LDAP directory entries

The following variables are described in detail:


authentication_ldap_sasl_bind_base_dn

Option Description
Command-line --authentication-ldap-sasl-bind-base-dn=value
Scope Global
Dynamic Yes
Data type String
Default NULL

The base distinguished name (DN) for SASL-based LDAP authentication. The plugin uses this DN as the base of its user and group searches, so setting it to the narrowest subtree that contains your users limits the search scope.


authentication_ldap_sasl_bind_root_dn

Option Description
Command-line --authentication-ldap-sasl-bind-root-dn=value
Scope Global
Dynamic Yes
Data type String
Default NULL

The root distinguished name (DN) used to bind to the LDAP server for SASL-based LDAP authentication. When performing a search, the plugin authenticates to the LDAP server with this DN and the password in authentication_ldap_sasl_bind_root_pwd.


authentication_ldap_sasl_bind_root_pwd

Option Description
Command-line --authentication-ldap-sasl-bind-root-pwd=value
Scope Global
Dynamic Yes
Data type String
Default NULL

The password for the root DN, used to bind to the LDAP server for SASL-based LDAP authentication. This variable is used with authentication_ldap_sasl_bind_root_dn. Because the database server has to store this credential, use a dedicated directory account that has only the read access needed to search the user and group subtrees.


authentication_ldap_sasl_ca_path

Option Description
Command-line --authentication-ldap-sasl-ca-path=value
Scope Global
Dynamic Yes
Data type String
Default NULL

The absolute path of the certificate authority (CA) file used to verify the LDAP server's certificate. Set it whenever authentication_ldap_sasl_ssl or authentication_ldap_sasl_tls is enabled so that the plugin can validate the certificate presented by the directory server.


authentication_ldap_sasl_fallback_server_host

Option Description
Command-line --authentication-ldap-sasl-fallback-server-host=value
Scope Global
Dynamic Yes
Data type String
Default NULL

Use with authentication_ldap_sasl_fallback_server_port.

If the primary server is unavailable, the authentication plugin attempts to connect to the fallback server and authenticate using that server.


authentication_ldap_sasl_fallback_server_port

Option Description
Command-line --authentication-ldap-sasl-fallback-server-port=value
Scope Global
Dynamic Yes
Data type Integer
Default NULL

Use with authentication_ldap_sasl_fallback_server_host.

If the primary server is unavailable, the authentication plugin attempts to connect to the fallback server and authenticate using that server.

To specify multiple fallback servers, set authentication_ldap_sasl_fallback_server_port to 0 and list the servers, each with its own port, in authentication_ldap_sasl_fallback_server_host.

Use this format for the list: authentication_ldap_sasl_fallback_server_host="ldap(s)://host:port,ldap(s)://host2:port2", for example.
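The following statements, added here as an illustration and not taken from the Percona documentation or the plugin's own code, tie the connection-related variables above together: a primary directory server secured with STARTTLS and a pinned CA file, a dedicated read-only bind account, and both the single-server and the multi-server forms of the fallback settings. The host names, DNs, file path and password are placeholders for your environment.

```sql
-- Primary LDAP server (host names, DNs and paths are placeholders)
SET PERSIST authentication_ldap_sasl_server_host = 'ldap1.example.com';
SET PERSIST authentication_ldap_sasl_server_port = 389;

-- Secure the plain ldap:// port with STARTTLS and verify the server
-- certificate against the corporate CA file
SET PERSIST authentication_ldap_sasl_tls = ON;
SET PERSIST authentication_ldap_sasl_ca_path = '/etc/ssl/certs/corp-ldap-ca.pem';

-- Search base and bind account. Use a directory account that can only
-- read the subtree it searches, because MySQL has to store this password.
SET PERSIST authentication_ldap_sasl_bind_base_dn = 'ou=People,dc=example,dc=com';
SET PERSIST authentication_ldap_sasl_bind_root_dn = 'cn=mysql-bind,ou=Service,dc=example,dc=com';
SET PERSIST authentication_ldap_sasl_bind_root_pwd = 'replace-with-bind-password';

-- Single fallback server: one host and one port
SET PERSIST authentication_ldap_sasl_fallback_server_host = 'ldap2.example.com';
SET PERSIST authentication_ldap_sasl_fallback_server_port = 389;

-- Multiple fallback servers: port 0 switches the host variable to a
-- comma-separated list of ldap:// or ldaps:// URIs, each with its port
SET PERSIST authentication_ldap_sasl_fallback_server_port = 0;
SET PERSIST authentication_ldap_sasl_fallback_server_host =
  'ldaps://ldap2.example.com:636,ldaps://ldap3.example.com:636';

-- Check what is in effect
SHOW VARIABLES LIKE 'authentication_ldap_sasl_%server%';
SHOW VARIABLES LIKE 'authentication_ldap_sasl_%tls';
```

SET PERSIST writes these values, the bind password included, to mysqld-auto.cnf in the data directory, so restrict that file to the mysqld user; if you would rather keep the password out of that file, use SET GLOBAL and place the setting in a my.cnf fragment with appropriate permissions instead.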


authentication_ldap_sasl_group_role_mapping

Option Description
Command-line --authentication-ldap-sasl-group-role-mapping=value
Scope Global
Dynamic Yes
Data type String
Default NULL

When an LDAP user logs in, the server checks whether the user is a member of any of the LDAP groups listed in this variable. For each group the user belongs to, the server automatically grants the mapped MySQL role to the user.

The variable has this format: <ldap_group>=<mysql_role>,<ldap_group2>=<mysql_role2>, and so on. The group names are the values of the attribute named by authentication_ldap_sasl_group_search_attr (cn by default).
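As an added example, not part of the Percona documentation or the plugin's own code, the statements below create two MySQL roles, map two LDAP groups (identified by their cn, the default group search attribute) onto them, and create an account that authenticates through the SASL plugin. The role names, group names, database name and user DN are placeholders.

```sql
-- Roles that LDAP groups will map onto (names are placeholders)
CREATE ROLE IF NOT EXISTS 'app_reader', 'app_writer';
GRANT SELECT ON appdb.* TO 'app_reader';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app_writer';

-- Map each LDAP group's cn to a role: <ldap_group>=<mysql_role>,...
SET PERSIST authentication_ldap_sasl_group_role_mapping =
  'app-readers=app_reader,app-writers=app_writer';

-- An account authenticated through the SASL plugin. The BY clause holds
-- the user's DN in the directory; without it the plugin searches for the
-- user by authentication_ldap_sasl_user_search_attr (uid by default).
CREATE USER 'alice'@'%' IDENTIFIED WITH authentication_ldap_sasl
  BY 'uid=alice,ou=People,dc=example,dc=com';

-- Confirm the mapping is in effect before testing a login
SHOW VARIABLES LIKE 'authentication_ldap_sasl_group%';

-- After alice logs in, run this as alice to see which roles are active
SELECT CURRENT_ROLE();
```

If CURRENT_ROLE() reports NONE even though the mapping granted a role, remember that in MySQL a granted role still has to be activated before its privileges apply: either set a default role for the account (SET DEFAULT ROLE ALL TO 'alice'@'%') or enable activate_all_roles_on_login on the server.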


authentication_ldap_sasl_group_search_attr

Option Description
Command-line --authentication-ldap-sasl-group-search-attr=value
Scope Global
Dynamic Yes
Data type String
Default cn

The attribute name that specifies group names in the LDAP directory entries for SASL-based LDAP authentication.


authentication_ldap_sasl_group_search_filter

Option Description
Command-line --authentication-ldap-sasl-group-search-filter=value
Scope Global
Dynamic Yes
Data type String
Default (|(&(objectClass=posixGroup)(memberUid=%s))(&(objectClass=group)(member=%s)))

The custom group search filter for SASL-based LDAP authentication. In the filter, %s is a placeholder that the plugin fills in for the authenticating user; the default matches either a posixGroup that lists the user in memberUid or a group that lists the user in member.


authentication_ldap_sasl_init_pool_size

Option Description
Command-line --authentication-ldap-sasl-init-pool-size=value
Scope Global
Dynamic Yes
Data type Integer
Default 10
Minimum value 0
Maximum value 32767
Unit connections

The initial size of the connection pool to the LDAP server for SASL-based LDAP authentication.


authentication_ldap_sasl_log_status

Option Description
Command-line --authentication-ldap-sasl-log-status=value
Scope Global
Dynamic Yes
Data type Integer
Default 1
Minimum value 1
Maximum value 6

The logging level for messages written to the error log for SASL-based LDAP authentication.


authentication_ldap_sasl_max_pool_size

Option Description
Command-line --authentication-ldap-sasl-max-pool-size=value
Scope Global
Dynamic Yes
Data type Integer
Default 1000
Minimum value 0
Maximum value 32767
Unit connections

The maximum connection pool size to the LDAP server in SASL-based LDAP authentication. The variable is used with authentication_ldap_sasl_init_pool_size.


authentication_ldap_sasl_server_host

Option Description
Command-line --authentication-ldap-sasl-server-host=value
Scope Global
Dynamic Yes
Data type String
Default NULL

The LDAP server host used for SASL-based LDAP authentication. The LDAP server host can be an IP address or a host name.


authentication_ldap_sasl_server_port

Option Description
Command-line --authentication-ldap-sasl-server-port=value
Scope Global
Dynamic Yes
Data type Integer
Default 389
Minimum value 1
Maximum value 32376

The LDAP server TCP/IP port number used for SASL-based LDAP authentication.


authentication_ldap_sasl_ssl

Option Description
Command-line --authentication-ldap-sasl-ssl=value
Scope Global
Dynamic Yes
Data type Boolean
Default OFF

If this variable is enabled, the plugin connects to the LDAP server over SSL (ldaps://). Set authentication_ldap_sasl_ca_path as well so that the LDAP server's certificate can be verified.


authentication_ldap_sasl_tls

Option Description
Command-line --authentication-ldap-sasl-tls=value
Scope Global
Dynamic Yes
Data type Boolean
Default OFF

If this variable is enabled, the plugin connects to the LDAP server on the plain ldap:// port and upgrades the connection with STARTTLS. Set authentication_ldap_sasl_ca_path as well so that the LDAP server's certificate can be verified.


authentication_ldap_sasl_user_search_attr

Option Description
Command-line --authentication-ldap-sasl-user-search-attr=value
Scope Global
Dynamic Yes
Data type String
Default uid

The attribute name that specifies the user names in LDAP directory entries in SASL-based LDAP authentication.

For more details, see the LDAP Authentication documentation.

Last update: 2025-03-17