Planet MySQL

Speaking at MySQL Connect 2012

+5

-0

posted by Jonathon Coombes of team blog MySQL Support Team on Sun 26 Aug 2012 01:05 UTC
Tags:

(edit) mysql, Security, conference, authentication, auditing, mysqlconnect

At the end of September, the MySQL Connect 2012 conference will be held as part of Oracle OpenWorld in San Francisco. MySQL Connect is a two day event that allows attendees to focus on MySQL at a technical depth with presentations and interaction with many of the MySQL developers, engineers and other knowledgeable staff. There is also a range a international speakers to give broader knowledge to the presentations.

I am presenting a Hands-On Lab on Sunday 30th September 16:15 - 17:15 entitled HOL10474 - MySQL Security:

+2

-1

posted by Alexander Rubin on Mon 16 Jul 2012 18:44 UTC
Tags:

(edit) mysql, authentication, MySQL Enterprise, OpenLDAP

MySQL Enterprise 5.5 (trial version available here) includes MySQL PAM authentication plugin. In this post I will show how to configure it with the OpenLDAP and Active Directory.

MySQL PAM authentication uses Linux pam_ldap library to send the calls. To configure MySQL LDAP authentication we will need to configure pam_ldap on linux.

OpenLDAP Linux configuration

Make sure that libpam-ldap/openldap is installed. If not, on RedHat/CentOS use commands:

# yum install openldap openldap-clients

Configure /etc/ldap.conf. Sample configuration:

debug 10 # set debug level only during the initial configuration base dc=corp,dc=company_name,dc=com binddn cn=service_account,OU=Service Accounts,OU=US

[Read more...]

Windows Native Authentication for MySQL

+0

-0

posted by Rafal Somla on Tue 11 Oct 2011 03:49 UTC
Tags:

(edit) mysql, Oracle, authentication

Starting with MySQL 5.5.16 it is possible to setup a password-less connections from clients into MySQL server using Windows SSPI authentication framework. This functionality is provided by Windows Native Authentication (WNA) plugin distributed with the commercial version of 5.5.16 server. The client-side support for WNA authentication is built into the client library (libmysql) distributed with the community version of 5.5.16 server and requires no additional configuration. Clients which link to 5.5.16 or higher version of libmysql will be able to connect to MySQL accounts using WNA authentication out-of-the box.

For password-less connections to work, server's administrator must install the WNA plugin in the server and create user accounts which use this plugin for authentication. It is also possible to allow connections to existing MySQL accounts via a proxy

[Read more...]

Windows Native Authentication for MySQL

+0

-0

posted by Rafal Somla on Tue 11 Oct 2011 03:49 UTC
Tags:

(edit) mysql, Oracle, authentication

Starting with MySQL 5.5.16 it is possible to setup a password-less connections from clients into MySQL server using Windows SSPI authentication framework. This functionality is provided by Windows Native Authentication (WNA) plugin distributed with the commercial version of 5.5.16 server. The client-side support for WNA authentication is built into the client library (libmysql) distributed with the community version of 5.5.16 server and requires no additional configuration. Clients which link to 5.5.16 or higher version of libmysql will be able to connect to MySQL accounts using WNA authentication out-of-the box.

For password-less connections to work, server's administrator must install the WNA plugin in the server and create user accounts which use this plugin for authentication. It is also possible to allow connections to existing MySQL accounts via a proxy

+7

-2

posted by Georgi Kodinov on Fri 16 Sep 2011 06:42 UTC
Tags:

(edit) mysql, Oracle, Windows, authentication, pam

You probably remember the world of new possibilities introduced to MySQL 5.5. If you do, you probably would agree that no API is useful by itself.

This is why you need authentication plugins that fit the largest possible number of authentication setups.

I can only guess what these authentication solutions look like for your server. But chances are that your OS has a pretty good idea on how best to authenticate users in it. This is why we've decided to hook MySQL to the two most widely used OS authentication APIs : Pluggable Authentication Modules (a.k.a PAM) and the Windows Security Support Provider

+0

-0

posted by Georgi Kodinov on Fri 16 Sep 2011 01:42 UTC
Tags:

(edit) mysql, Oracle, Windows, authentication, pam

You probably remember the world of new possibilities introduced to MySQL 5.5. If you do, you probably would agree that no API is useful by itself.

This is why you need authentication plugins that fit the largest possible number of authentication setups.

I can only guess what these authentication solutions look like for your server. But chances are that your OS has a pretty good idea on how best to authenticate users in it. This is why we've decided to hook MySQL to the two most widely used OS authentication APIs : Pluggable Authentication Modules (a.k.a PAM) and the Windows Security Support Provider

[Read more...]

Drizzle 7 plugins

+1

-0

posted by Daniel Nichter on Sun 17 Apr 2011 21:05 UTC
Tags:

(edit) mysql, authentication, memcached, drizzle, plugin, Ronald Bradford, logging, Percona, eric day, mk-query-digest, auth_file, David Shrewsbury, logging_query

Last week I wrote about my experience compiling Drizzle 7 on Mac OS X 10.6. Then David Shrewsbury informed me of his nearly identical blog post: Installing Drizzle from source on OS X. Once Drizzle 7 was running on my box, I immediately looked to see what plugins where available because Drizzle uses a lot of plugins and they are one of its notable differences from MySQL. In my humble opinion, Drizzle’s plugins will primarily influence how database professionals evaluate and decide whether or not to use Drizzle because so many of Drizzle’s features are plugins. Therefore, let’s look briefly at some the plugins included with Drizzle 7.

The plugin directory of the Drizzle 7

+3

-0

posted by Darren Cassar on Mon 21 Mar 2011 19:00 UTC
Tags:

(edit) mysql, Linux, authentication, solaris, password, user, root, Intermediate, Mac OS, skip-grant-tables, grants, pass, user.myd

Three ways to recover a root user password:

The order of solutions here under gets more creative on the way down :)

1. obviously, before starting messing around check my.cnf or scripts for passwords entries, then try home directories for password files
2. secondly – can you restart mysql? if yes, restart with –skip-grant-tables, log into mysql, change your password and restart without –skip-grant-tables
3. third option – (on linux / unix ONLY)
If you haven’t found the password anywhere and can’t afford to restart your mysql.

cd data/mysql
cp -rp user.MYD bck_user.MYD_`date +%Y%m%d`
cp -rp user.MYD /tmp/user.MYD
vi /tmp/user.MYD #(edit the hashed passwords next to root*)
cp -rp /tmp/user.MYD user.MYD
sudo kill -HUP `pidof mysqld`

Note that the latter method of recovering a root

[Read more...]

Last Week in Drizzle

+2

-0

posted by Andrew Hutchings on Fri 11 Mar 2011 15:25 UTC
Tags:

(edit) mysql, authentication, drizzle, gsoc, engines, libdrizzle, last week in drizzle

Welcome to this week’s edition of “Last Week in Drizzle”. As an introduction this week I would like to quote John David Duncan’s recent Facebook post: “And what’s in the weather forecast for next week? Drizzle.”. Yes, our first GA release is due next week, does that mean the development pace has slowed? Heck no! Over 150,000 lines of bzr diff in the trunk since last week and quite a few branches still in the merge queue going through our extensive regression testing system.

Google Summer of Code

We have once again applied to be part of the Google Summer of Code program. We had some great students last year and some new faces interested in being students on projects for Drizzle have already started taking on some low-hanging-fruit tasks to get them used to our code and processes. We will have a sign-up form up soon so that anyone interested in

[Read more...]

Last Week in Drizzle

+0

-0

posted by Andrew Hutchings on Fri 11 Mar 2011 15:25 UTC
Tags:

(edit) mysql, authentication, drizzle, gsoc, engines, libdrizzle, last week in drizzle

Welcome to this week's edition of "Last Week in Drizzle". As an introduction this week I would like to quote John David Duncan's recent Facebook post: "And what's in the weather forecast for next week? Drizzle.". Yes, our first GA release is due next week, does that mean the development pace has slowed? Heck no! Over 150,000 lines of bzr diff in the trunk since last week and quite a few branches still in the merge queue going through our extensive regression testing system.

Google Summer of Code

We have once again applied to be part of the Google Summer of Code program. We had some great students last year and some new faces interested in being students on projects for Drizzle have already started taking on some low-hanging-fruit tasks to get them used to our code and processes. We will have a sign-up form up soon so that anyone interested in being part of the

[Read more...]

MySQL 5.5 brings in new ways to authenticate users

+12

-0

posted by Georgi Kodinov on Mon 03 Jan 2011 14:05 UTC
Tags:

(edit) mysql, authentication, wl1054

Ever wanted to use your server's OS for authenticating MySQL users ? Or the corporate LDAP repository ?Unfortunately options like the above are plentiful nowadays. And providing hard-coded support for protocol X or service Y is not the best possible idea.
MySQL 5.5 has taken the step into the right direction by providing an infrastructure allowing one to make the server understand different authentication protocols by creating a set of simple plugins (one for the client and one for the server).So now you can easily extend MySQL to search for and authenticate users in your favorite user directory.In fact the API supplied is so versatile that we took the possibility to re-design the current "native" authentication mechanism into a built-in always-on plugin !
OK, let me give you an example:
Imagine we have a bunch of users defined in your OS, e.g. we have a user

[Read more...]

MySQL 5.5 brings in new ways to authenticate users

+0

-0

posted by Georgi Kodinov on Mon 03 Jan 2011 14:05 UTC
Tags:

(edit) mysql, authentication

Ever wanted to use your server's OS for authenticating MySQL users ? Or the corporate LDAP repository ?

Unfortunately options like the above are plentiful nowadays. And providing hard-coded support for protocol X or service Y is not the best possible idea. MySQL 5.5 has taken the step into the right direction by providing an infrastructure allowing one to make the server understand different authentication protocols by creating a set of simple plugins (one for the client and one for the server). So now you can easily extend MySQL to search for and authenticate users in your favorite user directory. In fact the API supplied is so versatile that we took the possibility to re-design the current "native" authentication mechanism into a built-in always-on plugin ! OK, let me give you an example: Imagine we have a bunch of users [Read more...]

MySQL 5.5 brings in new ways to authenticate users

+0

-0

posted by Georgi Kodinov on Mon 03 Jan 2011 12:05 UTC
Tags:

(edit) mysql, authentication

Ever wanted to use your server's OS for authenticating MySQL users ? Or the corporate LDAP repository ? Unfortunately options like the above are plentiful nowadays. And providing hard-coded support for protocol X or service Y is not the best possible idea. MySQL 5.5 has taken the step into the right direction by providing an infrastructure allowing one to make the server understand different authentication protocols by creating a set of simple plugins (one for the client and one for the server). So now you can easily extend MySQL to search for and authenticate users in your favorite user directory. In fact the API supplied is so versatile that we took the possibility to re-design the current "native" authentication mechanism into a built-in always-on plugin ! OK, let me give you an example: Imagine we have a bunch [Read more...]

MySQL 5.5 brings in new ways to authenticate users

+0

-0

posted by Georgi Kodinov on Mon 03 Jan 2011 06:05 UTC
Tags:

(edit) mysql, authentication

Ever wanted to use your server's OS for authenticating MySQL users ? Or the corporate LDAP repository ? Unfortunately options like the above are plentiful nowadays. And providing hard-coded support for protocol X or service Y is not the best possible idea. MySQL 5.5 has taken the step into the right direction by providing an infrastructure allowing one to make the server understand different authentication protocols by creating a set of simple plugins (one for the client and one for the server). So now you can easily extend MySQL to search for and authenticate users in your favorite user directory. In fact the API supplied is so versatile that we took the possibility to re-design the current "native" authentication mechanism into a built-in always-on plugin ! OK, let me give you an example: Imagine we have a [Read more...]

MySQL 5.5 Authentication Goodies

+3

-0

posted by Dave Stokes on Mon 29 Nov 2010 23:53 UTC
Tags:

(edit) mysql, authentication, ldap

MySQL 5.5 is currently in the Release Candidate phase and making good
progress on the way to being a Generally Available release. There
are many new features that will improve performance, make service
more robust, and generally make life better for DBAs. But since
5.5.7 was released for evaluation in October, there has not been a
lot of attention given to the changes in authentication.

To greatly simplify, MySQL has a table with a list of users and a
list of hosts from which those users are allowed access. So user
'jones' and the host they connect from are checked to make sure they
are allowed access. If they match, they can access the instance.

As of 5.5.7, MySQL authentication now supports pluggable
authentication and proxies. So now you can use PAM, Windows native
authentication, LDAP,

[Read more...]

MySQL 5.5.7 - Can we trust it being RC, or?

+7

-5

posted by Anders Karlsson on Wed 10 Nov 2010 21:00 UTC
Tags:

(edit) mysql, authentication, plugin

I just saw that MySQL 5.5.7 RC had been released, and reading the releasenotes made me more than a fair bit suspicious. In some kind of general agreement on what constitutes a "beta" release, this is when the software has reached a level of maturity when no more major features are to be introduced. MySQL (and many others) has broken that rule at times, and the rule is not enforced or something.

What constitutes an RC release though, in my mind, but I really want to know what you think, is software that is really 100% feature complete. There may be, but hopefully there aren't, even any major bugs to iron out. In short, it is "A Candidate to Release", and as close to GA as you can get. I have not seen this rule broken much, really.

With MySQL 5.5.7, this is an rc, as was the previous release, 5.5.6, and this time there is a really major

[Read more...]

Understanding Drizzle user authentication options – Part 2

+2

-1

posted by Ronald Bradford on Fri 12 Mar 2010 22:45 UTC
Tags:

(edit) mysql, Databases, Professional, authentication, drizzle

A key differentiator in Drizzle from it’s original MySQL (http://mysql.com) roots is user based authentication. Gone is the host/user and schema/table/column model that was stored in the MyISAM based mysql.user table.

Authentication is now completely pluggable, leveraging existing systems such as PAM, LDAP via PAM and Http authentication.

In this post I’ll talk about HTTP authentication which requires an external http server to implement successfully. You can look at Part 1 for PAM

+0

-0

posted by Stefan Hinz on Tue 23 Feb 2010 16:30 UTC
Tags:

(edit) mysql, Security, sun, authentication, university, login, grant, roles, securich, role, grants, permission

This Thursday (February 25th, 13:00 UTC - way earlier than usual!), Darren Cassar will present Securich - Security Plugin for MySQL. According to Darren, the author of the plugin, Securich is an incredibly handy and versatile tool for managing user privileges on MySQL through the use of roles. It basically makes granting and revoking rights a piece of cake, not to mention added security it provides through password expiry and password history, the customization level it permits, the fact that it runs on any MySQL 5.0 or later and it's easily deployable on any official MySQL binary, platform independent.
More information here:

+0

-0

posted by Stefan Hinz on Tue 23 Feb 2010 08:30 UTC
Tags:

(edit) mysql, Security, sun, authentication, university, login, grant, roles, securich, role, grants, permission

This Thursday (February 25th, 13:00 UTC - way earlier than usual!), Darren Cassar will present Securich - Security Plugin for MySQL. According to Darren, the author of the plugin, Securich is an incredibly handy and versatile tool for managing user privileges on MySQL through the use of roles. It basically makes granting and revoking rights a piece of cake, not to mention added security it provides through password expiry and password history, the customization level it permits, the fact that it runs on any MySQL 5.0 or later and it's easily deployable on any official MySQL binary, platform independent.
More information here:

+0

-0

posted by Stefan Hinz on Tue 23 Feb 2010 08:30 UTC
Tags:

(edit) mysql, Security, sun, authentication, university, login, grant, roles, securich, role, grants, permission

This Thursday (February 25th, 13:00 UTC - way earlier than usual!), Darren Cassar will present Securich - Security Plugin for MySQL. According to Darren, the author of the plugin, Securich is an incredibly handy and versatile tool for managing user privileges on MySQL through the use of roles. It basically makes granting and revoking rights a piece of cake, not to mention added security it provides through password expiry and password history, the customization level it permits, the fact that it runs on any MySQL 5.0 or later and it's easily deployable on any official MySQL binary, platform independent.
More information here:

+0

-0

posted by Sun Partner Technology on Sun 27 Dec 2009 07:00 UTC
Tags:

(edit) mysql, Web, Security, authentication, zfs, web2.0, SSL, Technology Tid Bits, certificat, encryption, https

Reminder, mark you callendar:

Wednesday January 27th, Join the Sun Startup Essentials Webinar on Security for Web Applications.

A key success factor for Web startups is to protect their applications and data from different security threats. Join this webinar to learn about security challenges and about key solutions such as encryption, authentication, certificates, secure and fault-tolerant storage, chrooted environments. The Sun Startup Essentials experts will also cover how to implement these solutions at minimal cost by using standard and open components such as Solaris, Apache, MySQL, ZFS and more.

Registration limited to members of the Sun Startup Essentials program.

Your company is less than 6 year and 150 employee: Join Sun Startup Essentials >>

Reminder: Tech Webinar on Security for Web Application

+0

-0

posted by Sun Partner Technology on Sun 27 Dec 2009 05:00 UTC
Tags:

(edit) mysql, Web, Security, authentication, zfs, web2.0, SSL, Technology Tid Bits, certificat, encryption, https

Reminder, mark you callendar:

Wednesday January 27th, Join the Sun Startup Essentials Webinar on Security for Web Applications.

A key success factor for Web startups is to protect their applications and data from different security threats. Join this webinar to learn about security challenges and about key solutions such as encryption, authentication, certificates, secure and fault-tolerant storage, chrooted environments. The Sun Startup Essentials experts will also cover how to implement these solutions at minimal cost by using standard and open components such as Solaris, Apache, MySQL, ZFS and more.

Registration limited to members of the Sun Startup Essentials program.

Your company is less than 6 year and 150 employee: Join Sun Startup Essentials >>

Reminder: Tech Webinar on Security for Web Application

+0

-0

posted by Sun Partner Technology on Sat 26 Dec 2009 23:00 UTC
Tags:

(edit) mysql, Web, Security, authentication, zfs, web2.0, SSL, Technology Tid Bits, certificat, encryption, https

Reminder, mark you callendar:

Wednesday January 27th, Join the Sun Startup Essentials Webinar on Security for Web Applications.

A key success factor for Web startups is to protect their applications and data from different security threats. Join this webinar to learn about security challenges and about key solutions such as encryption, authentication, certificates, secure and fault-tolerant storage, chrooted environments. The Sun Startup Essentials experts will also cover how to implement these solutions at minimal cost by using standard and open components such as Solaris, Apache, MySQL, ZFS and more.

Registration limited to members of the Sun Startup Essentials program.

Your company is less than 6 year and 150 employee: Join Sun Startup Essentials >>

Tech Webinar: Security for Web Application

+0

-0

posted by Sun Partner Technology on Tue 08 Dec 2009 11:54 UTC
Tags:

(edit) mysql, Web, Security, authentication, zfs, web2.0, SSL, Technology Tid Bits, certificat, encryption, https

Wednesday January 27th, Join the Sun Startup Essentials Webinar on Security for Web Applications.

A key success factor for Web startups is to protect their applications and data from different security threats. Join this webinar to learn about security challenges and about key solutions such as encryption, authentication, certificates, secure and fault-tolerant storage, chrooted environments. The Sun Startup Essentials experts will also cover how to implement these solutions at minimal cost by using standard and open components such as Apache, MySQL, ZFS and more.

Registration limited to members of the Sun Startup Essentials program.

Your company is less than 6 year and 150 employee: Join Sun Startup Essentials >>

Tech Webinar: Security for Web Application

+0

-0

posted by Sun Partner Technology on Tue 08 Dec 2009 09:54 UTC
Tags:

(edit) mysql, Web, Security, authentication, zfs, web2.0, SSL, Technology Tid Bits, certificat, encryption, https

Wednesday January 27th, Join the Sun Startup Essentials Webinar on Security for Web Applications.

A key success factor for Web startups is to protect their applications and data from different security threats. Join this webinar to learn about security challenges and about key solutions such as encryption, authentication, certificates, secure and fault-tolerant storage, chrooted environments. The Sun Startup Essentials experts will also cover how to implement these solutions at minimal cost by using standard and open components such as Apache, MySQL, ZFS and more.

Registration limited to members of the Sun Startup Essentials program.

Your company is less than 6 year and 150 employee: Join Sun Startup Essentials >>

Tech Webinar: Security for Web Application

+0

-0

posted by Sun Partner Technology on Tue 08 Dec 2009 09:54 UTC
Tags:

(edit) mysql, Web, Security, authentication, zfs, web2.0, SSL, Technology Tid Bits, certificat, encryption, https

Wednesday January 27th, Join the Sun Startup Essentials Webinar on Security for Web Applications.

A key success factor for Web startups is to protect their applications and data from different security threats. Join this webinar to learn about security challenges and about key solutions such as encryption, authentication, certificates, secure and fault-tolerant storage, chrooted environments. The Sun Startup Essentials experts will also cover how to implement these solutions at minimal cost by using standard and open components such as Apache, MySQL, ZFS and more.

Registration limited to members of the Sun Startup Essentials program.

Your company is less than 6 year and 150 employee: Join Sun Startup Essentials >>

MySQL anonymous accounts – User=”, Host=’%’ – CODE RED

+0

-0

posted by Darren Cassar on Mon 05 Oct 2009 13:50 UTC
Tags:

(edit) mysql, Security, authentication, Beginner, %, accounts, anonymous, threat, usernames

I want to highlight the importance of reviewing mysql’s initial set of accounts.
Say you have a mysql on abc.def.ghi.jkl running on port 3306 anonymous account with privileges without a password, then:
1. mysql (if issued on localhost)
2. mysql -h abc.def.ghi.jkl
3. mysql -u ” -h abc.def.ghi.jkl
4. mysql -u ” -h abc.def.ghi.jkl -P 3306
5. mysql -u user_which_does_not_exist -h abc.def.ghi.jkl

will all manage to get into mysql given the way mysql authenticates users is against your username and client host from where you are connecting.

This verification is done versus the following columns in the mysql.user table, i.e., User,Host and Password columns.
An entry in the mysql.user table with the following values User=”, Host=’%’ will accept ANY user connecting from ANYWHERE

[Read more...]

’strings’ to the rescue

+3

-2

posted by Sheeri K. Cabral on Sat 29 Aug 2009 20:55 UTC
Tags:

(edit) mysql, authentication, Pythian, user, grep, strings

A broken VIEW was caused by the view’s definer being non-existent. In this particular system, backups are done by replicating all the machines (production, development, test, etc) to one server and doing cold physical backups off that server, which currently has 12 instances running.

So in order to find on what machine the user might still be defined, I went to the backup server. All the data directories are in one path, ie:

instance 1 has a datadir of /data/mysql/instance1
instance 2 has a datadir of /data/mysql/instance2

Now, the unix tool strings can be used against many types of files. In particular, though, you can use strings on the mysql/user.MYD file to see the username, host, and password hash. (note that strings only shows strings longer than 3 characters, so if your host or username is 3 characters or less,

[Read more...]

MySQL Proxy: Roles

+2

-0

posted by Jan Kneschke on Wed 24 Jun 2009 22:00 UTC
Tags:

(edit) mysql, authentication, proxy, roles

On the MySQL Proxy channel we get questions from time to time if the authentication can be intercepted and replaced data from a external source.

From now on, you can. For example if you want to get data from a external source (like LDAP) or want to implement roles.

Mapping Accounts to “Roles”

There isn’t much needed to implement Roles for MySQL with the help of the MySQL Proxy.

mysql.user doesn’t contain users, but roles instead
the proxy maps user-accounts to role-accounts with a script like above

It works like this:

login to the proxy

 $ mysql --user=jan --password=secret --port=4040

proxy looks up username password, finds a role for him

proxy replaces credentials ad hoc

mysql-server sees the role-name and

[Read more...]

MEM and HTTP Proxy Not Compatible

+1

-0

posted by Jonathon Coombes on Mon 25 May 2009 05:01 UTC
Tags:

(edit) mysql, authentication, monitoring, proxy, MEM, Merlin, libcurl

A bug in libcurl affects how the heartbeat function of MySQL Enterprise Monitor works by sending it to an external website, often www.agent.com.

Search

Profile

Top Voted (Last Week)

Top Voted (Last Month)

Top 20 Most Active Authors

Top 10 Most Active Team Blogs

Oracle MySQL Blogs

MySQL Links

Other Links

Planetarium

OpenLDAP Linux configuration

Google Summer of Code

Google Summer of Code