Description:
* If we have an LDAP-authenticated user connecting from a remote host, it works.
* If we try connecting with the same user locally via a socket, it does NOT work.
* If we revoke REQUIRE SSL from the user, it works locally with SSL over the socket.
This behaviour looks strange to us and thus we think it could be a bug.
How to repeat:
mysql@server2> mysql -h server1 -u App1_DEV_Read_User1 -pxxxxxxxxxxxx -P 3306 --enable-cleartext-plugin
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2591090
Server version: 8.0.21-commercial MySQL Enterprise Server - Commercial
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
SQL> status
--------------
mysql Ver 8.0.21-commercial for Linux on x86_64 (MySQL Enterprise Server - Commercial)
Current user: App1_DEV_Read_User1@server2.internal.company-group.net
SSL: Cipher in use is TLS_AES_256_GCM_SHA384
Server version: 8.0.21-commercial MySQL Enterprise Server - Commercial
Connection: server1 via TCP/IP
TCP port: 3306
----
mysql@server1> mysql -h server1 -u App1_DEV_Read_User1 -pxxxxxxxxxxxx -P 3306 --enable-cleartext-plugin
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2589022
Server version: 8.0.21-commercial MySQL Enterprise Server - Commercial
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
SQL> select user(), current_user(), @@proxy_user;
+---------------------------------------------------------+-----------------+--------------+
| user() | current_user() | @@proxy_user |
+---------------------------------------------------------+-----------------+--------------+
| App1_DEV_Read_User1@server1.internal.company-group.net | App1_DEV_Read@% | ''@'%' |
+---------------------------------------------------------+-----------------+--------------+
SQL> status
--------------
mysql Ver 8.0.21-commercial for Linux on x86_64 (MySQL Enterprise Server - Commercial)
Current user: App1_DEV_Read_User1@server1.internal.company-group.net
SSL: Cipher in use is TLS_AES_256_GCM_SHA384
Server version: 8.0.21-commercial MySQL Enterprise Server - Commercial
Connection: server1 via TCP/IP
TCP port: 3306
SQL> show create user 'App1_DEV_Read'@'%';
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER for App1_DEV_Read@% |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER 'App1_DEV_Read'@'%' IDENTIFIED WITH 'mysql_no_login' REQUIRE SSL PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
----
mysql@server1> mysql -u App1_DEV_Read_User1 -pxxxxxxxxxxxx -S /u00/app/mysql/admin/mysqld1/socket/mysqld1.sock --enable-cleartext-plugin --ssl-mode=REQUIRED
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'App1_DEV_Read_User1'@'localhost' (using password: YES)
MySQL Error Log:
2020-08-27T12:21:02.821582Z 2589078 [Note] [MY-011756] [Server] Plugin authentication_ldap_simple reported: 'User is authenticated as: App1_DEV_Read external user: App1_DEV_Read'
2020-08-27T12:21:02.821693Z 2589078 [Note] [MY-011783] [Server] Plugin authentication_ldap_simple reported: 'Ldap_connection_pool::put connection in pushed in the pool'
2020-08-27T12:21:02.821815Z 2589078 [Note] [MY-011779] [Server] Plugin authentication_ldap_simple reported: 'Ldap_authentication::de_initialize putting back connection in the pool'
2020-08-27T12:21:02.821955Z 2589078 [Note] [MY-010926] [Server] Access denied for user 'App1_DEV_Read_User1'@'localhost' (using password: YES)
----
After:
ALTER USER 'App1_DEV_Read'@'%' REQUIRE NONE;
mysql@server1> mysql -u App1_DEV_Read_User1 -pxxxxxxxxxxxx -S /u00/app/mysql/admin/mysqld1/socket/mysqld1.sock --enable-cleartext-plugin --ssl-mode=REQUIRED
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2589474
Server version: 8.0.21-commercial MySQL Enterprise Server - Commercial
You are enforcing ssl connection via unix socket. Please consider
switching ssl off as it does not make connection via unix socket
any more secure.
SQL> status
--------------
mysql Ver 8.0.21-commercial for Linux on x86_64 (MySQL Enterprise Server - Commercial)
Connection id: 2589474
Current user: App1_DEV_Read_User1@localhost
SSL: Cipher in use is TLS_AES_256_GCM_SHA384
Server version: 8.0.21-commercial MySQL Enterprise Server - Commercial
Connection: Localhost via UNIX socket
UNIX socket: /u00/app/mysql/admin/mysqld1/socket/mysqld1.sock
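An added Python example (not part of the bug report) that correlates the two error-log notes shown above per connection id: an LDAP "User is authenticated as" note followed by an "Access denied" note means LDAP succeeded and the denial came from the server's own account checks. When the mapped account has REQUIRE SSL and the client came in as 'localhost' (Unix socket), it flags the combination this report describes. The sample log lines and the SSL_REQUIRED map are constructed from the output above.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the MySQL 8.0 error-log format quoted above
# (MY-011756 = LDAP plugin authentication success, MY-010926 = access denied).
SAMPLE_LOG = """\
2020-08-27T12:21:02.821582Z 2589078 [Note] [MY-011756] [Server] Plugin authentication_ldap_simple reported: 'User is authenticated as: App1_DEV_Read external user: App1_DEV_Read'
2020-08-27T12:21:02.821693Z 2589078 [Note] [MY-011783] [Server] Plugin authentication_ldap_simple reported: 'Ldap_connection_pool::put connection in pushed in the pool'
2020-08-27T12:21:02.821955Z 2589078 [Note] [MY-010926] [Server] Access denied for user 'App1_DEV_Read_User1'@'localhost' (using password: YES)
2020-08-27T12:25:10.000000Z 2589100 [Note] [MY-011756] [Server] Plugin authentication_ldap_simple reported: 'User is authenticated as: App1_DEV_Read external user: App1_DEV_Read'
2020-08-27T12:30:00.000000Z 2589200 [Note] [MY-010926] [Server] Access denied for user 'someone'@'10.0.0.5' (using password: YES)
"""
# Accounts that carry REQUIRE SSL, as seen in SHOW CREATE USER (constructed from the report).
SSL_REQUIRED = {"App1_DEV_Read": True}

LINE_RE = re.compile(r"^\S+ (?P<conn>\d+) \[\w+\] \[(?P<code>MY-\d+)\] \[Server\] (?P<msg>.*)$")
AUTH_RE = re.compile(r"User is authenticated as: (?P<mapped>\S+) external user:")
DENY_RE = re.compile(r"Access denied for user '(?P<user>[^']+)'@'(?P<host>[^']+)'")

@dataclass
class Finding:
    conn_id: str
    login_user: str        # name the client logged in with (the LDAP user)
    host: str              # 'localhost' means the Unix socket
    mapped_account: str    # MySQL account the LDAP plugin mapped the user to
    ssl_socket_mismatch: bool

def scan(log_text, ssl_required=SSL_REQUIRED):
    """Return one Finding per connection where LDAP authentication succeeded
    but the server then denied access; flag REQUIRE SSL + socket logins."""
    ldap_ok = {}   # conn_id -> mapped account name, pending a denial on that connection
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, code, msg = m.group("conn"), m.group("code"), m.group("msg")
        if code == "MY-011756":
            a = AUTH_RE.search(msg)
            if a:
                ldap_ok[conn] = a.group("mapped")
        elif code == "MY-010926" and conn in ldap_ok:
            d = DENY_RE.search(msg)
            if d:
                mapped = ldap_ok.pop(conn)
                mismatch = d.group("host") == "localhost" and ssl_required.get(mapped, False)
                findings.append(Finding(conn, d.group("user"), d.group("host"), mapped, mismatch))
    return findings
```

Denials without a preceding LDAP success on the same connection (plain wrong passwords) are left out on purpose, so the output only lists the post-authentication failures worth checking against the account's REQUIRE clause.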
Suggested fix:
Allow an LDAP-authenticated user over a socket with REQUIRE SSL.