Description:
We cannot connect with MySQL CLI client (mysql) to server with LDAP/SASL authentication.

Getting nonsense error mesage:
ERROR 2000 (HY000): Unknown MySQL error

O/S side everything seems to work.

How to repeat:
* Kerberos on O/S level (OK):

shell> vastool klist
klist: No ccache exists with name: FILE:/tmp/krb5cc_8800

shell> vastool kinit App1_DEV_Read_User1@BASE.INT
Password for app1_dev_read_user1@BASE.INT:

shell> vastool klist
Credentials cache: FILE:/tmp/krb5cc_8800
        Principal: app1_dev_read_user1@BASE.INT
 
  Issued           Expires          Principal
Jan  7 10:07:23  Jan  7 20:07:23  krbtgt/BASE.INT@BASE.INT

shell> /usr/bin/ldapsearch -h base.int -Y GSSAPI -b "OU=Test,DC=base,DC=int" > /dev/null
SASL/GSSAPI authentication started
SASL username: app1_dev_write_user1@BASE.INT
SASL SSF: 256
SASL data security layer installed.
 

* Linux syslog messages (OK):
 
Jan  7 10:15:08 mtzhldgiam05 ldapsearch: GSSAPI client step 1
Jan  7 10:15:08 mtzhldgiam05 ldapsearch: GSSAPI client step 1
Jan  7 10:15:08 mtzhldgiam05 ldapsearch: GSSAPI client step 1
Jan  7 10:15:08 mtzhldgiam05 ldapsearch: GSSAPI client step 2
Jan  7 10:15:08 mtzhldgiam05 ldapsearch: DIGEST-MD5 common mech free

* Supported Mechanisms of the AD/LDAP:
 
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5

----

* Kerberos/SASL authentication with mysql CLI

shell> mysql --version
mysql  Ver 8.0.22-commercial for Linux on x86_64 (MySQL Enterprise Server - Commercial)

shell> mysql -h mtzhldgiam05 --plugin-dir=/u00/app/mysql/product/latest/lib/plugin/ --default-auth=authentication_ldap_sasl_client
ERROR 2000 (HY000): Unknown MySQL error

shell> vastool klist
Credentials cache: FILE:/tmp/krb5cc_8800
        Principal: app1_dev_read_user1@BASE.INT
 
  Issued           Expires          Principal
Jan  7 10:07:23  Jan  7 20:07:23  krbtgt/BASE.INT@BASE.INT

shell> mysql -h mtzhldgiam05 --default-auth=authentication_ldap_sasl_client --plugin-dir=/u00/app/mysql/product/latest/lib/plugin/ --user=App1_DEV_Write_User1@BASE.INT --password
Enter password:
ERROR 2000 (HY000): Unknown MySQL error

Somehow it looks like the basic authentication works (switch from read to write user):

shell> vastool klist
Credentials cache: FILE:/tmp/krb5cc_8800
        Principal: App1_DEV_Write_User1@BASE.INT
 
  Issued           Expires          Principal
Jan  7 10:12:02  Jan  7 20:12:02  krbtgt/BASE.INT@BASE.INT

* Linux syslog messages (from mysql CLI on client side):

Jan  7 10:02:48 mtzhldgiam01 mysql: Attempt to disable security layers (maxoutbuf == 0) with min_ssf > 0
Jan  7 10:02:48 mtzhldgiam01 mysql: No worthy mechs found
 
 
* Strace of this part:

29554 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
29554 connect(4, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0
29554 sendto(4, "<37>Jan  7 10:19:53 mysql: Attem"..., 95, MSG_NOSIGNAL, NULL, 0) = 95
29554 sendto(4, "<37>Jan  7 10:19:53 mysql: No wo"..., 48, MSG_NOSIGNAL, NULL, 0) = 48
29554 shutdown(3, SHUT_RDWR)            = 0 -> 3 = MySQL Server
29554 close(3)                          = 0
 
* MySQL Server Error Log 
  
 
2021-01-07T09:13:22.009827Z 83936 [Note] [MY-011754] [Server] Plugin authentication_ldap_sasl reported: 'Setting LDAP user name as : App1_DEV_Write_User1@BASE.INT'
2021-01-07T09:13:22.010054Z 83936 [Note] [MY-011795] [Server] Plugin authentication_ldap_sasl reported: 'LDAP authentication started for user name: App1_DEV_Write_User1@BASE.INT'
2021-01-07T09:13:22.010172Z 83936 [Note] [MY-011791] [Server] Plugin authentication_ldap_sasl reported: 'Sending authentication method to client : GSSAPI'
2021-01-07T09:13:22.010317Z 83936 [Note] [MY-013342] [Server] Plugin authentication_ldap_sasl reported: 'Get user proxy: configured mapping info:   App2_QA_Admin=App2_QA_Admin,App2_QA_Write=App2_QA_Write,App2_QA_Read=App2_QA_Read,MySQLTestGroup-Read=App2_QA_Read'
2021-01-07T09:13:22.010433Z 83936 [Note] [MY-011755] [Server] Plugin authentication_ldap_sasl reported: 'User authentication data: +OU=Test,DC=base,DC=int#  App2_QA_Admin=App2_QA_Admin,App2_QA_Write=App2_QA_Write,App2_QA_Read=App2_QA_Read,MySQLTestGroup-Read=App2_QA_Read size: 140'
2021-01-07T09:13:22.010541Z 83936 [Note] [MY-011778] [Server] Plugin authentication_ldap_sasl reported: 'Ldap_authentication::initialize: getting connection from pool. '
2021-01-07T09:13:22.010646Z 83936 [Note] [MY-011252] [Server] Plugin authentication_ldap_sasl reported: 'Checking if re-initialization of connection pool is required.'
2021-01-07T09:13:22.010777Z 83936 [Note] [MY-011788] [Server] Plugin authentication_ldap_sasl reported: ' Ldap_connection_pool::get pooled connection key: 16099270622384178'
2021-01-07T09:13:22.010897Z 83936 [Note] [MY-011252] [Server] Plugin authentication_ldap_sasl reported: 'Processing LDAP SASL step.'
2021-01-07T09:13:22.036349Z 83936 [ERROR] [MY-011776] [Server] Plugin authentication_ldap_sasl reported: 'Plug-in has failed to read the packet from client'
ldap_err2string
2021-01-07T09:13:22.036430Z 83936 [ERROR] [MY-011798] [Server] Plugin authentication_ldap_sasl reported: 'LDAP authentication failed or group retrieval failed:  LDAP error: Operations error'
2021-01-07T09:13:22.036446Z 83936 [Note] [MY-011783] [Server] Plugin authentication_ldap_sasl reported: 'Ldap_connection_pool::put connection in pushed in the pool'
2021-01-07T09:13:22.036467Z 83936 [Note] [MY-011779] [Server] Plugin authentication_ldap_sasl reported: 'Ldap_authentication::de_initialize putting back connection in the pool'
2021-01-07T09:13:22.036496Z 83936 [Note] [MY-010914] [Server] Got an error reading communication packets

Suggested fix:
Make authentication work.

Hello Oli,
Can you please enable the client side logging and attach the logs?

Commands to execute in the terminal and thn run mysql client.
AUTHENTICATION_LDAP_CLIENT_LOG="5"
export AUTHENTICATION_LDAP_CLIENT_LOG

Thanks!

No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

SR 3-24899082951