Bug #53679 Default LDAP settings in MEM need to be updated
Submitted: 16 May 2010 3:49 Modified: 14 Jun 2010 9:30
Reporter: Jonathon Coombes Email Updates:
Status: Closed Impact on me:
Category:MySQL Enterprise Monitor: Configuration Severity:S3 (Non-critical)
Version: OS:Any
Assigned to: Mark Matthews CPU Architecture:Any
Tags: authentication, LDAP, mem, UI

[16 May 2010 3:49] Jonathon Coombes
The LDAP authentication settings in MEM 2.2 are currently using defaults that don't match the general guidelines of the latest software or the intended general usual of MEM users.

The Password Digest Mechanism defaults to MD2 which is only applicable if they are still using ldap v2 or earlier. Most people would now be using ldap v3 at least which should use MD5 or SHA1 according to RFC 3112. This option should default to MD5 based on this guideline.

The Authentication Mode is defaulting to Comparison which will try and match up a field within the ldap database after binding, usually as a predefined user. This is required if there is some customised schema or special application, but most people will want to use the "bind as user" method. 

The "Bind as user" method simply attempts to connect to the ldap server using the given username and password. If the bind is successful, then the user is authenticated, otherwise they are denied. The "bind as user" will probably suit the majority of people rather than Combined as the default, and it is simpler to define.

How to repeat:

Suggested fix:
Update the fields to new defaults.

Authentication Mode: Bind as user

Password Digest Method: MD5
[20 May 2010 14:27] Enterprise Tools JIRA Robot
Mark Matthews writes: 
Pushed to branches/2.2.
[24 May 2010 16:42] Enterprise Tools JIRA Robot
Andy Bang writes: 
In build build
[25 May 2010 3:36] Enterprise Tools JIRA Robot
Marcos Palacios writes: 
Tested with Monitor build

Not OK:
Authentication Mode is *not* defaulting to 'Bind as user' (as requested), but still to 'Comparison'. 

The Password Digest Method is now 'MD5'.
There are now two, mutually-exclusive modes for user search:
 - Search by User Distinguished Name (DN) Pattern    (checked by default)
 - Search by User Attribute Pattern
[7 Jun 2010 23:43] Enterprise Tools JIRA Robot
Andy Bang writes: 
In build
[8 Jun 2010 16:32] Enterprise Tools JIRA Robot
Marcos Palacios writes: 
Verified fixed in Monitor build (which is the first 2.2.2 build).
[14 Jun 2010 9:30] MC Brown
A note has been added to the 2.2.1 changelog: 

        The default settings for the LDAP interface for authenticating                                                                   
        users has been updated. By default, lookups are made                                                                             
        using <literal>Bind as user</literal>, and the default                                                                           
        password digest mechanism is now MD5.