In association with heise online

11 November 2010, 13:12

Second release candidate of MySQL 5.5 with alternative authentication


Six weeks after the first release candidate of MySQL 5.5 arrived, Oracle has published a second RC – version number 5.5.7. For the first time, it contains a technology to connect alternative authentication methods. Up to now, MySQL only had proprietary user management and therefore could not be used with common UNIX mechanisms, such as PAM, or with central directory services, such as LDAP, for log-ins.

The release notes for MySQL 5.5.7 list the following examples of supported authentication procedures: Kerberos, Windows log-in IDs, PAM and LDAP. There are also "proxy users": a MySQL user who only exists for log-ons via a plug-in and can be assigned to another user via the new GRANT PROXY statement. The documentation says that this option can be used to pass on the user names and passwords to another service for authentication, which then sends the name of the database user back to the MySQL server. Now, for example, user groups, such as "developers," can be defined. Details on the architecture and implementation of the technology are available online.
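The proxy-user mapping described above, as an added SQL example that is not taken from the release notes or this article. The plug-in name `my_auth_plugin`, its authentication string, the schema `appdb` and both account names are placeholders; the last two statements show how an administrator can review which accounts hold the PROXY privilege.

```sql
-- Added example. my_auth_plugin, its AS string, appdb and the account
-- names are placeholders (assumptions), not values from the article.
-- Assumes a server-side authentication plug-in is installed that checks the
-- external credentials and returns 'developer' as the MySQL user name.

-- 1. The proxied user: the account that actually carries the privileges.
--    Give it a long random password so nobody logs in to it directly.
CREATE USER 'developer'@'localhost'
  IDENTIFIED BY 'replace-with-long-random-value';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'developer'@'localhost';

-- 2. The proxy user: exists only for log-ons that go through the plug-in.
--    The AS string is passed to the plug-in; its format is plug-in specific.
CREATE USER 'ext_login'@'localhost'
  IDENTIFIED WITH my_auth_plugin AS 'plugin-specific-string';

-- 3. Allow the proxy user to take on the identity of the proxied user.
--    Without this grant the server rejects the name the plug-in sends back.
GRANT PROXY ON 'developer'@'localhost' TO 'ext_login'@'localhost';

-- 4. Run inside a session opened as ext_login to see the mapping:
--    USER()         -> ext_login@localhost   (what the client supplied)
--    CURRENT_USER() -> developer@localhost   (whose privileges apply)
--    @@proxy_user   -> 'ext_login'@'localhost'
SELECT USER(), CURRENT_USER(), @@proxy_user;

-- 5. Review: every PROXY grant on the server, and whether the holder
--    may pass it on (With_grant = 1).
SELECT User, Host, Proxied_user, Proxied_host, With_grant, Grantor
  FROM mysql.proxies_priv
 ORDER BY Proxied_user, User;

SHOW GRANTS FOR 'ext_login'@'localhost';
```

Because privilege checks use the proxied account while the log-on name is the proxy account, records that store only `CURRENT_USER()` lose the external identity; capture `USER()` or `@@proxy_user` as well.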

Two plug-ins are also provided. Both still keep user management exclusively within MySQL, one with the short passwords common up to version 4.1.1, and the other with the longer ones currently used. However, this innovation also has side effects: if you want to use version 5.5.7, or later, of the server, you also need clients of at least this version, because older ones can no longer connect to the new server due to the authentication plug-ins. Internal tables have to be updated with mysql_upgrade if you want to upgrade from a previous version (even from the 5.5 series).

The recently published version 5.2 of MySQL fork MariaDB also uses plug-ins for external authentication. One of them allows registered UNIX users to work with the database without having to enter their user name and password again.

(crve)

Permalink: http://h-online.com/-1134905