Not able to connect to DB in php with mariadb gssapi, authentication method unknown to client

【Posted】: 2021-01-29 20:46:58 【Question】:

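I am trying to authenticate users via gssapi with the mariadb gssapi plugin in php on a local installation that uses xampp. I have set up xampp and have a working local installation. Now I want to connect to the database using a windows ldap user and gssapi authentication.

The problem was somehow discussed here, but without any result: GSSAPI-Auth with PHP to MariaDB (Windows)

The gssapi authentication for mariadb seems to work. I created a user in phpmyadmin with authentication method = gssapi. In the CLI I can connect, see the image below: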

Successful mysql connect with domain user

Now when trying to connect with

// Connect; on failure print the client-side error, then stop.
if (($dbcon = mysqli_connect("localhost", $mysql_userid, $password)) === FALSE) {
    echo "Debug-Fehlermeldung: " . mysqli_connect_error() . PHP_EOL;
    exit("4:Login process failed while connecting to database");
} else {
    $auth_result = TRUE;
}

I get the following error:

Warning: mysqli_connect(): The server requested authentication method unknown to the client [auth_gssapi_client] in C:\xampp\htdocs\oa5-maria\trunk\login.php on line 82

Warning: mysqli_connect(): (HY000/2054): The server requested authentication method unknown to the client in C:\xampp\htdocs\oa5-maria\trunk\login.php on line 82
4:Login process failed while connecting to database

I set default-authentication-plugin=gssapi in my my.ini file. But I don't know if this is the right way to do it.

Do you have any suggestions for solving this problem?

Here is my my.ini file:

# Example MySQL config file for small systems.
#
# This is for a system with little memory (<= 64M) where MySQL is only used
# from time to time and it's important that the mysqld daemon
# doesn't use much resources.
#
# You can copy this file to
# C:/xampp/mysql/bin/my.cnf to set global options,
# mysql-data-dir/my.cnf to set server-specific options (in this
# installation this directory is C:/xampp/mysql/data) or
# ~/.my.cnf to set user-specific options.
#
# In this file, you can use all long options that a program supports.
# If you want to know which options a program supports, run the program
# with the "--help" option.

# The following options will be passed to all MySQL clients
[client]
# password       = your_password 
port=3306
socket="C:/xampp/mysql/mysql.sock"


# Here follows entries for some specific programs 

# The MySQL server
default-character-set=utf8mb4
[mysqld]
port=3306
socket="C:/xampp/mysql/mysql.sock"
basedir="C:/xampp/mysql"
tmpdir="C:/xampp/tmp"
datadir="C:/xampp/mysql/data"
pid_file="mysql.pid"
# enable-named-pipe
key_buffer=16M
max_allowed_packet=200M
sort_buffer_size=512K
net_buffer_length=8K
read_buffer_size=256K
read_rnd_buffer_size=512K
myisam_sort_buffer_size=8M
log_error="mysql_error.log"
# new, for authentication
default-authentication-plugin=gssapi

# Change here for bind listening
# bind-address="127.0.0.1" 
# bind-address = ::1          # for ipv6

# Where do all the plugins live
plugin_dir="C:/xampp/mysql/lib/plugin/"

# Don't listen on a TCP/IP port at all. This can be a security enhancement,
# if all processes that need to connect to mysqld run on the same host.
# All interaction with mysqld must be made via Unix sockets or named pipes.
# Note that using this option without enabling named pipes on Windows
# (via the "enable-named-pipe" option) will render mysqld useless!
# 
# commented in by lampp security
#skip-networking
#skip-federated

# Replication Master Server (default)
# binary logging is required for replication
# log-bin deactivated by default since XAMPP 1.4.11
#log-bin=mysql-bin

# required unique id between 1 and 2^32 - 1
# defaults to 1 if master-host is not set
# but will not function as a master if omitted
server-id   =1

# Replication Slave (comment out master section to use this)
#
# To configure this host as a replication slave, you can choose between
# two methods :
#
# 1) Use the CHANGE MASTER TO command (fully described in our manual) -
#    the syntax is:
#
#    CHANGE MASTER TO MASTER_HOST=<host>, MASTER_PORT=<port>,
#    MASTER_USER=<user>, MASTER_PASSWORD=<password> ;
#
#    where you replace <host>, <user>, <password> by quoted strings and
#    <port> by the master's port number (3306 by default).
#
#    Example:
#
#    CHANGE MASTER TO MASTER_HOST='125.564.12.1', MASTER_PORT=3306,
#    MASTER_USER='joe', MASTER_PASSWORD='secret';
#
# OR
#
# 2) Set the variables below. However, in case you choose this method, then
#    start replication for the first time (even unsuccessfully, for example
#    if you mistyped the password in master-password and the slave fails to
#    connect), the slave will create a master.info file, and any later
#    change in this file to the variables' values below will be ignored and
#    overridden by the content of the master.info file, unless you shutdown
#    the slave server, delete master.info and restart the slaver server.
#    For that reason, you may want to leave the lines below untouched
#    (commented) and instead use CHANGE MASTER TO (see above)
#
# required unique id between 2 and 2^32 - 1
# (and different from the master)
# defaults to 2 if master-host is set
# but will not function as a slave if omitted
#server-id       = 2
#
# The replication master for this slave - required
#master-host     =   <hostname>
#
# The username the slave will use for authentication when connecting
# to the master - required
#master-user     =   <username>
#
# The password the slave will authenticate with when connecting to
# the master - required
#master-password =   <password>
#
# The port the master is listening on.
# optional - defaults to 3306
#master-port     =  <port>
#
# binary logging - not required for slaves, but recommended
#log-bin=mysql-bin


# Point the following paths to different dedicated disks
#tmpdir = "C:/xampp/tmp"
#log-update = /path-to-dedicated-directory/hostname

# Uncomment the following if you are using BDB tables
#bdb_cache_size = 4M
#bdb_max_lock = 10000

# Comment the following if you are using InnoDB tables
#skip-innodb
innodb_data_home_dir="C:/xampp/mysql/data"
innodb_data_file_path=ibdata1:10M:autoextend
innodb_log_group_home_dir="C:/xampp/mysql/data"
#innodb_log_arch_dir = "C:/xampp/mysql/data"
## You can set .._buffer_pool_size up to 50 - 80 %
## of RAM but beware of setting memory usage too high
innodb_buffer_pool_size=16M
## Set .._log_file_size to 25 % of buffer pool size
innodb_log_file_size=5M
innodb_log_buffer_size=8M
innodb_flush_log_at_trx_commit=1
innodb_lock_wait_timeout=50

## UTF 8 Settings
#init-connect=\'SET NAMES utf8\'
#collation_server=utf8_unicode_ci
#character_set_server=utf8
#skip-character-set-client-handshake
#character_sets-dir="C:/xampp/mysql/share/charsets"
sql_mode=NO_ZERO_IN_DATE,NO_ZERO_DATE,NO_ENGINE_SUBSTITUTION
log_bin_trust_function_creators=1

character-set-server=utf8mb4
collation-server=utf8mb4_general_ci
[mysqldump]
max_allowed_packet=16M

[mysql]
# Remove the next comment character if you are not familiar with SQL
#safe-updates

[isamchk]
key_buffer=20M
sort_buffer_size=20M
read_buffer=2M
write_buffer=2M

[myisamchk]
key_buffer=20M
sort_buffer_size=20M
read_buffer=2M
write_buffer=2M

[mysqlhotcopy]

lower_case_table_names=0

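【Answer 1】:

The difference between your client and PHP is that the client is linked against libmariadb (and is therefore able to load the auth_gssapi_plugin), while mysqli is linked against either libmysql or PHP's internal mysqlnd driver.

Besides Kerberos/GSSAPI, MariaDB also provides ed25519 and pam authentication (via the dialog plugin), which are not supported by libmysql and mysqlnd.

Unfortunately, building ext/mysqli against MariaDB Connector/C does not work, and a recent pull request to fix that was rejected.

【Comments】:

Thanks for the information. I am not sure I understood correctly. Does this mean I have to try using e.g. pam auth to get it to work? Or is there any other way to connect to the database using LDAP auth?

Afaik LDAP authentication is only supported by MySQL enterprise server/client. You can omit default_authentication_plugin in your configuration and use the default mysql_native_password.

But I am not using mysql, I am using mariadb. That is why we plan to switch from mysql to mariadb. I can't be the first one trying to authenticate via ldap with a php application using mariadb, can I?

You already wrote in your question that you are using MariaDB. What in my answer is unclear about why you can't use these authentication methods with PHP?

Not sure whether your answer was a clear "no", but I understand now that it is not possible. Thank you anyway. Do you have any suggestions for me before I try to investigate other approaches? Would it be possible to use a postgresql database? I know there is the pg_pconnect function in php, but does that work with ldap auth users in a postgresql database?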
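The failure discussed in this thread, modelled at the protocol level as an added example (not code from the question, the answer, PHP or MariaDB): the server names the client-side plugin in an auth-switch packet, and a client library that has no plugin of that name stops with error 2054. The two plugin sets and the packet contents are assumptions made for illustration; the plugin data is treated as opaque bytes.

```python
import struct

# Assumption: auth plugins built into PHP's mysqlnd driver (not from the page).
MYSQLND_PLUGINS = {"mysql_native_password", "mysql_clear_password",
                   "sha256_password", "caching_sha2_password"}
# Assumption: a libmariadb client that can also load MariaDB's extra plugins.
LIBMARIADB_PLUGINS = MYSQLND_PLUGINS | {"auth_gssapi_client", "client_ed25519", "dialog"}

ERR_UNKNOWN_AUTH_METHOD = 2054  # code shown in the question's warning


def build_auth_switch(plugin: str, data: bytes, seq: int = 2) -> bytes:
    """Constructed server packet: 3-byte LE length, sequence id, 0xFE, name NUL, data."""
    payload = b"\xfe" + plugin.encode("ascii") + b"\x00" + data
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def parse_auth_switch(packet: bytes):
    """Return (plugin_name, plugin_data) from an auth-switch request packet."""
    if len(packet) < 5:
        raise ValueError("truncated packet header")
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if not payload or payload[0] != 0xFE:
        raise ValueError("not an auth-switch request")
    name, sep, data = payload[1:].partition(b"\x00")
    if not sep:
        raise ValueError("plugin name is not NUL-terminated")
    return name.decode("ascii"), data


def client_reaction(packet: bytes, available: set):
    """Mimic the client: continue with the named plugin, or fail with 2054."""
    plugin, _ = parse_auth_switch(packet)
    if plugin in available:
        return (0, f"continue handshake with {plugin}")
    return (ERR_UNKNOWN_AUTH_METHOD,
            f"The server requested authentication method unknown to the client [{plugin}]")


if __name__ == "__main__":
    pkt = build_auth_switch("auth_gssapi_client", b"constructed-plugin-data")
    print("mysqlnd   :", client_reaction(pkt, MYSQLND_PLUGINS))
    print("libmariadb:", client_reaction(pkt, LIBMARIADB_PLUGINS))
```

The same account therefore works from the mysql CLI and fails from mysqli: the server side is identical, only the set of plugins the client library can load differs.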
