Currently, Vitess supports two ways to authenticate to vtgate via the MySQL protocol:

- Static: You provide a static configuration file to vtgate with user names and plaintext passwords or mysql_native_password password hashes. This file can be reloaded without restarting vtgate.
- LDAP: You provide the necessary details of an upstream LDAP server, along with credentials and configuration, to query it. Using this information, the LDAP password for a user can then be used to authenticate the same user against vtgate. You can also integrate with LDAP groups to allow ACLs to be managed using information from the LDAP server.

In this guide, we will examine the capabilities of the vtgate LDAP integration and how to configure them.

- The MySQL connection to vtgate must be encrypted. This is required because of the next point, but can be bypassed.
- The application must be able to, and be configured to, pass its password using the cleartext MySQL authentication protocol. This is why the MySQL connection to vtgate must be encrypted first. Cleartext is needed because LDAP servers do not standardize their password hashes, so vtgate needs the cleartext password to bind (i.e. authenticate) against the LDAP server to verify the user's password. Note that some applications might not support passing cleartext MySQL passwords without alteration or configuration. For example, recent versions of the MySQL CLI client mysql need the additional --enable-cleartext-plugin option to allow the passing of cleartext passwords.

To configure vtgate to integrate with LDAP you will have to perform various tasks:

- Generate/obtain TLS certificate(s) for the vtgate server(s), and configure vtgate to use them.
- Obtain or add the necessary LDAP user/groups for integration with vtgate.
  - LDAP user entries for each of the MySQL users you want to use at the vtgate level. An example might be a readonly user, a readwrite user, and an admin/DBA user.
  - Ensure these users are part of one or more LDAP groups. This is not strictly required by Vitess, but is leveraged to obtain group membership that can then be used in Vitess (vttablet) ACLs.

At the moment, if you use an LDAP user that is not a member of an LDAP group, the MySQL client authentication to vtgate will fail, even if the password is correct.
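The group-membership requirement described on this page can be checked before rollout. The following is an added example, not part of the Vitess documentation or code: it parses an LDIF export and flags intended vtgate users that have no LDAP entry or belong to no group. The sample LDIF, DNs and user names are constructed, and membership via `memberUid` (posixGroup) or `member` (groupOfNames) is an assumption about the directory schema, not a statement of how vtgate queries groups.

```python
import re

# Constructed sample LDIF export; every DN and name here is hypothetical.
SAMPLE_LDIF = """\
dn: uid=readonly,ou=users,dc=example,dc=org
uid: readonly

dn: uid=readwrite,ou=users,dc=example,dc=org
uid: readwrite

dn: uid=dba,ou=users,dc=example,dc=org
uid: dba

dn: cn=vitess-readers,ou=groups,dc=example,dc=org
objectClass: posixGroup
memberUid: readonly

dn: cn=vitess-admins,ou=groups,dc=example,dc=org
objectClass: groupOfNames
member: uid=dba,ou=users,dc=example,dc=org
"""

def parse_ldif(text):
    """Return entries as dicts of lowercase attribute -> list of values."""
    entries = []
    unfolded = re.sub(r"\n ", "", text)  # LDIF folds long lines with a leading space
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # skip comments and malformed lines
            key, _, value = line.partition(":")  # base64 ('::') values are not decoded
            entry.setdefault(key.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit(ldif_text, wanted_users):
    """Map each intended vtgate user to 'ok', 'no group' or 'no LDAP entry'."""
    entries = parse_ldif(ldif_text)
    uid_by_dn = {e["dn"][0].lower(): e["uid"][0]
                 for e in entries if "dn" in e and "uid" in e}
    grouped = set()
    for e in entries:
        grouped.update(e.get("memberuid", []))               # posixGroup: bare uid
        dns = [d.lower() for d in e.get("member", [])]       # groupOfNames: full DN
        grouped.update(uid_by_dn[d] for d in dns if d in uid_by_dn)
    known = set(uid_by_dn.values())
    return {u: "ok" if u in grouped else ("no group" if u in known else "no LDAP entry")
            for u in wanted_users}
```

Any user reported as `no group` would fail to authenticate to vtgate even with a correct password, per the caveat on this page.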