{"id":717,"date":"2013-01-30T13:21:14","date_gmt":"2013-01-30T11:21:14","guid":{"rendered":"http:\/\/www.identitycosmos.com\/?p=717"},"modified":"2013-01-30T13:21:14","modified_gmt":"2013-01-30T11:21:14","slug":"authentification-kerberos-sur-mysql-mariadb","status":"publish","type":"post","link":"https:\/\/identitycosmos.com\/index.php\/2013\/01\/30\/authentification-kerberos-sur-mysql-mariadb\/","title":{"rendered":"Kerberos Authentication on MySQL &#038; MariaDB"},"content":{"rendered":"<p><a href=\"http:\/\/www.identitycosmos.com\/http:\/www.identitycosmos.com\/technique\/authentification-kerberos-sur-mysql-mariadb\/attachment\/mysql_mariadb\" rel=\"attachment wp-att-718\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-medium wp-image-718\" alt=\"mysql_mariadb\" src=\"http:\/\/www.identitycosmos.com\/wp-content\/uploads\/2013\/01\/mysql_mariadb-240x300.png\" width=\"240\" height=\"300\" \/><\/a>Kerberos is certainly the protocol best suited to handling user authentication on an enterprise network. It is relatively simple to join systems (in the OS sense of the term) to Kerberos realms (MIT, Heimdal or Active Directory), thanks in particular to free software suites such as <a href=\"http:\/\/www.centrify.com\/express?pid=0014\">Centrify Express<\/a>.<\/p>\n<p>The same goes for Web applications: the method is relatively standardized, thanks in particular to the standardized <a href=\"http:\/\/en.wikipedia.org\/wiki\/Generic_Security_Services_Application_Program_Interface\">GSSAPI<\/a> interface, which makes it possible to define a Kerberos-based authentication method in the authentication module of the Web application itself. 
The GSSAPI method has notably been standardized for Java, which makes user authentication for Java applications relatively simple to implement and manage with Kerberos.<\/p>\n<p>For &#8220;thick-client&#8221; applications, things get a little more complicated&#8230; Proprietary applications such as SAP generally require <a href=\"http:\/\/www.centrify.com\/directcontrol\/sap.asp\">additional commercial modules<\/a>, and &#8220;Open Source&#8221; applications are not always compatible; nevertheless, the MySQL and MariaDB databases are fully compatible with integrated Kerberos authentication.<\/p>\n<p>The configuration is then done at the level of the PAM modules: you will find [ <a href=\"https:\/\/dev.mysql.com\/doc\/refman\/5.5\/en\/pam-authentication-plugin.html\">here <\/a>] the explanations for MySQL, and [ <a href=\"https:\/\/kb.askmonty.org\/en\/pam-authentication-plugin\/\">here <\/a>] the explanations for MariaDB: happy reading and happy testing!<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kerberos is certainly the protocol best suited to handling user authentication on an enterprise network. It is relatively simple to join systems (in the OS sense of the term) to Kerberos realms (MIT, Heimdal or Active Directory), thanks in particular to free software suites such as Centrify Express.<\/p>\n<p>The same goes for Web applications: the method is relatively standardized, thanks in particular to the standardized GSSAPI interface, which makes it possible to define a Kerberos-based authentication method in the authentication module of the Web application itself. 
The GSSAPI method has notably been standardized for Java, which makes user authentication for Java applications relatively simple to implement and manage with Kerberos.<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[111,132,143,152,156,211],"class_list":["post-717","post","type-post","status-publish","format-standard","hentry","category-technique","tag-heimdal","tag-kerberos","tag-mariadb","tag-mit","tag-mysql","tag-sap"],"_links":{"self":[{"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/posts\/717","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/comments?post=717"}],"version-history":[{"count":0,"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/posts\/717\/revisions"}],"wp:attachment":[{"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/media?parent=717"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/categories?post=717"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/identitycosmos.com\/index.php\/wp-json\/wp\/v2\/tags?post=717"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}