Synchronization Rules

Additional Notes

• New SingleStoreDB users and groups that are created during the sync abide by the following rules.

  • New users and groups are created with the LDAP user and group names. The names of the imported users and groups must also be unique.

  • New users can be authenticated via Kerberos, PAM, SAML, or JWT, depending on the authentication protocol preconfigured in SingleStoreDB.

  • New users are created with the parameters defined by the --resource-pool, --failed-login-attempts, and --password-lock-time options. Note that the resource pool you specify must already exist in SingleStoreDB.

  • New users will be members of the ldap_users_internal_group group. This group must not be modified. Note: Members of ldap_users_internal_group will be referred to as "managed" users throughout this document.

  • New users are created with the % hostname, allowing them to connect to the cluster from any host.

• New SingleStoreDB groups are created with the members of the LDAP groups that are synced. As SingleStoreDB does not support sub-groups of user groups, only one group level is supported. For example, DentalCSR and MedicalCSR are two LDAP user groups. After syncing with SingleStoreDB, members of DentalCSR in LDAP become members of DentalCSR in SingleStoreDB, whereas members of MedicalCSR in LDAP will be added to MedicalCSR in SingleStoreDB. If a user belongs to both LDAP groups, then the user will be part of both SingleStoreDB groups.

• If a SingleStoreDB user that is dropped during a sync also has an active database connection, the user can run commands until the session expires. However, the deleted user cannot establish new database connections.

• If an LDAP user already exists in SingleStoreDB, the tool will sync the LDAP user’s information with SingleStoreDB.

• The tool does not sync a user’s hosts or passwords from LDAP.