Processing LDAP Search Results

On this page

General

The processing of LDAP search results involves obtaining the required user and group information from LDAP and mapping it with SingleStore users and groups. This processing is handled by the "detail" section in the output.

detail: # detail specifies the structure of the user and group ldap entries
  user_object_class: user # --user-object-class user
  group_object_class: group # --group-object-class group
  user_attribute: sAMAccountName # --user-attribute sAMAccountName
  group_attribute: sAMAccountName # --group-attribute sAMAccountName
  user_member_of_attribute: memberOf # --user-member-of-attribute memberOf
  group_members_attribute: member # --group-members-attribute member
  user_principal_name_attribute: userPrincipalName # --user-principal-name-attribute userPrincipalName

Note that only users and groups are taken into account.

Users

Here is a part of a sample LDAP user entry with details on processing the user entry.

# peter pan, Users, memsql.ldap.testing
  dn: CN=peter pan,CN=Users,DC=memsql,DC=ldap,DC=testing
  objectClass: user # --user-object-class user is used to distinguish user entries from all the other entries
  memberOf: CN=employees,DC=memsql,DC=ldap,DC=testing # --user-member-of-attribute memberOf is used to map the user to their groups
  sAMAccountName: pan # --user-attribute sAMAccountName is used as a name for the SQL user
  userPrincipalName: pan@memsql.ldap.testing # --user-principal-name-attribute userPrincipalName is used for as SPN for the Kerberos authentication

All the attribute keys may be overridden with their equivalent values (which will result in using the equivalent attributes). For example, cn can be used instead of the sAMAccountName for the SQL username.

Here are some examples of the CREATE USER queries that depend on the described options.

In CREATE USER 'Peter' IDENTIFIED WITH 'authentication_pam' AS 'testing.com',

  • Peter is the value of --user-attribute

  • authentication_pam is selected by --auth-method pam

  • testing.com is the value of --pam-auth-service

In CREATE USER u IDENTIFIED WITH 'authentication_gss' AS 'u@testing.com',

  • u is the value of --user-attribute

  • authentication_gss is selected by --auth-method kerberos

  • u@testing.com is

    • either the value of the attribute selected by --user-principal-name-attribute

    • or u is the --user-attribute value and testing.com is the value of --kerberos-realm, which overrides the first option

Groups

Here is a part of a sample LDAP group entry with details on processing it.

# employees, memsql.ldap.testing
  dn: CN=employees,DC=memsql,DC=ldap,DC=testing
  objectClass: group # --group-object-class group is used to distinguish group entries from all the other entries
  member: CN=peter pan,CN=Users,DC=memsql,DC=ldap,DC=testing # --group-members-attribute member is used to map the group to its users
  sAMAccountName: employees # --group-attribute sAMAccountName is used as a name for the SQL group

In CREATE GROUP 'employees', the group name is taken from the --group-attribute value.

Last modified: June 22, 2022

Was this article helpful?

Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined
  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined
  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
    cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
    --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
    --bundle undefined \
    --new-bundle-format -
    Verified OK