Sign inTry Free

Processing LDAP Search Results

On this page

General

The processing of LDAP search results involves obtaining the required user and group information from LDAP and mapping it with SingleStore users and groups. This processing is handled by the "detail" section in the output.

detail: # detail specifies the structure of the user and group ldap entries                                                                                         
  user_object_class: user # --user-object-class user                                                                        
  group_object_class: group # --group-object-class group                                                                       
  user_attribute: sAMAccountName # --user-attribute sAMAccountName                                                                  
  group_attribute: sAMAccountName # --group-attribute sAMAccountName                                                                 
  user_member_of_attribute: memberOf # --user-member-of-attribute memberOf                                                              
  group_members_attribute: member # --group-members-attribute member                                                               
  user_principal_name_attribute: userPrincipalName # --user-principal-name-attribute userPrincipalName

Note that only users and groups are taken into account.

Users

Here is a part of a sample LDAP user entry with details on processing the user entry.

# peter pan, Users, memsql.ldap.testing                                                              
  dn: CN=peter pan,CN=Users,DC=memsql,DC=ldap,DC=testing                                                                                                                                    
  objectClass: user # --user-object-class user is used to distinguish user entries from all the other entries                                                                                                             
  memberOf: CN=employees,DC=memsql,DC=ldap,DC=testing # --user-member-of-attribute memberOf is used to map the user to their groups                                                                                                   
  sAMAccountName: pan # --user-attribute sAMAccountName is used as a name for the SQL user                                                                                 
  userPrincipalName: pan@memsql.ldap.testing # --user-principal-name-attribute userPrincipalName is used for as SPN for the Kerberos authentication

All the attribute keys may be overridden with their equivalent values (which will result in using the equivalent attributes). For example, cn can be used instead of the sAMAccountName for the SQL username.

Here are some examples of the CREATE USER queries that depend on the described options.

In CREATE USER 'Peter' IDENTIFIED WITH 'authentication_pam' AS 'testing.com',

  • Peter is the value of --user-attribute

  • authentication_pam is selected by --auth-method pam

  • testing.com is the value of --pam-auth-service

In CREATE USER u IDENTIFIED WITH 'authentication_gss' AS 'u@testing.com',

  • u is the value of --user-attribute

  • authentication_gss is selected by --auth-method kerberos

  • u@testing.com is

    • either the value of the attribute selected by --user-principal-name-attribute

    • or u is the --user-attribute value and testing.com is the value of --kerberos-realm, which overrides the first option

Groups

Here is a part of a sample LDAP group entry with details on processing it.

# employees, memsql.ldap.testing                                                                     
  dn: CN=employees,DC=memsql,DC=ldap,DC=testing                                                        
  objectClass: group # --group-object-class group is used to distinguish group entries from all the other entries                                                                                                                                                                        
  member: CN=peter pan,CN=Users,DC=memsql,DC=ldap,DC=testing # --group-members-attribute member is used to map the group to its users                                           
  sAMAccountName: employees # --group-attribute sAMAccountName is used as a name for the SQL group

In CREATE GROUP 'employees', the group name is taken from the --group-attribute value.

Last modified: June 22, 2022

Was this article helpful?

On this page

Was this article helpful?

Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined

  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined

  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
        cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
          --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
          --bundle undefined \
          --new-bundle-format -
    Verified OK