sync-ldap
Description
Sync LDAP users and groups.
Usage
Sync LDAP users and groups. The command 'sdb-admin sync-ldap' syncs LDAP users and groups. LDAP is not modified in any way. This command may be run by either: - Specifying the required flags on the command line (--groups, --uris, --schema, --auth-method, --search-base...) or by - Providing a configuration file with the --config-file flag Below is example of syncing users and groups from Active Directory (AD) using flags on the command line: sdb-admin sync-ldap --uris ldap://52.59.219.12 --groups Medical --search-base dc=memsql,dc=ldap,dc=testing --auth-method kerberos --schema active-directory --bind-user "CN=Some User,CN=Users,DC=memsql,DC=ldap,DC=testing" --bind-credentials password The following YAML-based configuration file is equivalent to the example above. drop_unmanaged_memsql_users: false groups: - Medical schema: active-directory show_detail: false ldap_client: uris: - ldap://52.59.219.12 start_tls: false ca_paths: [] bind: user: CN=Some User,CN=Users,DC=memsql,DC=ldap,DC=testing credentials: password search: base: dc=memsql,dc=ldap,dc=testing filter: (&(objectClass=*)) detail: user_object_class: user group_object_class: group user_attribute: sAMAccountName group_attribute: sAMAccountName user_member_of_attribute: memberOf group_members_attribute: member user_principal_name_attribute: userPrincipalName sql_user: resource_pool: "" failed_login_attempts_limit: 0 password_lock_time: 0 auth_method: kerberos pam_auth_service: "" kerberos_realm: "" sql_client: user: root password: null Note that there are a number of additional fields that may be specified in the config file, such as 'ca_paths' and the 'detail' struct. For custom LDAP implementations, use either the 'detail' struct in the config file or the appropriate flags on the command line. The 'detail' struct describes the structure of an LDAP entry. Either the 'schema' field or the --schema flag can be used to define the required details. Note that these details can also be overridden. For example, given an LDAP user entry: # adam, example.org dn: uid=adam,dc=example,dc=org objectClass: posixAccount uid: adam ...and an LDAP group entry: # dbagrp, example.org dn: cn=dbagrp,dc=example,dc=org objectClass: posixGroup cn: dbagrp memberUid: user ...a detail configuration will resemble: ldap_client: search: detail: user_object_class: posixAccount group_object_class: posixGroup user_attribute: uid group_attribute: cn user_member_of_attribute: "" group_members_attribute: memberUid user_principal_name_attribute: "" Currently supported schemas include unspecified, active-directory, open-ldap. You should only override the 'detail' struct if the required schema is unsupported. All users created with this command are members of the group 'ldap_users_internal_group'. Note that this group must not be modified. LDAP bind credentials may be indicated using the 'LDAP_BIND_CREDENTIALS' environment variable. Usage: sdb-admin sync-ldap [flags] Flags: --auth-method {kerberos, pam, saml, jwt} Authentication method for new SingleStore DB users (default unspecified) --bind-credentials string Credentials of the LDAP user --bind-user string The user name DN to log into LDAP (e.g. cn=admin,dc=example,dc=org) --ca-paths FILE_PATHS The path(s) to the TLS root CA file. The default root certificate(s) will be used if no value(s) are provided --config-file FILE_PATH The path to the configuration file (e.g. ../ldap-sync-config.yaml) --drop-unmanaged-memsql-users Drop users created in SingleStore DB but no longer found in LDAP --failed-login-attempts-limit POSITIVE_INTEGER Maximum failed login attempts for new SingleStore DB users --group-attribute string The field name for an LDAP group name (ADVANCED) --group-members-attribute string The field name for an LDAP group's users (ADVANCED) --group-object-class string The objectClass name to match against an LDAP group (ADVANCED) --groups strings User group name(s) to sync, separated by commas. Only the groups listed may be granted or revoked (e.g. Medical,Engineering) -h, --help Help for sync-ldap --kerberos-realm string Service principal name domain for Kerberos (ADVANCED) --pam-auth-service string Service name for PAM --password string SQL password for connecting to SingleStore DB --password-lock-time POSITIVE_INTEGER Failed login lockout time in seconds for new SingleStore DB users --query-filter string LDAP filter to narrow search results --resource-pool string Resource pool name for new SingleStore DB users --saml-user-domain-attribute string The field name for an LDAP user's SAML domain suffix. Only applies to the SAML authentication method (ADVANCED) --schema {unspecified, active-directory, open-ldap} LDAP schema which defines the structure of user and group entries (default unspecified) --search-base string Search base path for the LDAP search object (e.g. dc=example,dc=org) --show-detail Show syncing details on users and groups --start-tls Issue StartTLS (Transport Layer Security) extended operation --uris strings URI(s) of the LDAP server(s), separated by commas (e.g. ldap://172.17.0.2) --user string SQL user for connecting to SingleStore DB (default "root") --user-attribute string The field name for an LDAP username (ADVANCED) --user-member-of-attribute string The field name for an LDAP user's groups (ADVANCED) --user-object-class string The objectClass name to match against an LDAP user (ADVANCED) --user-principal-name-attribute string The field name for an LDAP user's Kerberos/SAML principal name. Only applies to Kerberos and SAML authentication methods (ADVANCED) Global Flags: --backup-cache FILE_PATH File path for the backup cache --cache-file FILE_PATH File path for the Toolbox node cache -c, --config FILE_PATH File path for the Toolbox configuration --disable-colors Disable colored output in console, which some terminal sessions/environments may have issues with --disable-spinner Disable the progress spinner, which some terminal sessions/environments may have issues with -j, --json Enable JSON output --parallelism POSITIVE_INTEGER Maximum number of operations to run in parallel --runtime-dir DIRECTORY_PATH Where to store Toolbox runtime data --ssh-max-sessions POSITIVE_INTEGER Maximum number of SSH sessions to open per host, must be at least 3 --state-file FILE_PATH Toolbox state file path -v, --verbosity count Increase logging verbosity: valid values are 1, 2, 3. Usage -v=count or --verbosity=count -y, --yes Enable non-interactive mode and assume the user would like to move forward with the proposed actions by default
Remarks
--password
is an optional flag that specifies the SingleStore DBroot
password. You can optionally use this flag in conjunction with the--user
flag to specify a SingleStore DB user that is different from theroot
user and the user’s password. Note that theMEMSQL_PASSWORD
environment variable is a safer alternative option for setting the password.Wrap the password string in single quotes (') to avoid having the shell try to interpret any special characters included in the string.
This command is interactive unless you use either
--yes
or--json
flag to override interactive behavior.