Processing LDAP Search Results

General

Processing LDAP search results means obtaining the required user and group information from LDAP and mapping it onto SingleStoreDB users and groups. Which entries count as users or groups, and which attributes supply the names and memberships, is controlled by the "detail" section shown below; each key has an equivalent command-line option, given in the comments.

detail: # detail specifies the structure of the user and group ldap entries
  user_object_class: user # --user-object-class user
  group_object_class: group # --group-object-class group
  user_attribute: sAMAccountName # --user-attribute sAMAccountName
  group_attribute: sAMAccountName # --group-attribute sAMAccountName
  user_member_of_attribute: memberOf # --user-member-of-attribute memberOf
  group_members_attribute: member # --group-members-attribute member
  user_principal_name_attribute: userPrincipalName # --user-principal-name-attribute userPrincipalName

Note that only user and group entries are taken into account; entries of any other object class returned by the search are ignored.

Users

Here is part of a sample LDAP user entry, with comments describing how each attribute is processed.

# peter pan, Users, memsql.ldap.testing
  dn: CN=peter pan,CN=Users,DC=memsql,DC=ldap,DC=testing
  objectClass: user # --user-object-class user is used to distinguish user entries from all the other entries
  memberOf: CN=employees,DC=memsql,DC=ldap,DC=testing # --user-member-of-attribute memberOf is used to map the user to their groups
  sAMAccountName: pan # --user-attribute sAMAccountName is used as the name of the SQL user
  userPrincipalName: pan@memsql.ldap.testing # --user-principal-name-attribute userPrincipalName is used as the principal name for Kerberos authentication

Any of these attribute names can be overridden, in which case the named attribute is read instead. For example, cn can be used instead of sAMAccountName as the source of the SQL username.

Here are examples of the CREATE USER statements that result from these options.

In CREATE USER 'Peter' IDENTIFIED WITH 'authentication_pam' AS 'testing.com':

  • Peter is the value of the attribute selected by --user-attribute

  • authentication_pam is selected by --auth-method pam

  • testing.com is the value of --pam-auth-service

In CREATE USER 'u' IDENTIFIED WITH 'authentication_gss' AS 'u@testing.com':

  • u is the value of the attribute selected by --user-attribute

  • authentication_gss is selected by --auth-method kerberos

  • u@testing.com is the Kerberos principal name, which is

    • either the value of the attribute selected by --user-principal-name-attribute

    • or, when --kerberos-realm is set, the --user-attribute value followed by @ and the realm (u@testing.com with --kerberos-realm testing.com); a configured realm takes precedence over the principal name attribute

Groups

Here is part of a sample LDAP group entry, with comments describing how it is processed.

# employees, memsql.ldap.testing
  dn: CN=employees,DC=memsql,DC=ldap,DC=testing
  objectClass: group # --group-object-class group is used to distinguish group entries from all the other entries
  member: CN=peter pan,CN=Users,DC=memsql,DC=ldap,DC=testing # --group-members-attribute member is used to map the group to its users
  sAMAccountName: employees # --group-attribute sAMAccountName is used as the name of the SQL group

In CREATE GROUP 'employees', the group name is taken from the --group-attribute value.
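The following Python script is an added example that implements the user and group mapping described in both sections above; it is not SingleStoreDB's own tool, and the names DETAIL, parse_ldif, create_user_statements, create_group_statements and membership_mismatches are assumptions for illustration. It reads a constructed LDIF-style dump modelled on the sample entries, applies the "detail" mapping, builds the CREATE USER statements for both --auth-method values (including the --kerberos-realm precedence rule), builds the CREATE GROUP statements, and cross-checks the two membership attributes. Because every attribute value is data controlled by whoever administers the directory, the script quotes values as SQL string literals rather than concatenating them raw; the second constructed user carries a quote in its sAMAccountName to show why that matters.

```python
# Constructed sample dump modelled on the page's entries; not real directory data.
# The second user deliberately has a quote in its name; the group lists her as a
# member but her entry has no memberOf back-link, so the cross-check reports it.
SAMPLE_LDIF = """\
dn: CN=peter pan,CN=Users,DC=memsql,DC=ldap,DC=testing
objectClass: top
objectClass: user
memberOf: CN=employees,DC=memsql,DC=ldap,DC=testing
sAMAccountName: pan
userPrincipalName: pan@memsql.ldap.testing

dn: CN=wendy,CN=Users,DC=memsql,DC=ldap,DC=testing
objectClass: user
sAMAccountName: wendy' OR '1'='1
userPrincipalName: wendy@memsql.ldap.testing

dn: CN=employees,DC=memsql,DC=ldap,DC=testing
objectClass: top
objectClass: group
member: CN=peter pan,CN=Users,DC=memsql,DC=ldap,DC=testing
member: CN=wendy,CN=Users,DC=memsql,DC=ldap,DC=testing
sAMAccountName: employees

dn: CN=printer01,CN=Computers,DC=memsql,DC=ldap,DC=testing
objectClass: computer
sAMAccountName: PRINTER01$
"""

# Same keys as the "detail" section / --* options on the page (hypothetical dict name).
DETAIL = {
    "user_object_class": "user",
    "group_object_class": "group",
    "user_attribute": "sAMAccountName",
    "group_attribute": "sAMAccountName",
    "user_member_of_attribute": "memberOf",
    "group_members_attribute": "member",
    "user_principal_name_attribute": "userPrincipalName",
}


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attr: [values]} dicts.
    Attribute names are case-insensitive in LDAP, so keys are lower-cased;
    multi-valued attributes (objectClass, member, memberOf) keep every value."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        key, _, val = line.partition(":")
        cur.setdefault(key.strip().lower(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries


def values(entry, attr):
    return entry.get(attr.lower(), [])


def first(entry, attr):
    v = values(entry, attr)
    return v[0] if v else None


def has_class(entry, cls):
    # Note: in Active Directory, computer accounts also carry objectClass "user"
    # (computer derives from user), so a real sync needs more than this filter.
    return cls.lower() in (c.lower() for c in values(entry, "objectClass"))


def sql_literal(s):
    """Quote a directory-supplied value as a SQL string literal (doubling quotes
    and backslashes) so it can never terminate the literal it is placed in."""
    return "'" + s.replace("\\", "\\\\").replace("'", "''") + "'"


def create_user_statements(entries, detail, auth_method="pam",
                           pam_auth_service=None, kerberos_realm=None):
    """Build one CREATE USER per user entry, following the page's rules."""
    stmts = []
    for e in entries:
        if not has_class(e, detail["user_object_class"]):
            continue
        name = first(e, detail["user_attribute"])
        if name is None:
            continue
        if auth_method == "pam":
            if pam_auth_service is None:
                raise ValueError("--pam-auth-service is required with --auth-method pam")
            method, ident = "authentication_pam", pam_auth_service
        elif auth_method == "kerberos":
            method = "authentication_gss"
            # --kerberos-realm, when set, overrides the principal name attribute.
            ident = (f"{name}@{kerberos_realm}" if kerberos_realm
                     else first(e, detail["user_principal_name_attribute"]))
        else:
            raise ValueError(f"unknown auth method {auth_method!r}")
        if ident is None:
            continue
        stmts.append(f"CREATE USER {sql_literal(name)} IDENTIFIED WITH "
                     f"'{method}' AS {sql_literal(ident)}")
    return stmts


def create_group_statements(entries, detail):
    """Build one CREATE GROUP per group entry, named by --group-attribute."""
    return [f"CREATE GROUP {sql_literal(first(e, detail['group_attribute']))}"
            for e in entries
            if has_class(e, detail["group_object_class"])
            and first(e, detail["group_attribute"]) is not None]


def membership_mismatches(entries, detail):
    """Compare the group side (member) with the user side (memberOf) and return
    sorted (group_dn, user_dn) pairs present in only one direction. DNs are
    compared as exact strings, which assumes the directory returns them in one
    canonical form."""
    users = {first(e, "dn"): e for e in entries if has_class(e, detail["user_object_class"])}
    groups = {first(e, "dn"): e for e in entries if has_class(e, detail["group_object_class"])}
    forward = {(g, m) for g, e in groups.items()
               for m in values(e, detail["group_members_attribute"]) if m in users}
    backward = {(g, u) for u, e in users.items()
                for g in values(e, detail["user_member_of_attribute"]) if g in groups}
    return sorted(forward ^ backward)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for s in create_user_statements(entries, DETAIL, "pam", pam_auth_service="testing.com"):
        print(s)
    for s in create_user_statements(entries, DETAIL, "kerberos", kerberos_realm="TESTING.COM"):
        print(s)
    for s in create_group_statements(entries, DETAIL):
        print(s)
    print("membership mismatches:", membership_mismatches(entries, DETAIL))
```

The membership cross-check is worth running before applying the generated statements: the page maps users to groups through memberOf and groups to users through member, and the two only agree when the directory maintains both links. In Active Directory, memberOf is a back-link computed from member, and a user's primary group is not listed in it at all, so a sync that trusts only one side can silently grant or omit group membership.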