Sync LDAP JWT Users

The Lightweight Directory Access Protocol (LDAP) sync feature of the Operator ensures that LDAP users are synced with SingleStore using the JSON Web Token (JWT) authentication type.

Prerequisites

  • An LDAP server, which provides the directory services. These instructions use the community OpenLDAP Docker container, which can be started with the following command.

    docker run -p 389:389 -p 636:636 --name my-openldap-container --detach osixia/openldap:1.4.0
  • A Kubernetes cluster with the application endpoints exposed, with its services accessible to the LDAP server, and with storage classes available.

  • The associated tools are installed and running, including:

Check Connectivity

  1. Check connectivity to SingleStore.

    singlestore -h 172.26.0.2 -u admin -P 3306 -p<password> -e 'SHOW USERS'
    +-------------+--------+-------------+------------+-----------------------+----------+
    | User        | Type   | Connections | Is deleted | Default resource pool | Is local |
    +-------------+--------+-------------+------------+-----------------------+----------+
    | 'admin'@'%' | Native |           1 |            |                       | SYNC     |
    | 'root'@'%'  | Native |           0 |            |                       | LOCAL    |
    +-------------+--------+-------------+------------+-----------------------+----------+
  2. Check connectivity to the LDAP server.

    ./bin/singlestoredb-toolbox-1.16.0-c63e2fe53f/sdb-admin sync-ldap \
    --uris ldap://localhost \
    --groups engineers \
    --search-base dc=example,dc=org \
    --schema open-ldap \
    --auth-method JWT \
    --show-detail \
    --bind-user cn=admin,dc=example,dc=org \
    --bind-credentials admin \
    --user admin \
    --password mypassword \
    --host 172.26.0.2 -y
    ✔ Successfully prepared the sync
    LDAP users and groups are already synced

Sync an LDAP User

  1. Add a user to the LDAP server.

    ldapadd -x -H ldap://localhost -D "cn=admin,dc=example,dc=org" -w admin -f user.ldif
    adding new entry "uid=peter,dc=example,dc=org"
    cat user.ldif
    dn: uid=peter,dc=example,dc=org
    objectClass: top
    objectClass: account
    objectClass: posixAccount
    objectClass: shadowAccount
    cn: peter
    uid: peter
    uidNumber: 16859
    gidNumber: 100
    homeDirectory: /home/peter
    loginShell: /bin/bash
    gecos: peter
    userPassword: {crypt}x
    shadowLastChange: 0
    shadowMax: 0
    shadowWarning: 0
  2. Create a new group.

    ldapadd -x -H ldap://localhost -D "cn=admin,dc=example,dc=org" -w admin -f group.ldif
    adding new entry "cn=engineers,dc=example,dc=org"
    cat group.ldif
    dn: cn=engineers,dc=example,dc=org
    objectClass: top
    objectClass: posixGroup
    gidNumber: 678
  3. Assign this user to this group.

    ldapmodify -x -H ldap://localhost -D "cn=admin,dc=example,dc=org" -w admin -f add.ldif
    modifying entry "cn=engineers,dc=example,dc=org"
    cat add.ldif
    dn: cn=engineers,dc=example,dc=org
    changetype: modify
    add: memberuid
    memberuid: peter
  4. Add the LDAP user as a JWT user to SingleStore.

    ./bin/singlestoredb-toolbox-1.16.0-c63e2fe53f/sdb-admin sync-ldap \
    --uris ldap://localhost \
    --groups engineers \
    --search-base dc=example,dc=org \
    --schema open-ldap \
    --auth-method JWT \
    --show-detail \
    --bind-user cn=admin,dc=example,dc=org \
    --bind-credentials admin \
    --user admin \
    --password mypassword \
    --host 172.26.0.2 -y
    ✔ Successfully prepared the sync
    Toolbox is about to sync 'engineers' by performing the following actions:
    • Create the following users:
      - peter
    • Create the following groups:
      - engineers
    • Grant the following groups to users:
      - To user 'peter':
        + engineers
        + ldap_users_internal_group
    
    Would you like to continue? [Y/n]:
    Automatically selected yes, non-interactive mode enabled
    
    Toolbox synced 'engineers' with the following results:
    • Created 1 user out of 1
    • Created 1 group out of 1
    • Granted 2 groups out of 2
  5. Confirm that the LDAP user is now reflected as a JWT user in SingleStore.

    singlestore -h 172.26.0.2 -u admin -P 3306 -pmypassword -e 'SHOW USERS'
    +-------------+--------+-------------+------------+-----------------------+----------+
    | User        | Type   | Connections | Is deleted | Default resource pool | Is local |
    +-------------+--------+-------------+------------+-----------------------+----------+
    | 'admin'@'%' | Native |           1 |            |                       | SYNC     |
    | 'peter'@'%' | JWT    |           0 |            |                       | SYNC     |
    | 'root'@'%'  | Native |           0 |            |                       | LOCAL    |
    +-------------+--------+-------------+------------+-----------------------+----------+
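As an added example that is not part of this page or of the SingleStore toolbox, the following Python script automates the confirmation in step 5: it reads the memberUid values of the posixGroup LDIF and checks the SHOW USERS output, flagging group members that are missing, not of JWT type, or not marked SYNC. The sample LDIF and table are constructed; 'alice' is included as a deliberate mismatch.

```python
"""Verify that every memberUid of an LDAP posixGroup shows up in SingleStore's
SHOW USERS output as a JWT user marked SYNC (the state the sync should produce)."""
import re

# Constructed samples modelled on the page's group.ldif (plus add.ldif's memberUid)
# and on the SHOW USERS table; 'alice' is a deliberate mismatch (local Native user).
GROUP_LDIF = """\
dn: cn=engineers,dc=example,dc=org
objectClass: top
objectClass: posixGroup
gidNumber: 678
memberUid: peter
memberUid: alice
"""
SHOW_USERS = """\
+-------------+--------+-------------+------------+-----------------------+----------+
| User        | Type   | Connections | Is deleted | Default resource pool | Is local |
+-------------+--------+-------------+------------+-----------------------+----------+
| 'admin'@'%' | Native |           1 |            |                       | SYNC     |
| 'peter'@'%' | JWT    |           0 |            |                       | SYNC     |
| 'alice'@'%' | Native |           0 |            |                       | LOCAL    |
| 'root'@'%'  | Native |           0 |            |                       | LOCAL    |
+-------------+--------+-------------+------------+-----------------------+----------+
"""

def ldif_member_uids(ldif):
    """memberUid values of the entry; LDIF attribute names are case-insensitive."""
    return [m.group(1).strip() for m in re.finditer(r"(?im)^memberuid:\s*(.+)$", ldif)]

def parse_show_users(table):
    """Map user name -> (Type, Is local) from the ASCII table of SHOW USERS."""
    users = {}
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        m = re.match(r"'([^']+)'@", cells[0])  # border and header rows do not match
        if m:
            users[m.group(1)] = (cells[1], cells[5])
    return users

def check_sync(ldif, table):
    """Return {uid: problem} for group members that are not synced as JWT users."""
    users = parse_show_users(table)
    problems = {}
    for uid in ldif_member_uids(ldif):
        if uid not in users:
            problems[uid] = "missing from SHOW USERS"
        elif users[uid][0] != "JWT":
            problems[uid] = f"type is {users[uid][0]}, expected JWT"
        elif users[uid][1] != "SYNC":
            problems[uid] = "not marked SYNC"
    return problems
```

Run it against the real group.ldif and the captured SHOW USERS output after each sync; an empty result means every group member is present as a synced JWT user.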

Last modified: October 24, 2023
