Using the LDAP Tool
To periodically sync LDAP directory users and groups with SingleStore, run the LDAP tool using common Linux scheduling tools, such as by creating a cron job. Run sdb-admin sync-ldap on the Linux command line, either specifying the required options directly or using a YAML configuration file.
Prerequisites
The SingleStore user who runs this tool must be authorized to obtain user and group information from the LDAP directory server.
- A user can connect to the cluster using the user and password parameters.
- If a user or password is not specified, Toolbox assumes the database "root" user and uses a secure, hashed password. If a non-root user is specified and a password is not set, Toolbox prompts for a password; an error is thrown if using the LDAP tool in non-interactive mode.
- To keep your SingleStore user password secure, set the MEMSQL_PASSWORD environment variable in the Linux shell.
Required Configuration Parameters
If you choose to run the sdb-admin sync-ldap command manually without a configuration file, you must specify the following command-line options.
--auth-method - Authentication method used to authenticate new SingleStore users that are created from the LDAP sync. --kerberos-realm must only be used with the Kerberos authentication method, whereas --saml-user-domain-attribute only applies to SAML authentication.
--bind-credentials string - Credentials of the LDAP bind user to authenticate. These can also be provided through the LDAP_ environment variable in the Linux shell.
--bind-user string - DN/username of the LDAP bind user to authenticate. For example, cn=admin,dc=example,dc=org.
--groups string - Name(s) of the user group(s) to sync. For example, Medical,Engineering.
--schema - LDAP schema that specifies the structure of user and group entries. Valid values are active-directory, open-ldap, and unspecified.
--search-base string - LDAP Base DN that specifies the base of the subtree to which the search is constrained. For example, dc=example,dc=org.
--uris string - URI(s) of the LDAP directory server(s). For example, ldap://172..
In addition to the options listed above, the sdb-admin sync-ldap command supports several optional flags.
Using YAML Configuration File
As an alternative to specifying options on the command line, you can use a YAML configuration file and pass it to the sdb-admin sync-ldap command using the --config-file option. The file nests related options under sections such as ldap_ (the LDAP client settings) and bind.
drop_unmanaged_memsql_users: true # --drop-unmanaged-memsql-users
groups:
- Medical # --groups Medical
schema: active-directory # --schema active-directory
show_detail: true # --show-detail
ldap_client: # ldap_client is the config of the LDAP client
  uris:
  - ldap://52.59.219.12 # --uris ldap://52.59.219.12
  start_tls: true # --start-tls
  ca_paths: ["../ldap-sync-config.yaml"] # --ca-paths "../ldap-sync-config.yaml"
  bind: # bind specifies how to bind to the LDAP server
    user: CN=Some User,CN=Users,DC=memsql,DC=ldap,DC=testing # --bind-user "CN=Some User,CN=Users,DC=memsql,DC=ldap,DC=testing"
    credentials: password # --bind-credentials password
  search: # search specifies the ldapsearch details
    base: dc=memsql,dc=ldap,dc=testing # --search-base "dc=memsql,dc=ldap,dc=testing"
    filter: (&(objectClass=*)) # --query-filter "(&(objectClass=*))"
    detail: # detail specifies the structure of the user and group ldap entries
      user_object_class: user # --user-object-class user
      group_object_class: group # --group-object-class group
      user_attribute: sAMAccountName # --user-attribute sAMAccountName
      group_attribute: sAMAccountName # --group-attribute sAMAccountName
      user_member_of_attribute: memberOf # --user-member-of-attribute memberOf
      group_members_attribute: member # --group-members-attribute member
      user_principal_name_attribute: userPrincipalName # --user-principal-name-attribute userPrincipalName
sql_user: # sql_user specifies how new SQL users are created
  resource_pool: "pool" # --resource-pool pool
  failed_login_attempts_limit: 1 # --failed-login-attempts-limit 1
  password_lock_time: 10 # --password-lock-time 10
  auth_method: kerberos # --auth-method kerberos
  pam_auth_service: "" # --pam-auth-service ""
  kerberos_realm: "example.org" # --kerberos-realm "example.org"
sql_client: # sql_client specifies user and password to the SQL user which runs SQL commands
  user: root
  password: null
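The following is an added example, not SingleStore's code: it maps a parsed sync-ldap YAML configuration to the equivalent sdb-admin sync-ldap flags using the flag-to-key mapping from the comments in the sample file above, reports which of the seven required options are missing, and flags a client section that would send the bind credentials over a plain ldap:// connection. The EXAMPLE_CONFIG dict is constructed to mirror a minimal configuration (what yaml.safe_load would return for such a file); the checks and their messages are this example's own, not the tool's.

```python
"""Added example (not SingleStore's code): sync-ldap config -> flags, with
required-option and LDAP client checks."""

# Dotted config key -> command-line flag, from the sample file's comments.
FLAG_MAP = {
    "drop_unmanaged_memsql_users": "--drop-unmanaged-memsql-users",
    "groups": "--groups",
    "schema": "--schema",
    "show_detail": "--show-detail",
    "ldap_client.uris": "--uris",
    "ldap_client.start_tls": "--start-tls",
    "ldap_client.ca_paths": "--ca-paths",
    "ldap_client.bind.user": "--bind-user",
    "ldap_client.bind.credentials": "--bind-credentials",
    "ldap_client.search.base": "--search-base",
    "ldap_client.search.filter": "--query-filter",
    "ldap_client.search.detail.user_object_class": "--user-object-class",
    "ldap_client.search.detail.group_object_class": "--group-object-class",
    "ldap_client.search.detail.user_attribute": "--user-attribute",
    "ldap_client.search.detail.group_attribute": "--group-attribute",
    "ldap_client.search.detail.user_member_of_attribute": "--user-member-of-attribute",
    "ldap_client.search.detail.group_members_attribute": "--group-members-attribute",
    "ldap_client.search.detail.user_principal_name_attribute": "--user-principal-name-attribute",
    "sql_user.resource_pool": "--resource-pool",
    "sql_user.failed_login_attempts_limit": "--failed-login-attempts-limit",
    "sql_user.password_lock_time": "--password-lock-time",
    "sql_user.auth_method": "--auth-method",
    "sql_user.pam_auth_service": "--pam-auth-service",
    "sql_user.kerberos_realm": "--kerberos-realm",
}

# The options the page lists as mandatory when no config file is used.
REQUIRED_FLAGS = ("--auth-method", "--bind-credentials", "--bind-user",
                  "--groups", "--schema", "--search-base", "--uris")

# Constructed minimal configuration (what yaml.safe_load would return).
EXAMPLE_CONFIG = {
    "groups": ["Medical"],
    "schema": "active-directory",
    "ldap_client": {
        "uris": ["ldap://52.59.219.12"],
        "start_tls": False,
        "ca_paths": [],
        "bind": {"user": "CN=Some User,CN=Users,DC=memsql,DC=ldap,DC=testing",
                 "credentials": "password"},
        "search": {"base": "dc=memsql,dc=ldap,dc=testing",
                   "filter": "(&(objectClass=*))"},
    },
    "sql_user": {"auth_method": "kerberos", "kerberos_realm": "example.org"},
    "sql_client": {"user": "root", "password": None},
}


def lookup(cfg, dotted):
    """Follow a dotted path through nested dicts; None if any part is absent."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def to_cli_args(cfg):
    """Flags equivalent to cfg. Unset/default values (null, "", [], 0, false)
    produce no flag, booleans become bare switches, and lists are
    comma-joined to match the --groups Medical,Engineering form."""
    args = []
    for path, flag in FLAG_MAP.items():
        value = lookup(cfg, path)
        if value in (None, "", [], 0, False):
            continue
        if isinstance(value, bool):
            args.append(flag)
            continue
        if isinstance(value, list):
            value = ",".join(str(v) for v in value)
        args.extend([flag, str(value)])
    return args


def missing_required(cfg):
    """Required flags for which the config supplies no value."""
    present = {a for a in to_cli_args(cfg) if a.startswith("--")}
    return [f for f in REQUIRED_FLAGS if f not in present]


def client_warnings(cfg):
    """Checks on the LDAP client section (this example's own, not the tool's)."""
    warnings = []
    uris = lookup(cfg, "ldap_client.uris") or []
    start_tls = bool(lookup(cfg, "ldap_client.start_tls"))
    if any(u.startswith("ldap://") for u in uris) and not start_tls:
        warnings.append("ldap:// URI without start_tls: bind credentials "
                        "would cross the network in clear text")
    if start_tls and not lookup(cfg, "ldap_client.ca_paths"):
        warnings.append("start_tls without ca_paths: confirm the server "
                        "certificate chains to a CA the host trusts")
    return warnings


if __name__ == "__main__":
    print(" ".join(to_cli_args(EXAMPLE_CONFIG)))
    print("missing:", missing_required(EXAMPLE_CONFIG))
    print("warnings:", client_warnings(EXAMPLE_CONFIG))
```

Run it before scheduling the sync: an empty missing_required list means the file would pass the same required-option check as the command line, and the warnings list points at the start_tls and ca_paths settings discussed in this section.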
Example 1
The following example covers all of the required options for the sdb-admin sync-ldap command.
sdb-admin sync-ldap \
  --uris ldap://52.59.219.12 \
  --groups Medical \
  --search-base dc=memsql,dc=ldap,dc=testing \
  --auth-method kerberos \
  --schema active-directory \
  --bind-user "CN=Some User,CN=Users,DC=memsql,DC=ldap,DC=testing" \
  --bind-credentials password
The following YAML-based configuration file is equivalent to the example with mandatory command-line options.
drop_unmanaged_memsql_users: false
groups:
- Medical
schema: active-directory
show_detail: false
ldap_client:
  uris:
  - ldap://52.59.219.12
  start_tls: false
  ca_paths: []
  bind:
    user: CN=Some User,CN=Users,DC=memsql,DC=ldap,DC=testing
    credentials: password
  search:
    base: dc=memsql,dc=ldap,dc=testing
    filter: (&(objectClass=*))
    detail:
      user_object_class: user
      group_object_class: group
      user_attribute: sAMAccountName
      group_attribute: sAMAccountName
      user_member_of_attribute: memberOf
      group_members_attribute: member
      user_principal_name_attribute: userPrincipalName
sql_user:
  resource_pool: ""
  failed_login_attempts_limit: 0
  password_lock_time: 0
  auth_method: kerberos
  pam_auth_service: ""
  kerberos_realm: ""
sql_client:
  user: root
  password: null
Note the additional fields that may also be specified in the configuration file, such as the ca_ field and the detail struct.
For custom LDAP implementations, use either the detail struct in the config file or the appropriate options on the command line. The detail struct describes the structure of an LDAP entry. For the supported schemas, the schema field or the --schema option defines the required details; use the detail struct if the required schema is unsupported.
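The following is an added example, not SingleStore's code, showing what the six fields of the detail struct mean in practice: it resolves group membership from LDIF text for a posixAccount/posixGroup directory (members listed by name in memberUid on the group, no memberOf attribute on the user, so user_member_of_attribute is empty) and for the Active Directory defaults (member DNs on the group, memberOf on the user). The LDIF reader, the sample entries and the user names in them are constructed for this example; matching is exact-string on DNs and names, which a real directory relaxes (case-insensitive DNs, base64 ':: ' values), so treat it as an illustration of the mapping rather than a replacement for the tool's search.

```python
"""Added example (not SingleStore's code): apply detail-struct fields to LDIF
entries to list the users that belong to each synced group."""
from collections import defaultdict

# Constructed posix directory: two users, one group containing only adam.
POSIX_LDIF = """
# adam, example.org
dn: uid=adam,dc=example,dc=org
objectClass: posixAccount
uid: adam

# bob, example.org
dn: uid=bob,dc=example,dc=org
objectClass: posixAccount
uid: bob

# dbagrp, example.org
dn: cn=dbagrp,dc=example,dc=org
objectClass: posixGroup
cn: dbagrp
memberUid: adam
"""
POSIX_DETAIL = {
    "user_object_class": "posixAccount", "group_object_class": "posixGroup",
    "user_attribute": "uid", "group_attribute": "cn",
    "user_member_of_attribute": "", "group_members_attribute": "memberUid",
    "user_principal_name_attribute": "",
}

# Constructed Active Directory entries using the active-directory defaults.
AD_LDIF = """
dn: CN=Some User,CN=Users,DC=memsql,DC=ldap,DC=testing
objectClass: user
sAMAccountName: someuser
memberOf: CN=Medical,CN=Users,DC=memsql,DC=ldap,DC=testing

dn: CN=Other User,CN=Users,DC=memsql,DC=ldap,DC=testing
objectClass: user
sAMAccountName: otheruser

dn: CN=Medical,CN=Users,DC=memsql,DC=ldap,DC=testing
objectClass: group
sAMAccountName: Medical
member: CN=Some User,CN=Users,DC=memsql,DC=ldap,DC=testing
"""
AD_DETAIL = {
    "user_object_class": "user", "group_object_class": "group",
    "user_attribute": "sAMAccountName", "group_attribute": "sAMAccountName",
    "user_member_of_attribute": "memberOf", "group_members_attribute": "member",
    "user_principal_name_attribute": "userPrincipalName",
}


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, '#' comments
    skipped, repeated attributes collected as lists (no '::' base64 values)."""
    entries, current = [], defaultdict(list)
    for raw in text.splitlines() + [""]:
        line = raw.rstrip()
        if line.startswith("#"):
            continue
        if not line:
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        key, _, value = line.partition(":")
        current[key.strip()].append(value.strip())
    return entries


def has_class(entry, object_class):
    return object_class.lower() in (c.lower() for c in entry.get("objectClass", []))


def first(entry, attr):
    return entry.get(attr, [None])[0]


def members_of_group(entries, detail, group_name):
    """Names (detail['user_attribute']) of users in the group whose
    detail['group_attribute'] equals group_name; empty set if no such group."""
    users = [e for e in entries if has_class(e, detail["user_object_class"])]
    groups = [e for e in entries if has_class(e, detail["group_object_class"])
              and first(e, detail["group_attribute"]) == group_name]
    if not groups:
        return set()
    group = groups[0]
    group_dn = first(group, "dn")
    members_attr = detail["group_members_attribute"]
    listed = group.get(members_attr, []) if members_attr else []
    member_of_attr = detail["user_member_of_attribute"]
    result = set()
    for user in users:
        name = first(user, detail["user_attribute"])
        if name is None:
            continue
        # Group-side listing: values are member DNs (AD member) or bare
        # names (posix memberUid), so accept either form.
        if first(user, "dn") in listed or name in listed:
            result.add(name)
        # User-side listing (AD memberOf holds group DNs); an empty attribute
        # name, as in the posix detail struct, disables this path.
        elif member_of_attr and group_dn in user.get(member_of_attr, []):
            result.add(name)
    return result


def users_to_sync(entries, detail, group_names):
    """Sorted union of members across the groups named in --groups."""
    names = set()
    for group_name in group_names:
        names |= members_of_group(entries, detail, group_name)
    return sorted(names)
```

With the posix detail struct, membership can only come from the group's memberUid values, which is why an empty user_member_of_attribute is correct there; with the AD defaults either side of the relationship is enough.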
For example, given an LDAP user entry:
# adam, example.org
dn: uid=adam,dc=example,dc=org
objectClass: posixAccount
uid: adam
and an LDAP group entry:
# dbagrp, example.org
dn: cn=dbagrp,dc=example,dc=org
objectClass: posixGroup
cn: dbagrp
memberUid: user
the corresponding detail struct is:
ldap_client:
  search:
    detail:
      user_object_class: posixAccount
      group_object_class: posixGroup
      user_attribute: uid
      group_attribute: cn
      user_member_of_attribute: ""
      group_members_attribute: memberUid
      user_principal_name_attribute: ""
Example 2
You can configure a cron job to sync Active Directory (AD) users and groups with SingleStore every 5 minutes. The command run by the cron job would resemble the following.
sdb-admin sync-users \
  --ldap-uri "ldap://www.Company1.com:389" \
  --ldap-search-base "ou=Engineers,dc=Company1,dc=com" \
  --ldap-bind-method "Simple" \
  --ldap-bind-user john.smith \
  --ldap-bind-credentials "qkwhe123jk23jhe" \
  --ldap-result-attribute "samAccountName" \
  --ldap-user-groups "DentalCSR,MedicalCSR" \
  --ldap-start-tls \
  --ldap-version 3 \
  --failed-login-attempts 3 \
  --password-lock-time 300 \
  --authentication-method "PAM" \
  --authentication-service "pam_service" \
  --user "root" \
  --password <password>
In the above example, users and groups in the DentalCSR and MedicalCSR AD user groups are synced from the LDAP server, which is identified by the LDAP server connection string (specified by --ldap-uri). The SingleStore user name is taken from the samAccountName result attribute (for more information, refer to Processing LDAP Search Results).
With these options, each synced user is created with a statement equivalent to the following:
CREATE USER user@% IDENTIFIED WITH authentication_pam AS 'pam_service'
WITH FAILED_LOGIN_ATTEMPTS = 3 PASSWORD_LOCK_TIME = 300;
Last modified: April 26, 2023