Processing LDAP Search Results
General
The processing of LDAP search results involves obtaining the required user and group information from LDAP and mapping it with SingleStoreDB users and groups.
detail: # detail specifies the structure of the user and group LDAP entries
  user_object_class: user # --user-object-class user
  group_object_class: group # --group-object-class group
  user_attribute: sAMAccountName # --user-attribute sAMAccountName
  group_attribute: sAMAccountName # --group-attribute sAMAccountName
  user_member_of_attribute: memberOf # --user-member-of-attribute memberOf
  group_members_attribute: member # --group-members-attribute member
  user_principal_name_attribute: userPrincipalName # --user-principal-name-attribute userPrincipalName
Note that only users and groups are taken into account.
Users
Here is a part of a sample LDAP user entry with details on processing the user entry.
# peter pan, Users, memsql.ldap.testing
dn: CN=peter pan,CN=Users,DC=memsql,DC=ldap,DC=testing
objectClass: user # --user-object-class user is used to distinguish user entries from all the other entries
memberOf: CN=employees,DC=memsql,DC=ldap,DC=testing # --user-member-of-attribute memberOf is used to map the user to their groups
sAMAccountName: pan # --user-attribute sAMAccountName is used as the name for the SQL user
userPrincipalName: pan@memsql.ldap.testing # --user-principal-name-attribute userPrincipalName is used as the SPN for Kerberos authentication
Each of these attribute keys may be overridden with an equivalent attribute name, in which case that attribute is used instead. For example, cn can be used instead of sAMAccountName for the SQL username.
Here are some examples of CREATE USER queries that depend on the described options.
In CREATE USER 'Peter' IDENTIFIED WITH 'authentication_pam' AS 'testing.com':
- Peter is the value of --user-attribute
- authentication_pam is selected by --auth-method pam
- testing.com is the value of --pam-auth-service
In CREATE USER u IDENTIFIED WITH 'authentication_gss' AS 'u@testing.com':
- u is the value of --user-attribute
- authentication_gss is selected by --auth-method kerberos
- u@testing.com is either the value of the attribute selected by --user-principal-name-attribute, or u is the --user-attribute value and testing.com is the value of --kerberos-realm, which overrides the first option
Groups
Here is a part of a sample LDAP group entry with details on processing it.
# employees, memsql.ldap.testing
dn: CN=employees,DC=memsql,DC=ldap,DC=testing
objectClass: group # --group-object-class group is used to distinguish group entries from all the other entries
member: CN=peter pan,CN=Users,DC=memsql,DC=ldap,DC=testing # --group-members-attribute member is used to map the group to its users
sAMAccountName: employees # --group-attribute sAMAccountName is used as the name for the SQL group
In CREATE GROUP 'employees', the group name is taken from the --group-attribute value.
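The user and group processing described above, as an added example that is not SingleStore's own code: it applies the `detail` options to LDAP entries already parsed into dictionaries (constructed here from the page's samples, no directory connection) and derives the SQL names, group memberships and CREATE statements, including the --kerberos-realm override of the userPrincipalName value.

```python
# Added example (not SingleStore's code): apply the `detail` options from the page
# to parsed LDAP entries (constructed from the page's samples) and derive SQL names.
DETAIL = {
    "user_object_class": "user", "group_object_class": "group",
    "user_attribute": "sAMAccountName", "group_attribute": "sAMAccountName",
    "user_member_of_attribute": "memberOf", "group_members_attribute": "member",
    "user_principal_name_attribute": "userPrincipalName",
}
ENTRIES = [  # constructed: the page's user and group entries, plus one of another class
    {"dn": "CN=peter pan,CN=Users,DC=memsql,DC=ldap,DC=testing", "objectClass": ["user"],
     "memberOf": ["CN=employees,DC=memsql,DC=ldap,DC=testing"],
     "sAMAccountName": ["pan"], "userPrincipalName": ["pan@memsql.ldap.testing"]},
    {"dn": "CN=employees,DC=memsql,DC=ldap,DC=testing", "objectClass": ["group"],
     "member": ["CN=peter pan,CN=Users,DC=memsql,DC=ldap,DC=testing"],
     "sAMAccountName": ["employees"]},
    {"dn": "CN=Computers,DC=memsql,DC=ldap,DC=testing", "objectClass": ["container"]},
]

def first(entry, attr):
    """First value of a multi-valued LDAP attribute, or None if absent."""
    return (entry.get(attr) or [None])[0]

def by_class(entries, cls):
    """Entries whose objectClass contains cls, keyed by DN; other entries are ignored."""
    return {e["dn"]: e for e in entries if cls in e.get("objectClass", [])}

def memberships(entries, d=DETAIL):
    """User -> sorted groups, from --user-member-of-attribute and --group-members-attribute."""
    users = by_class(entries, d["user_object_class"])
    groups = by_class(entries, d["group_object_class"])
    result = {first(u, d["user_attribute"]): set() for u in users.values()}
    for u in users.values():
        for gdn in u.get(d["user_member_of_attribute"], []):
            if gdn in groups:
                result[first(u, d["user_attribute"])].add(first(groups[gdn], d["group_attribute"]))
    for g in groups.values():
        for udn in g.get(d["group_members_attribute"], []):
            if udn in users:
                result[first(users[udn], d["user_attribute"])].add(first(g, d["group_attribute"]))
    return {name: sorted(gs) for name, gs in result.items()}

def create_user(entry, auth_method, pam_service=None, kerberos_realm=None, d=DETAIL):
    """CREATE USER for one user entry. With --auth-method kerberos, a configured
    --kerberos-realm overrides the --user-principal-name-attribute value."""
    name = first(entry, d["user_attribute"])
    if auth_method == "pam":
        return f"CREATE USER '{name}' IDENTIFIED WITH 'authentication_pam' AS '{pam_service}'"
    upn = f"{name}@{kerberos_realm}" if kerberos_realm else first(entry, d["user_principal_name_attribute"])
    return f"CREATE USER '{name}' IDENTIFIED WITH 'authentication_gss' AS '{upn}'"

def create_group(entry, d=DETAIL):
    return f"CREATE GROUP '{first(entry, d['group_attribute'])}'"
```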
Last modified: June 22, 2022