sync-ldap
On this page
Description
Sync LDAP users and groups.
The --password
flag is optional and specifies the SingleStore root
password.--user
flag to specify a SingleStore user that is different from the root
user and the user’s password.MEMSQL_
environment variable is a safer alternative option for setting the password.
Wrap the password string in single quotes (') to avoid having the shell try to interpret any special characters included in the string.
This command may be run by either:
-
Specifying the required flags on the command line (
--groups
,--uris
,--schema
,--auth-method
,--search-base.
). . -
Providing a configuration file with the
--config-file
flag
Below is example of syncing users and groups from Active Directory (AD) using flags on the command line:
sdb-admin sync-ldap--uris ldap://52.59.219.12--groups Medical--search-base dc=memsql,dc=ldap,dc=testing--auth-method kerberos--schema active-directory--bind-user "CN=Some User,CN=Users,DC=memsql,DC=ldap,DC=testing"--bind-credentials password--exclude-ldap-users jsmith
The following YAML-based configuration file is equivalent to the example above.
drop_unmanaged_memsql_users: falsegroups:- Medicalexclude_users:- jsmithschema: active-directoryshow_detail: falseldap_client:uris:- ldap://52.59.219.12start_tls: falseca_paths: []bind:user: CN=Some User,CN=Users,DC=memsql,DC=ldap,DC=testingcredentials: passwordsearch:base: dc=memsql,dc=ldap,dc=testingfilter: (&(objectClass=*))detail:user_object_class: usergroup_object_class: groupuser_attribute: sAMAccountNamegroup_attribute: sAMAccountNameuser_member_of_attribute: memberOfgroup_members_attribute: memberuser_principal_name_attribute: userPrincipalNamesql_user:resource_pool: ""failed_login_attempts_limit: 0password_lock_time: 0auth_method: kerberospam_auth_service: ""kerberos_realm: ""sql_client:user: rootpassword: null
Note that there are a number of additional fields that may be specified in the config file, such as ca_
and the detail
struct.
For custom LDAP implementations, use either the detail
struct in the config file or the appropriate flags on the command line.detail
struct describes the structure of an LDAP entry.schema
field or the --schema
flag can be used to define the required details.
For example, given an LDAP user entry:
# adam, example.org
dn: uid=adam,dc=example,dc=org
objectClass: posixAccount
uid: adam
.
# dbagrp, example.org
dn: cn=dbagrp,dc=example,dc=org
objectClass: posixGroup
cn: dbagrp
memberUid: user
.
ldap_client:search:filter: (|(objectClass=posixAccount)(objectClass=posixGroup))detail:user_object_class: posixAccountgroup_object_class: posixGroupuser_attribute: uidgroup_attribute: cnuser_member_of_attribute: ""group_members_attribute: memberUiduser_principal_name_attribute: ""
For better readability, the filter criteria can be written over multiple lines, where a new line starts with a left parenthesis and the line break comes after a right parenthesis.
ldap_client:
search:
filter:
(|(objectClass=posixAccount)
(objectClass=posixGroup))
Should you need to sync with several LDAP servers, you can specify all of them in the configuration file.
ldap_client:- uris:- ldap://52.59.219.12start_tls: falsesearch:base: dc=memsql,dc=ldap,dc=testingdetail:user_member_of_attribute: memberOf- uris:- ldap://50.124.12.7start_tls: falsesearch:base: dc=memsql,dc=ldap,dc=testingdetail:user_member_of_attribute: groupmembership
Currently supported schemas include unspecified, active-directory, open-ldap.detail
struct if the required schema is unsupported.
All users created with this command are members of the group ldap_
.
LDAP bind credentials may be indicated using the LDAP_
environment variable.
Groups
As of Toolbox 1.
Parameter |
Type / Values |
Description |
|
String |
Resource pool name for new SingleStore users |
|
Integer |
Maximum failed login attempts for new SingleStore users |
|
Integer |
Failed login lockout time, in seconds, for new SingleStore users |
|
|
Authentication method for new SingleStore users |
|
String |
Service name for PAM |
|
String |
Service principal name domain for Kerberos |
|
|
Enable the |
If a group has at least one parameter specified, and if an LDAP user belongs to this group, the corresponding SQL user is created with the parameters assigned to the group.
If a parameter's value is not explicitly specified, its default value is used.sql_
section of the YAML file are used.
Command Line
sdb-admin sync-ldap \--uris ldap://52.59.219.12 \--groups Medical,Engineering[auth-method=jwt,resource_pool=engineering] \--search-base dc=memsql,dc=ldap,dc=testing \--auth-method kerberos \--schema active-directory \--bind-user "CN=Some User,CN=Users,DC=memsql,DC=ldap,DC=testing" \--bind-credentials password \--exclude-ldap-users jsmith
YAML File
drop_unmanaged_memsql_users: falsegroups:- Medical- Enineering:resource_pool: "engineering"auth_method: jwtexclude_users:- jsmithschema: active-directoryshow_detail: falseldap_client:uris:- ldap://52.59.219.12start_tls: falseca_paths: []bind:user: CN=Some User,CN=Users,DC=memsql,DC=ldap,DC=testingcredentials: passwordsearch:base: dc=memsql,dc=ldap,dc=testingfilter: (&(objectClass=*))detail:user_object_class: usergroup_object_class: groupuser_attribute: sAMAccountNamegroup_attribute: sAMAccountNameuser_member_of_attribute: memberOfgroup_members_attribute: memberuser_principal_name_attribute: userPrincipalNamesql_user:resource_pool: ""failed_login_attempts_limit: 0password_lock_time: 0auth_method: kerberospam_auth_service: ""kerberos_realm: ""sql_client:user: rootpassword: null
Behavior when Deleting Database Users
The sdb-admin sync-ldap
command (or, more simply, sync-ldap
) creates a SingleStore database user for every LDAP user added to Active Directory (AD), and assigns the database user to an internal database group to distinguish it from “local” database users (those database users that were not created via sync-ldap
).
The default behavior of sync-ldap
is to delete the matching database users when LDAP users are deleted from AD, but only if the database users were created via sync-ldap
.sync-ldap
.
SHOW USERS FOR GROUP 'your_ldap_database_users_internal_group';
However, if the --drop-unmanaged-memsql-users
flag is included, for those database users that are not present in AD, both the matching database users that were created via sync-ldap
and the matching "local" database users will be deleted.
Usage
Usage:
sdb-admin sync-ldap [flags]
For flags that can accept multiple values (indicated by VALUES after the name of the flag),
separate each value with a comma.
Flags:
--auth-method {kerberos, pam, saml, jwt} Authentication method for new SingleStore users.
This value will be used if a user's group does not have any additional configs specified explicitly for the group with the
--groups option (default unspecified)
--bind-credentials string Credentials of the LDAP user
--bind-user string The user name DN to log into LDAP (e.g. cn=admin,dc=example,dc=org)
--ca-paths FILE_PATHS The path(s) to the TLS root CA file. The default root certificate(s) will be used if no value(s) are provided
--config-file FILE_PATH The path to the configuration file (e.g. ../ldap-sync-config.yaml)
--dial-with-tls-config Dial with TLS config
--drop-unmanaged-memsql-users Drop users created in SingleStore but no longer found in LDAP
--exclude-ldap-users strings LDAP user name(s) to exclude from syncing, separated by commas (e.g. jdoe,jsmith)
--exclude-ldap-users-file FILE_PATH The filename, including path, that contains the LDAP usernames to exclude from syncing, one per line (e.g. ../exclude-ldap-users.txt)
--exclude-ldap-users-to-lower strings LDAP username(s) to exclude from syncing to lowercase, separated by commas (e.g. JDoe,JSmith)
--failed-login-attempts-limit POSITIVE_INTEGER Maximum failed login attempts for new SingleStore users.
This value will be used if a user's group does not have any additional configs specified explicitly for the group with the --groups option
--group-attribute string The field name for an LDAP group name (ADVANCED)
--group-members-attribute string The field name for an LDAP group's users (ADVANCED)
--group-object-class string The objectClass name to match against an LDAP group (ADVANCED)
--groups strings User group name(s) to sync, separated by commas. Only the groups listed may be granted or revoked (e.g. Medical,Engineering)
--groups GROUPS User group name(s) to sync, separated by commas. Additional config options (e.g., resource-pool, auth-method) can be provided in square brackets.
(e.g. Medical[resource-pool=high-performance,auth-method=PAM],Engineering)
-h, --help Help for sync-ldap
--host string The cluster-addressable hostname for the node
--insecure-skip-verify Disable TLS certificate verification (may be used with self-signed certificates for testing purposes)
--kerberos-realm string Service principal name domain for Kerberos (ADVANCED)
--ldap-users-to-lower Sync LDAP usernames to lowercase SQL usernames
--pam-auth-service string Service name for PAM. This value will be used if a user's group does not have additional configs specified explicitly for
the group with the --groups option
--password string SQL password for connecting to SingleStore
--password-lock-time POSITIVE_INTEGER Failed login lockout time in seconds for new SingleStore users.
This value will be used if a user's group does not have any additional configs specified explicitly for the group with the --groups option
--port PORT The cluster-addressable port for the node
--query-filter string LDAP filter to narrow search results
--require-ssl REQUIRE SSL Enable the REQUIRE SSL for the synced users.
This value will be used if a user's group does not have any additional configs specified explicitly for the group with the --groups option
--resource-pool string Resource pool name for new SingleStore users.
This value will be used if a user's group does not have any additional configs specified explicitly for the group with the --groups option
--saml-user-domain-attribute string The field name for an LDAP user's SAML domain suffix. Only applies to the SAML authentication method (ADVANCED)
--schema {unspecified, active-directory, open-ldap} LDAP schema which defines the structure of user and group entries (default unspecified)
--search-base string Search base path for the LDAP search object (e.g. dc=example,dc=org)
--show-detail Show syncing details on users and groups
--ssl Allow the SQL user to connect to SingleStore via SSL
--ssl-ca FILE_PATH The path to the CA file to use when the SQL user connects to SingleStore via SSL. If this option is not specified, the default CA file will be used
--start-tls Issue StartTLS (Transport Layer Security) extended operation
--uris strings URI(s) of the LDAP server(s), separated by commas (e.g. ldap://172.17.0.2)
--user string SQL user for connecting to SingleStore (default "root")
--user-attribute string The field name for an LDAP username (ADVANCED)
--user-member-of-attribute string The field name for an LDAP user's groups (ADVANCED)
--user-object-class string The objectClass name to match against an LDAP user (ADVANCED)
--user-principal-name-attribute string The field name for an LDAP user's Kerberos/SAML principal name. Only applies to Kerberos and SAML authentication methods (ADVANCED)
Global Flags:
--backup-cache FILE_PATH File path for the backup cache
--cache-file FILE_PATH File path for the Toolbox node cache
-c, --config FILE_PATH File path for the Toolbox configuration
--disable-colors Disable color output in console, which some terminal sessions/environments may have difficulty with
--disable-spinner Disable the progress spinner, which some terminal sessions/environments may have issues with
-j, --json Enable JSON output
--parallelism POSITIVE_INTEGER Maximum number of operations to run in parallel
--runtime-dir DIRECTORY_PATH Where to store Toolbox runtime data
--ssh-control-persist SECONDS Enable SSH ControlPersist and set it to the specified duration in seconds
--ssh-max-sessions POSITIVE_INTEGER Maximum number of SSH sessions to open per host, must be at least 3
--ssh-strict-host-key-checking Enable strict host key checking for SSH connections
--ssh-user-known-hosts-file FILE_PATH Path to the user known_hosts file for SSH connections. If not set, /dev/null will be used
--state-file FILE_PATH Toolbox state file path
-v, --verbosity count Increase logging verbosity: valid values are 1, 2, 3. Usage -v=count or --verbosity=count
-y, --yes Enable non-interactive mode and assume the user would like to move forward with the proposed actions by default
--config-file option
The --config-file option is an alternative to the command line arguments approach providing configuration for the sdb-admin sync-ldap
command.
If you run the sdb-admin sync-ldap --config-file path/to/config
command, you should provide a valid configuration file in your YAML.
drop_unmanaged_memsql_users: true|false // Drop users created in SingleStore but no longer found in LDAP, by default is false
groups: <list of strings> // User group name(s) to sync. Only the groups listed may be granted or revoked
exclude_users: <list of strings> // DAP user name(s) to exclude from syncing
schema: unspecified|active-directory|open-ldap // LDAP schema which defines the structure of user and group entries
show_detail: true|false // Show syncing details on users and groups
ldap_users_to_lower: true|false // Sync LDAP usernames to lowercase SQL usernames
exclude_ldap_users_to_lower: <list of strings> // LDAP user name(s) to exclude from syncing to lowercase
ldap_client: // one or several configurations for LDAP client
uris: <list of strings> // URI(s) of the LDAP server(s)
start_tls: true|false // Issue StartTLS (Transport Layer Security) extended operation
ca_paths: <list of pathes> // The path(s) to the TLS root CA file. The default root certificate(s) will be used if no value(s) are provided
dial_with_tls_config: true|false // Dial with TLS config
insecure_skip_verify: true|false // Disable TLS certificate verification (may be used with self-signed certificates for testing purposes)
user: <string> // The user name DN to log into LDAP
credentials: <string> // Credentials of the LDAP user
base: <string> // Search base path for the LDAP search object. For example: dc=example,dc=org
filter: <string> // LDAP filter to narrow search results
detail: // defines LDAP search details which may be defaulted if an LDAP schema is used
user_object_class: <string> // The objectClass name to match against an LDAP user
group_object_class: <string> // The objectClass name to match against an LDAP group
user_attribute: <string> // The field name for an LDAP username
group_attribute: <string> // The field name for an LDAP group name
user_member_of_attribute: <string> // The field name for an LDAP user's groups
group_members_attribute: <string> // The field name for an LDAP group's users
user_principal_name_attribute: <string> // The field name for an LDAP user's Kerberos/SAML principal name. Only applies to Kerberos and SAML authentication methods
saml_user_domain_attribute: <string> // The field name for an LDAP user's SAML domain suffix. Only applies to the SAML authentication method
sql_user: // New SQL users configuration
resource_pool: <string> // Resource pool name for new SingleStore users
failed_login_attempts_limit: <integer> // Maximum failed login attempts for new SingleStore users
password_lock_time: <integer> // Failed login lockout time in seconds for new SingleStore users
auth_method: kerberos|pam|saml|jwt // Authentication method for new SingleStore users
pam_auth_service: <string> // Service name for PAM
kerberos_realm: <string> // Service principal name domain for Kerberos
require_ssl: true|false // Enable the `REQUIRE SSL` for the synced users
sql_client: // Configuration for the connection to SingleStore
user: <string> // SQL user for connecting to SingleStore
password: <string> // SQL password for connecting to SingleStore
host: <string> // The cluster-addressable hostname for the node
port: <integer> // The cluster-addressable port for the node
ssl: true|false // Allow the SQL user to connect to SingleStore via SSL
ssl_ca_file: <path to CA file> // The path to the CA file to use when the SQL user connects to SingleStore via SSL. If this option is not specified, the default CA file will be used
insecure_ssl: true|false // Disable SSL certificate verification. May be used with self-signed certificates for testing purposes
Remarks
This command is interactive unless you use either --yes
or --json
flag to override interactive behavior.
Last modified: October 4, 2024