# Sync LDAP JWT Users

The Lightweight Directory Access Protocol (LDAP) sync feature of the Operator ensures that LDAP users are synced with SingleStore using the [JSON Web Token (JWT) authentication](https://docs.singlestore.com/db/v9.1/security/authentication/authenticate-via-jwt.md) type.

## Prerequisites

* An LDAP server, which is necessary to provide directory services. These instructions use the community [OpenLDAP](https://www.openldap.org/) Docker container, which can be started with the following command.
  ```shell
  docker run -p 389:389 -p 636:636 --name my-openldap-container --detach osixia/openldap:1.4.0
  ```
* A Kubernetes cluster with the application endpoints exposed, with its services accessible to the LDAP server, and with storage classes available.
* The associated tools are installed and running, including:

  * [Docker](https://www.docker.com/)
  * The [SingleStore Tools container](https://hub.docker.com/r/singlestore/tools) for use with the Operator
  * A [SQL client](https://docs.singlestore.com/db/v9.1/connect-to-singlestore.md), such as the [SingleStore client](https://docs.singlestore.com/db/v9.1/user-and-cluster-administration/cluster-management-with-tools/singlestore-tools-installation/singlestore-client-installation.md)
  * The `ldap-utils` package
  * `curl`
  * `kubectl`

## Check Connectivity

1. Check connectivity to SingleStore.
   ```shell
   singlestore -h 172.26.0.2 -u admin -P 3306 -p<password> -e 'SHOW USERS'
   ```
   ```output
   +-------------+--------+-------------+------------+-----------------------+----------+
   | User        | Type   | Connections | Is deleted | Default resource pool | Is local |
   +-------------+--------+-------------+------------+-----------------------+----------+
   | 'admin'@'%' | Native |           1 |            |                       | SYNC     |
   | 'root'@'%'  | Native |           0 |            |                       | LOCAL    |
   +-------------+--------+-------------+------------+-----------------------+----------+
   ```

2. Check connectivity to the LDAP server.
   ```shell
   ./bin/singlestoredb-toolbox-1.16.0-c63e2fe53f/sdb-admin sync-ldap \
   --uris ldap://localhost \
   --groups engineers \
   --search-base dc=example,dc=org \
   --schema open-ldap \
   --auth-method JWT \
   --show-detail \
   --bind-user cn=admin,dc=example,dc=org \
   --bind-credentials admin \
   --user admin \
   --password mypassword \
   --host 172.26.0.2 -y
   ```
   ```output
   ✔ Successfully prepared the sync
   LDAP users and groups are already synced
   ```

## Sync an LDAP User

1. Add a user to the LDAP server.
   ```shell
   ldapadd -x -H ldap://localhost -D "cn=admin,dc=example,dc=org" -w admin -f user.ldif
   ```
   ```output
   adding new entry "uid=peter,dc=example,dc=org"
   ```
   ```shell
   cat user.ldif
   ```
   ```output
   dn: uid=peter,dc=example,dc=org
   objectClass: top
   objectClass: account
   objectClass: posixAccount
   objectClass: shadowAccount
   cn: peter
   uid: peter
   uidNumber: 16859
   gidNumber: 100
   homeDirectory: /home/peter
   loginShell: /bin/bash
   gecos: peter
   userPassword: {crypt}x
   shadowLastChange: 0
   shadowMax: 0
   shadowWarning: 0
   ```

2. Create a new group.
   ```shell
   ldapadd -x -H ldap://localhost -D "cn=admin,dc=example,dc=org" -w admin -f group.ldif
   ```
   ```output
   adding new entry "cn=engineers,dc=example,dc=org"
   ```
   ```shell
   cat group.ldif
   ```
   ```output
   dn: cn=engineers,dc=example,dc=org
   objectClass: top
   objectClass: posixGroup
   gidNumber: 678
   ```

3. Assign this user to this group.
   ```shell
   ldapmodify -x -H ldap://localhost -D "cn=admin,dc=example,dc=org" -w admin -f add.ldif
   ```
   ```output
   modifying entry "cn=engineers,dc=example,dc=org"
   ```
   ```shell
   cat add.ldif
   ```
   ```output
   dn: cn=engineers,dc=example,dc=org
   changetype: modify
   add: memberUid
   memberUid: peter
   ```

4. Add the LDAP user as a JWT user to SingleStore.
   ```shell
   ./bin/singlestoredb-toolbox-1.16.0-c63e2fe53f/sdb-admin sync-ldap \
   --uris ldap://localhost \
   --groups engineers \
   --search-base dc=example,dc=org \
   --schema open-ldap \
   --auth-method JWT \
   --show-detail \
   --bind-user cn=admin,dc=example,dc=org \
   --bind-credentials admin \
   --user admin \
   --password mypassword \
   --host 172.26.0.2 -y
   ```
   ```output
   ✔ Successfully prepared the sync
   Toolbox is about to sync 'engineers' by performing the following actions:
   • Create the following users:
     - peter
   • Create the following groups:
     - engineers
   • Grant the following groups to users:
     - To user 'peter':
       + engineers
       + ldap_users_internal_group

   Would you like to continue? [Y/n]:
   Automatically selected yes, non-interactive mode enabled

   Toolbox synced 'engineers' with the following results:
   • Created 1 user out of 1
   • Created 1 group out of 1
   • Granted 2 groups out of 2
   ```

5. Confirm that the LDAP user is now reflected as a JWT user in SingleStore.
   ```shell
   singlestore -h 172.26.0.2 -u admin -P 3306 -pmypassword -e 'SHOW USERS'
   ```
   ```output
   +-------------+--------+-------------+------------+-----------------------+----------+
   | User        | Type   | Connections | Is deleted | Default resource pool | Is local |
   +-------------+--------+-------------+------------+-----------------------+----------+
   | 'admin'@'%' | Native |           1 |            |                       | SYNC     |
   | 'peter'@'%' | JWT    |           0 |            |                       | SYNC     |
   | 'root'@'%'  | Native |           0 |            |                       | LOCAL    |
   +-------------+--------+-------------+------------+-----------------------+----------+
   ```
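The five steps above are one procedure: write three LDIF documents, load them, run the sync, then read `SHOW USERS` to confirm the user arrived with Type `JWT`. The following script is an added example, not part of the SingleStore documentation or Toolbox. It generalises the page's hand-written `user.ldif`, `group.ldif` and `add.ldif` into generator functions for any user and group, and adds a `SHOW USERS` parser so the final confirmation can be scripted instead of read by eye. The function names, the `dc=example,dc=org` suffix, the `gidNumber: 100` primary group and the sample table are assumptions taken from this page; the `userPassword: {crypt}x` value is kept deliberately, since it is not a valid crypt hash and therefore leaves the entry with no usable LDAP password, which is what you want when the user authenticates to SingleStore with a JWT rather than a directory password.

```shell
#!/bin/sh
# Added example (not SingleStore's code): LDIF generators for the three
# documents in the procedure above, plus a SHOW USERS checker.
# Assumes the page's suffix dc=example,dc=org and primary gidNumber 100.

LDAP_SUFFIX="dc=example,dc=org"

# Print a posixAccount entry for user "$1" with uidNumber "$2".
# userPassword stays {crypt}x: an invalid hash, so no password can bind as
# this entry; authentication to SingleStore happens via JWT instead.
make_user_ldif() {
  cat <<EOF
dn: uid=$1,${LDAP_SUFFIX}
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: $1
uid: $1
uidNumber: $2
gidNumber: 100
homeDirectory: /home/$1
loginShell: /bin/bash
gecos: $1
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
EOF
}

# Print a posixGroup entry for group "$1" with gidNumber "$2".
make_group_ldif() {
  cat <<EOF
dn: cn=$1,${LDAP_SUFFIX}
objectClass: top
objectClass: posixGroup
gidNumber: $2
EOF
}

# Print a modify request that adds user "$2" to group "$1".
make_member_ldif() {
  cat <<EOF
dn: cn=$1,${LDAP_SUFFIX}
changetype: modify
add: memberUid
memberUid: $2
EOF
}

# Read SHOW USERS table output on stdin and print the Type column for the
# user named "$1" (the user part of 'user'@'host'). Exit 1 if not present.
user_type() {
  awk -F'|' -v u="$1" -v q="'" '
    /^ *\|/ && NF >= 3 {
      name = $2; type = $3
      gsub(/^ +| +$/, "", name); gsub(/^ +| +$/, "", type)
      sub(/@.*/, "", name); gsub(q, "", name)
      if (name == u) { print type; found = 1; exit }
    }
    END { exit found ? 0 : 1 }'
}

# Return 0 only when user "$1" exists in the table with Type JWT.
is_jwt_user() {
  t=$(user_type "$1") && [ "$t" = "JWT" ]
}

# Constructed sample modelled on the SHOW USERS output after the sync above.
sample_show_users() {
  cat <<'EOF'
+-------------+--------+-------------+------------+-----------------------+----------+
| User        | Type   | Connections | Is deleted | Default resource pool | Is local |
+-------------+--------+-------------+------------+-----------------------+----------+
| 'admin'@'%' | Native |           1 |            |                       | SYNC     |
| 'peter'@'%' | JWT    |           0 |            |                       | SYNC     |
| 'root'@'%'  | Native |           0 |            |                       | LOCAL    |
+-------------+--------+-------------+------------+-----------------------+----------+
EOF
}

# Stand-alone demonstration against the constructed sample.
make_user_ldif peter 16859
make_member_ldif engineers peter
sample_show_users | is_jwt_user peter && echo "peter is a JWT user"
```

Against a live directory the generators feed `ldapadd` and `ldapmodify` directly on stdin, for example `make_user_ldif peter 16859 | ldapadd -x -H ldap://localhost -D "cn=admin,dc=example,dc=org" -w admin`, and after `sdb-admin sync-ldap` the check becomes `singlestore -h 172.26.0.2 -u admin -P 3306 -p<password> -e 'SHOW USERS' | is_jwt_user peter`, which makes a missing or mis-typed user fail a pipeline instead of going unnoticed.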

***

Modified at: October 24, 2023

Source: [/db/v9.1/reference/singlestore-operator-reference/sync-ldap-jwt-users/](https://docs.singlestore.com/db/v9.1/reference/singlestore-operator-reference/sync-ldap-jwt-users/)
