# Synchronization Rules

During the sync, the LDAP tool runs the following SQL commands under specified conditions.

| SQL Commands                                                                                                              | Conditions                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| ------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [CREATE USER](https://docs.singlestore.com/db/v9.1/reference/sql-reference/security-management-commands/create-user.md)   | The LDAP groups to sync contain members who are not SingleStore users.                                                                                                                                                                                                                                                                                                                                                                                                          |
| [CREATE GROUP](https://docs.singlestore.com/db/v9.1/reference/sql-reference/security-management-commands/create-group.md) | The LDAP groups to sync do not exist as SingleStore groups.                                                                                                                                                                                                                                                                                                                                                                                                                  |
| [DROP USER](https://docs.singlestore.com/db/v9.1/reference/sql-reference/security-management-commands/drop-user.md)       | SingleStore contains users that have been removed from the LDAP groups listed for syncing.<ul> <li>If the <code>--drop-unmanaged-users</code> option is used, the tool deletes every SingleStore user that is not present in LDAP, managed or not.</li> <li>If the <code>--drop-unmanaged-users</code> option is omitted, the tool deletes only managed SingleStore users (members of the <code>ldap_users_internal_group</code> group) that are no longer present in LDAP.</li> </ul> |
| [DROP GROUP](https://docs.singlestore.com/db/v9.1/reference/sql-reference/security-management-commands/drop-group.md)     | SingleStore contains groups that have been deleted from LDAP.                                                                                                                                                                                                                                                                                                                                                                                                                |
| [GRANT GROUP](https://docs.singlestore.com/db/v9.1/reference/sql-reference/security-management-commands/grant-group.md)   | The LDAP groups to sync contain members that are not part of the corresponding SingleStore groups. The tool adds those users to the SingleStore groups.                                                                                                                                                                                                                                                                                                                     |
| [REVOKE GROUP](https://docs.singlestore.com/db/v9.1/reference/sql-reference/security-management-commands/revoke-group.md) | SingleStore groups contain members that are no longer part of the corresponding LDAP groups listed for syncing. The tool removes those users from the SingleStore groups.                                                                                                                                                                                                                                                                                                   |

## Additional Notes

* New SingleStore users and groups that are created during the sync abide by the following rules.

  * New users and groups are created with the LDAP user and group names. The names of the imported users and groups must also be unique.
  * New users can be authenticated via [Kerberos](https://docs.singlestore.com/db/v9.1/security/authentication/kerberos-authentication.md), [PAM](https://docs.singlestore.com/db/v9.1/security/authentication/pam-authentication.md), [SAML](https://docs.singlestore.com/db/v9.1/security/authentication/saml-authentication.md), or JWT, depending on the authentication protocol preconfigured in SingleStore.
  * New users are created with the parameters defined by the `--resource-pool`, `--failed-login-attempts`, and `--password-lock-time` options. Note that the resource pool you specify must already exist in SingleStore.
  * New users will be members of the `ldap_users_internal_group` group. This group must not be modified. **Note**: Members of `ldap_users_internal_group` will be referred to as "managed" users throughout this document.
  * New users are created with the `%` hostname, allowing them to connect to the cluster from any host.
* New SingleStore groups are created with the members of the LDAP groups that are synced. SingleStore does not support nested groups, so only one group level is synced. For example, DentalCSR and MedicalCSR are two LDAP user groups. After syncing with SingleStore, members of DentalCSR in LDAP become members of DentalCSR in SingleStore, and members of MedicalCSR in LDAP are added to MedicalCSR in SingleStore. If a user belongs to both LDAP groups, the user becomes a member of both SingleStore groups.
* If a SingleStore user that is dropped during a sync also has an active database connection, the user can run commands until the session expires. However, the deleted user cannot establish new database connections.
* If an LDAP user already exists in SingleStore, the tool will sync the LDAP user’s information with SingleStore.
* The tool does not sync a user’s hosts or passwords from LDAP.
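The following planner is an added illustration of the rules in the table and the notes above; it is not SingleStore's own LDAP sync tool. Given a constructed snapshot of the LDAP groups listed for syncing and of the current SingleStore users and groups, it returns the statements one sync run would issue, ordered so that users and groups exist before they are granted and are dropped only after their memberships have been reconciled. The statement shapes are simplified from the linked reference pages (the `WITH DEFAULT RESOURCE POOL` clause and the `@'%'` host suffix are assumptions to check against them), and the group names, user names and the `csr_pool` resource pool are constructed.

```python
"""Sync planner modelled on the SingleStore LDAP sync rules.

Added example, not SingleStore's sync tool. Statement syntax is simplified
and labelled as an assumption; the linked reference pages are authoritative.
"""
from dataclasses import dataclass

# From the notes: every synced user is a member of this group, and its members
# are what the page calls "managed" users. The group must not be modified.
MANAGED_GROUP = "ldap_users_internal_group"


@dataclass
class DbState:
    users: set[str]                 # SingleStore user names (synced users always have host '%')
    groups: dict[str, set[str]]     # SingleStore group name -> member user names


def q(name: str) -> str:
    """Backtick-quote an identifier (assumption: MySQL-style quoting rules)."""
    return "`" + name.replace("`", "``") + "`"


def plan_sync(sync_list, ldap, db, drop_unmanaged_users=False, resource_pool=None):
    """Return the SQL statements one sync run would execute, in order.

    sync_list: LDAP group names passed to the tool for syncing.
    ldap:      name -> members for the groups in sync_list that still exist in LDAP;
               a name in sync_list but absent here was deleted from LDAP.
    db:        current SingleStore users and groups.
    """
    present = set(ldap)
    deleted_groups = sorted(g for g in sync_list if g not in present and g in db.groups)
    ldap_users = set().union(*ldap.values()) if ldap else set()
    managed = db.groups.get(MANAGED_GROUP, set())

    # DROP USER rule: with the flag, every user absent from LDAP; without it,
    # only managed users absent from LDAP.
    candidates = db.users if drop_unmanaged_users else (db.users & managed)
    to_drop = sorted(candidates - ldap_users)

    stmts = []
    # CREATE USER: LDAP members who are not SingleStore users. New users get the
    # '%' host and join the managed group; --failed-login-attempts and
    # --password-lock-time are omitted here (assumption: optional clauses).
    for u in sorted(ldap_users - db.users):
        pool = f" WITH DEFAULT RESOURCE POOL {q(resource_pool)}" if resource_pool else ""
        stmts.append(f"CREATE USER {q(u)}@'%'{pool};")
        stmts.append(f"GRANT GROUP {q(MANAGED_GROUP)} TO {q(u)}@'%';")
    # CREATE GROUP: synced LDAP groups that do not exist in SingleStore.
    for g in sorted(present - set(db.groups)):
        stmts.append(f"CREATE GROUP {q(g)};")
    # GRANT GROUP / REVOKE GROUP: reconcile the membership of each synced group.
    # A user in two LDAP groups simply appears in both loops.
    for g in sorted(present):
        want, have = ldap[g], db.groups.get(g, set())
        for u in sorted(want - have):
            stmts.append(f"GRANT GROUP {q(g)} TO {q(u)}@'%';")
        for u in sorted(have - want):
            if u not in to_drop:        # DROP USER already removes the membership
                stmts.append(f"REVOKE GROUP {q(g)} FROM {q(u)}@'%';")
    # DROP USER and DROP GROUP last, so nothing above references a dropped object.
    for u in to_drop:
        stmts.append(f"DROP USER {q(u)}@'%';")
    for g in deleted_groups:
        stmts.append(f"DROP GROUP {q(g)};")
    return stmts


# Constructed snapshot: carol is in both LDAP groups, dave is a managed user who
# left LDAP, app_admin is a local (unmanaged) account that was added to DentalCSR
# by hand, and LegacyCSR was deleted from LDAP after an earlier sync.
SAMPLE_SYNC_LIST = ["DentalCSR", "MedicalCSR", "LegacyCSR"]
SAMPLE_LDAP = {
    "DentalCSR": {"alice", "carol"},
    "MedicalCSR": {"bob", "carol"},
}
SAMPLE_DB = DbState(
    users={"alice", "dave", "app_admin"},
    groups={
        MANAGED_GROUP: {"alice", "dave"},
        "DentalCSR": {"alice", "dave", "app_admin"},
        "LegacyCSR": {"dave"},
    },
)

if __name__ == "__main__":
    for flag in (False, True):
        print(f"--- drop_unmanaged_users={flag} ---")
        for s in plan_sync(SAMPLE_SYNC_LIST, SAMPLE_LDAP, SAMPLE_DB,
                           drop_unmanaged_users=flag, resource_pool="csr_pool"):
            print(s)
```

Running the sample both ways shows the difference the `--drop-unmanaged-users` option makes: without it, the local `app_admin` account is only revoked from DentalCSR and keeps its other access, while with it that account is dropped along with `dave`. Because the flag removes every SingleStore user absent from the synced LDAP groups, reviewing the DROP USER lines of a plan like this before executing them is the check worth making.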

***

Modified at: June 22, 2022

Source: [/db/v9.1/user-and-cluster-administration/singlestore-user-management/ldap-user-sync/sync-rules/](https://docs.singlestore.com/db/v9.1/user-and-cluster-administration/singlestore-user-management/ldap-user-sync/sync-rules/)

