LDAP automatic user provisioning #20033
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for cockroachdb-api-docs canceled.
|
✅ Deploy Preview for cockroachdb-interactivetutorials-docs canceled.
|
✅ Netlify Preview
To edit notification comments on pull requests, go to your Netlify project configuration. |
souravcrl
reviewed
Aug 1, 2025
|
|
||
| - Users are created automatically upon successful LDAP authentication. | ||
| - All auto-provisioned users receive a `PROVISIONSRC` role option set to `ldap:<ldap_server>`. | ||
| - The `estimated_last_login_time` is tracked for auditing purposes. |
There was a problem hiding this comment.
The estimated_last_login_time is tracked for all users now, so not sure if we should additionally mention that the new audit is available in security overview here: https://www.cockroachlabs.com/docs/stable/security-reference/security-overview or as an aside for authorization best practices: https://www.cockroachlabs.com/docs/v22.2/security-reference/authorization#authorization-best-practices. The security overview can also include provisioning I feel because we plan to support JWT based provisioning also from 25.4 onwards. cc: @biplav-crl @pritesh-lahoti
souravcrl
reviewed
Aug 1, 2025
| SELECT * FROM [SHOW USERS] AS u | ||
| WHERE NOT EXISTS ( | ||
| SELECT 1 FROM unnest(u.options) AS opt | ||
| WHERE opt LIKE 'PROVISIONSRC=ldap:%' |
There was a problem hiding this comment.
Should we also include a filtering via the estimated_last_login_time option. The column was primarily added to be able to support deletion queries for dormant users and would be helpful to add to the auditing/deletion the statement clause
souravcrl
approved these changes
Aug 1, 2025
taroface
reviewed
Aug 1, 2025
| @@ -12,6 +12,10 @@ Release Date: July 23, 2025 | |||
| [#150366][#150366] | |||
| - The session setting `optimizer_min_row_count`, which sets a lower bound on row count estimates for relational expressions during query planning, is now set to `1` by default. | |||
| [#150376][#150376] | |||
| - The `options` column in the output of `SHOW ROLES` and `SHOW USERS` commands is now returned as an array of strings (for example `{NOLOGIN,CREATEDB}`) rather than as a single comma-separated string. This change enables more efficient querying of role options using array functions like `unnest()`. For example: `SELECT * FROM [SHOW ROLES] AS r WHERE EXISTS (SELECT 1 FROM unnest(r.options) AS m(option) WHERE option LIKE 'SUBJECT=cn%');` | |||
There was a problem hiding this comment.
Suggested change
| - The `options` column in the output of `SHOW ROLES` and `SHOW USERS` commands is now returned as an array of strings (for example `{NOLOGIN,CREATEDB}`) rather than as a single comma-separated string. This change enables more efficient querying of role options using array functions like `unnest()`. For example: `SELECT * FROM [SHOW ROLES] AS r WHERE EXISTS (SELECT 1 FROM unnest(r.options) AS m(option) WHERE option LIKE 'SUBJECT=cn%');` | |
| - The `options` column in the output of `SHOW ROLES` and `SHOW USERS` is now returned as an array of strings (e.g., `{NOLOGIN,CREATEDB}`) rather than as a single comma-separated string. This enables more efficient querying of role options using array functions like `unnest()`. For example: `SELECT * FROM [SHOW ROLES] AS r WHERE EXISTS (SELECT 1 FROM unnest(r.options) AS m(option) WHERE option LIKE 'SUBJECT=cn%');` |
| {{site.data.alerts.callout_info}} | ||
| {% include feature-phases/preview.md %} | ||
| {{site.data.alerts.end}} | ||
|
|
||
| CockroachDB supports authentication and authorization using LDAP-compatible directory services, such as Active Directory and Microsoft Entra ID. This allows you to integrate your cluster with your organization's existing identity infrastructure for centralized user management and access control. |
There was a problem hiding this comment.
Might be useful to spell out "Lightweight Directory Access Protocol" and link https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol in the intro, unless you feel everyone knows it already.
| @@ -21,12 +25,16 @@ While LDAP configuration is cluster-specific, each request to authenticate a use | |||
| - If a matching record was found, the cluster attempts to verify the user's identity through another LDAP request, this time using the credentials (username and password) provided by that user. | |||
| - If this LDAP bind operation succeeds, the user is authenticated to the CockroachDB cluster. | |||
| 1. Authorize the user (optional) | |||
| - If [LDAP authorization]({% link v24.3/ldap-authorization.md %}) is also enabled, an additional request is sent to retrieve the groups to which the user is assigned, using configurable criteria. | |||
| - If [LDAP authorization]({% link {{ page.version.version }}/ldap-authorization.md %}) is also enabled, an additional request is sent to retrieve the groups to which the user is assigned, using configurable criteria. | |||
There was a problem hiding this comment.
Is this right?
Suggested change
| - If [LDAP authorization]({% link {{ page.version.version }}/ldap-authorization.md %}) is also enabled, an additional request is sent to retrieve the groups to which the user is assigned, using configurable criteria. | |
| - If [LDAP authorization]({% link {{ page.version.version }}/ldap-authorization.md %}) is also enabled, the cluster sends an additional request to retrieve the groups to which the user is assigned, using configurable criteria. |
| @@ -96,15 +104,14 @@ SET CLUSTER SETTING server.ldap_authentication.client.tls_key = '<PEM_ENCODED_KE | |||
|
|
|||
| ### Step 4: Sync database users | |||
|
|
|||
| Before LDAP authentication can be used for a user, the username must be created directly in CockroachDB. You will need to establish an automated method for keeping users in sync with the directory server, creating and dropping them as needed. | |||
There was a problem hiding this comment.
Suggested change
| Before LDAP authentication can be used for a user, the username must be created directly in CockroachDB. You will need to establish an automated method for keeping users in sync with the directory server, creating and dropping them as needed. | |
| Before LDAP authentication can be enabled for a user, you must create the username directly in CockroachDB. You will need to establish an automated method for keeping users in sync with the directory server, creating and dropping them as needed. |
| Because CockroachDB maintains no more than one LDAP connection per node, for a cluster with `n` nodes, you can expect up to `n` concurrent LDAP connections. | ||
|
|
||
| {{site.data.alerts.callout_info}} | ||
| LDAP authentication cannot be used for the `root` user or other [reserved identities]({% link {{ page.version.version }}/security-reference/authorization.md %}#reserved-identities). Credentials for `root` must be managed separately using password authentication to ensure continuous administrative access regardless of LDAP availability. |
There was a problem hiding this comment.
Suggested change
| LDAP authentication cannot be used for the `root` user or other [reserved identities]({% link {{ page.version.version }}/security-reference/authorization.md %}#reserved-identities). Credentials for `root` must be managed separately using password authentication to ensure continuous administrative access regardless of LDAP availability. | |
| LDAP authentication cannot be used for the `root` user or other [reserved identities]({% link {{ page.version.version }}/security-reference/authorization.md %}#reserved-identities). You must manage credentials for `root` separately using password authentication to ensure continuous administrative access regardless of LDAP availability. |
|
|
||
| When enabled: | ||
| If LDAP authorization is enabled: |
There was a problem hiding this comment.
Elsewhere LDAP Authorization is capitalized. We should be consistent.
|
|
||
| 1. When a client connects to the cluster using LDAP, the cluster looks up the user's group membership in the LDAP service. | ||
| 1. Each LDAP group is mapped to a cluster role using the group's Common Name (CN) in the LDAP service. | ||
| 1. The user is granted each corresponding role, and roles that no longer match the user's groups are revoked. | ||
| 1. {% include_cached new-in.html version="v25.3" %}In conjunction with [automatic user provisioning]({% link {{ page.version.version }}/ldap-authentication.md %}#option-1-automatic-user-provisioning-recommended) if enabled, users are created automatically during their first authentication and simultaneously receive specified role memberships. |
There was a problem hiding this comment.
Suggested change
| 1. {% include_cached new-in.html version="v25.3" %}In conjunction with [automatic user provisioning]({% link {{ page.version.version }}/ldap-authentication.md %}#option-1-automatic-user-provisioning-recommended) if enabled, users are created automatically during their first authentication and simultaneously receive specified role memberships. | |
| 1. {% include_cached new-in.html version="v25.3" %} In conjunction with [automatic user provisioning]({% link {{ page.version.version }}/ldap-authentication.md %}#option-1-automatic-user-provisioning-recommended) if enabled, users are created automatically during their first authentication and simultaneously receive specified role memberships. |
| If automatic user provisioning is enabled, users will be created automatically during their first login. | ||
|
|
||
| 1. Log in to CockroachDB as each test user (refer to [Connect to a cluster using LDAP]({% link {{ page.version.version }}/ldap-authentication.md %}#connect-to-a-cluster-using-ldap)). | ||
| 1. Using your admin credentials, log in to the CockroachDB SQL shell and run `SHOW USERS;` to view and verify users and their role assignments. |
There was a problem hiding this comment.
Suggested change
| 1. Using your admin credentials, log in to the CockroachDB SQL shell and run `SHOW USERS;` to view and verify users and their role assignments. | |
| 1. Using your `admin` credentials, log in to the CockroachDB SQL shell and run `SHOW USERS;` to view and verify users and their role assignments. |
| @@ -4,15 +4,19 @@ summary: Learn how to configure CockroachDB for user authentication using LDAP-c | |||
| toc: true | |||
There was a problem hiding this comment.
A few comments I had on v25.2 should also apply here.
| @@ -4,9 +4,13 @@ summary: Learn how to configure CockroachDB for user authentication using LDAP-c | |||
| toc: true | |||
There was a problem hiding this comment.
This page is broken on preview. Not sure why but often has to do with a misformatted tag:
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
DOC-11247
Documents the new LDAP automatic user provisioning feature in CockroachDB v25.3 and updates command reference pages to reflect changes to
SHOW USERS/ROLESoutput format.Key features documented
server.provisioning.ldap.enabledcluster settingPROVISIONSRCrole option format:ldap:<server>PROVISIONSRCrole option)CREATE/SHOW USER/ROLEoutput: newestimated_last_login_timetracking column, options output now as array:NOLOGIN, FOO→{NOLOGIN,FOO}Preview
Changes made
LDAP Documentation
v25.3/ldap-authentication.md:
server.provisioning.ldap.enabledsettingPROVISIONSRCv25.3/ldap-authorization.md:
v25.2 LDAP pages:
Release notes
Command Reference Updates
Updated 21 example SHOW/CREATE USER/ROLE output tables across 6 files to use new array format for
optionscolumn and addestimated_last_login_timecolumn.TODOs
Security Overview or [Authorization Best Practices](https://www.
cockroachlabs.com/docs/v22.2/security-reference/authorization#authorization-best-practices),
and later expanding provisioning coverage further for future JWT support in v25.4
estimated_last_login_timefiltering for identifying dormant users inthe cleanup/auditing section, since this column was primarily added to support deletion
queries for inactive accounts