diff --git a/README.md b/README.md
index 9673241..af441fc 100644
--- a/README.md
+++ b/README.md
@@ -90,6 +90,13 @@ clickhouse_users_custom:
 quota: "default",
 dbs: [ testu1,testu2,testu3 ] ,
 comment: "classic user with multi dbs and multi-custom network allow password"}
+ - { name: "testuser4",
+ ldap_server: "example_ldap_server",
+ networks: { 192.168.0.0/24, 10.0.0.0/8 },
+ profile: "default",
+ quota: "default",
+ dbs: [ testu1,testu2,testu3 ] ,
+ comment: "external authentication using ldap_server definition"}
 ```
 
 F: You can manage own quotas:
@@ -172,6 +179,34 @@ clickhouse_kafka_topics_config:
 fetch_min_bytes: 120000
 ```
 
+F: You can manage [LDAP Server configuration](https://clickhouse.com/docs/en/operations/external-authenticators/ldap/#ldap-server-definition)
+```yaml
+clickhouse_ldap_servers:
+ # Debug with ldapwhoami -H '' -D '' -w
+ example_ldap_server:
+ host: "ldaps.example.com"
+ port: "636"
+ bind_dn: "EXAMPLENET\\{user_name}"
+ verification_cooldown: "300"
+ enable_tls: "yes"
+ tls_require_cert: "demand"
+```
+
+F: You can manage [LDAP External User Directory](https://clickhouse.com/docs/en/operations/external-authenticators/ldap/#ldap-external-user-directory)
+```yaml
+# Helpful guide on https://altinity.com/blog/integrating-clickhouse-with-ldap-part-two
+clickhouse_ldap_user_directories:
+ - server: "example_ldap_server"
+ roles:
+ - "ldap_user"
+ role_mapping:
+ base_dn: "ou=groups,dc=example,dc=com"
+ attribute: "CN"
+ scope: "subtree"
+ search_filter: "(&(objectClass=group)(member={user_dn}))"
+ prefix: "clickhouse_
+```
+
 F: You can manage Merge Tree config. For the list of available parameters, see [MergeTreeSettings.h](https://github.com/yandex/ClickHouse/blob/master/dbms/src/Storages/MergeTree/MergeTreeSettings.h).
 ```yaml
 clickhouse_merge_tree_config:
diff --git a/templates/config.j2 b/templates/config.j2
index ac32647..1d977d9 100644
--- a/templates/config.j2
+++ b/templates/config.j2
@@ -456,4 +456,45 @@
 {% endfor %}
+{% if clickhouse_ldap_servers is defined %}
+
+ {% for ldap_server in clickhouse_ldap_servers %}
+ <{{ ldap_server }}>
+ {% for key, value in clickhouse_ldap_servers[ldap_server].items() %}
+ {% if key == 'user_dn_detection' %}
+
+ {{ value['base_dn'] }}
+ {{ value['search_filter'] }}
+
+ {% else %}
+ <{{ key }}>{{ value }}
+ {% endif %}
+ {% endfor %}
+
+ {% endfor %}
+
+{% endif %}
+
+{% if clickhouse_ldap_user_directories is defined %}
+
+ {% for ldap_user_directory in clickhouse_ldap_user_directories %}
+
+ {{ ldap_user_directory['server'] }}
+
+ {% for role in ldap_user_directory['roles'] %}
+ <{{ role }}/>
+ {% endfor %}
+
+ {% if ldap_user_directory['role_mapping'] is defined %}
+
+ {% for key, value in ldap_user_directory['role_mapping'].items() %}
+ <{{ key }}>{{ value }}
+ {% endfor %}
+
+ {% endif %}
+
+ {% endfor %}
+
+{% endif %}
+
diff --git a/templates/users.j2 b/templates/users.j2
index f519648..db7cbd8 100644
--- a/templates/users.j2
+++ b/templates/users.j2
@@ -79,6 +79,9 @@
 {% endfor %}
 {% endif %}
+ {% if user.ldap_server is defined %}
+ {{ user.ldap_server }}
+ {% endif %}
 {% endfor %}
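Review bot: The scalar values written into the generated XML are not escaped — `<{{ key }}>{{ value }}` in the `clickhouse_ldap_servers` loop and again in the `role_mapping` loop, and `{{ value['base_dn'] }}` / `{{ value['search_filter'] }}` in the `user_dn_detection` branch — so any value containing `&`, `<` or `>` yields ill-formed XML that ClickHouse cannot load. The README example in this same commit already triggers it: `search_filter: "(&(objectClass=group)(member={user_dn}))"` has to land in the config as `&amp;`. Apply the Jinja escape filter on every interpolated value, e.g. `<{{ key }}>{{ value | e }}`, `{{ value['base_dn'] | e }}` and `{{ value['search_filter'] | e }}`; the same applies to `{{ user.ldap_server }}` in the users.j2 hunk. The closing tags and the wrapping elements of these blocks are not visible in the hunk as rendered here, so I could not confirm the surrounding element names.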
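Review bot: The new `{% if user.ldap_server is defined %}` block emits the LDAP server reference for the user, but nothing in the hunk suppresses the user's password element when `ldap_server` is set, and ClickHouse rejects a user definition that specifies more than one authentication method; whether a password element is still written for such a user depends on the earlier part of the user loop, which is outside this hunk. If it is, that branch should carry the complementary guard, e.g. `{% if user.ldap_server is not defined %}` around the password output. The name is also written verbatim with no check that it matches a key of `clickhouse_ldap_servers`, so a typo in `ldap_server` only surfaces when ClickHouse loads the config rather than at template time; a short comment such as `{# must match a key of clickhouse_ldap_servers in config.j2 #}` above the block would at least document the coupling.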