Add ability to manage ldap configuration

README.md

@@ -90,6 +90,13 @@ clickhouse_users_custom:
           quota: "default",
           dbs: [ testu1,testu2,testu3 ] ,
           comment: "classic user with multi dbs and multi-custom network allow password"}
+      - { name: "testuser4",
+          ldap_server: "example_ldap_server",
+          networks: { 192.168.0.0/24, 10.0.0.0/8 },
+          profile: "default",
+          quota: "default",
+          dbs: [ testu1,testu2,testu3 ] ,
+          comment: "external authentication using ldap_server definition"}
 ```
 
 F: You can manage own quotas:
@@ -172,6 +179,34 @@ clickhouse_kafka_topics_config:
     fetch_min_bytes: 120000
 ```
 
+F: You can manage [LDAP Server configuration](https://clickhouse.com/docs/en/operations/external-authenticators/ldap/#ldap-server-definition)
+```yaml
+clickhouse_ldap_servers:
+  # Debug with ldapwhoami -H '<host>' -D '<bind_dn>' -w <password>
+  example_ldap_server:
+    host: "ldaps.example.com"
+    port: "636"
+    bind_dn: "EXAMPLENET\\{user_name}"
+    verification_cooldown: "300"
+    enable_tls: "yes"
+    tls_require_cert: "demand"
+```
+
+F: You can manage [LDAP External User Directory](https://clickhouse.com/docs/en/operations/external-authenticators/ldap/#ldap-external-user-directory)
+```yaml
+# Helpful guide on https://altinity.com/blog/integrating-clickhouse-with-ldap-part-two
+clickhouse_ldap_user_directories:
+  - server: "example_ldap_server"
+    roles:
+      - "ldap_user"
+    role_mapping:
+      base_dn: "ou=groups,dc=example,dc=com"
+      attribute: "CN"
+      scope: "subtree"
+      search_filter: "(&amp;(objectClass=group)(member={user_dn}))"
+      prefix: "clickhouse_
+```
+
 F: You can manage Merge Tree config. For the list of available parameters, see [MergeTreeSettings.h](https://github.com/yandex/ClickHouse/blob/master/dbms/src/Storages/MergeTree/MergeTreeSettings.h).
 ```yaml
 clickhouse_merge_tree_config:

templates/config.j2

@@ -456,4 +456,45 @@
     </kafka_{{ kafka_topic }}>
 {% endfor %}
 
+{% if clickhouse_ldap_servers is defined %}
+    <ldap_servers>
+    {% for ldap_server in clickhouse_ldap_servers %}
+        <{{ ldap_server }}>
+        {% for key, value in clickhouse_ldap_servers[ldap_server].items() %}
+            {% if key == 'user_dn_detection' %}
+            <user_dn_detection>
+                <base_dn>{{ value['base_dn'] }}</base_dn>
+                <search_filter>{{ value['search_filter'] }}</search_filter>
+            </user_dn_detection>
+            {% else %}
+            <{{ key }}>{{ value }}</{{ key }}>
+            {% endif %}
+        {% endfor %}
+        </{{ ldap_server }}>
+    {% endfor %}
+    </ldap_servers>
+{% endif %}
+
+{% if clickhouse_ldap_user_directories is defined %}
+    <user_directories>
+    {% for ldap_user_directory in clickhouse_ldap_user_directories %}
+        <ldap>
+            <server>{{ ldap_user_directory['server'] }}</server>
+            <roles>
+            {% for role in ldap_user_directory['roles'] %}
+                <{{ role }}/>
+            {% endfor %}
+            </roles>
+            {% if ldap_user_directory['role_mapping'] is defined %}
+            <role_mapping>
+            {% for key, value in ldap_user_directory['role_mapping'].items() %}
+                <{{ key }}>{{ value }}</{{ key }}>
+            {% endfor %}
+            </role_mapping>
+            {% endif %}
+        </ldap>
+    {% endfor %}
+    </user_directories>
+{% endif %}
+
 </yandex>

templates/users.j2

@@ -79,6 +79,9 @@
         {% endfor %}
         </allow_databases>
         {% endif %}
+        {% if user.ldap_server is defined %}
+        <ldap><server>{{  user.ldap_server  }}</server></ldap>
+        {% endif %}
     </{{ user.name }}>
     {% endfor %}
     </users>