-
Notifications
You must be signed in to change notification settings - Fork 3.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
126227: pgwire, ccl: add support for LDAP server authentication r=rafiss,pritesh-lahoti a=souravcrl pgwire, ccl: add support for LDAP server authentication informs #125087 fixes #124307 fixes #125076 fixes #125080 Epic CRDB-33829 Release note(enterprise, security): We will be adding a new authentication mechanism `authLDAP` to connect to AD servers over LDAPs. Example hba conf entry for this auth method: ``` # TYPE DATABASE USER ADDRESS METHOD OPTIONS # Allow all users to connect to using LDAP authentication with search and bind host all all all ldap ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" "ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)" # Fallback to password authentication for the root user host all root 0.0.0.0/0 password ``` Example to use for azure AD server: ``` SET cluster setting server.host_based_authentication.configuration = 'host all all all ldap ldapserver=azure.dev ldapport=636 "ldapbasedn=OU=AADDC Users,DC=azure,DC=dev" "ldapbinddn=CN=Some User,OU=AADDC Users,DC=azure,DC=dev" ldapbindpasswd=my_pwd ldapsearchattribute=sAMAccountName "ldapsearchfilter=(memberOf=CN=azure-dev-domain-sync-users,OU=AADDC Users,DC=crlcloud,DC=dev)" host all root 0.0.0.0/0 password'; ``` We also add the following cluster settings: 1. `server.ldap_authentication.domain_ca` to allow operators to set a custom CA for their domain (i.e. `example.com`). 2. `server.ldap_authentication.client.tls_certificate` and `server.ldap_authentication.client.tls_key` to allow operators to set the client certificate and key for establishing mTLS connection with LDAP server. Post configuration users should be able to authenticate to LDAP server if: 1. The distinguished name corresponding to their sql username exists (we search for the sql username using `ldapbinddn` and `ldapbindpasswd` in the `ldapbasedn` domain with filter set to `ldapsearchfilter` and `ldapsearchattribute` key having value sql username in db connection string) and we retrieve the DN. 2. Their bind attempt is successful with LDAP server using the retrieved DN and provided ldap password in db connection string. Example DB client sql login commands. Note `LDAP_SEARCH_VAL` and `SQL_USERNAME` are same. In case of azure `LDAP_SEARCH_VAL` will be value for `sAMAccountName`: 1. ``` cockroach sql --url "postgresql://{LDAP_SEARCH_VAL}:{LDAP_PASSWORD}`@{CLUSTER_HOST}:26257"` --certs-dir={CLUSTER_CERT_DIR} ``` 2. ``` export PGPASSWORD='LDAP_PASSWORD' cockroach sql --certs-dir=certs --url "postgresql://{LDAP_SEARCH_VAL}`@{CLUSTER_HOST}:26257"` ``` Co-authored-by: Sourav Sarangi <[email protected]>
- Loading branch information
Showing
15 changed files
with
1,102 additions
and
1 deletion.
There are no files selected for viewing
Validating CODEOWNERS rules …
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test") | ||
|
||
go_library( | ||
name = "ldapccl", | ||
srcs = [ | ||
"authentication_ldap.go", | ||
"ldap_util.go", | ||
"settings.go", | ||
], | ||
importpath = "github.com/cockroachdb/cockroach/pkg/ccl/ldapccl", | ||
visibility = ["//visibility:public"], | ||
deps = [ | ||
"//pkg/ccl/utilccl", | ||
"//pkg/clusterversion", | ||
"//pkg/security", | ||
"//pkg/security/username", | ||
"//pkg/server/telemetry", | ||
"//pkg/settings", | ||
"//pkg/settings/cluster", | ||
"//pkg/sql/pgwire", | ||
"//pkg/sql/pgwire/hba", | ||
"//pkg/sql/pgwire/identmap", | ||
"//pkg/sql/pgwire/pgcode", | ||
"//pkg/sql/pgwire/pgerror", | ||
"//pkg/util/log", | ||
"//pkg/util/syncutil", | ||
"//pkg/util/uuid", | ||
"@com_github_cockroachdb_errors//:errors", | ||
"@com_github_cockroachdb_redact//:redact", | ||
"@com_github_go_ldap_ldap_v3//:ldap", | ||
], | ||
) | ||
|
||
go_test( | ||
name = "ldapccl_test", | ||
size = "small", | ||
srcs = [ | ||
"authentication_ldap_test.go", | ||
"main_test.go", | ||
"settings_test.go", | ||
], | ||
data = glob(["testdata/**"]), | ||
embed = [":ldapccl"], | ||
deps = [ | ||
"//pkg/base", | ||
"//pkg/ccl", | ||
"//pkg/security/certnames", | ||
"//pkg/security/securityassets", | ||
"//pkg/security/securitytest", | ||
"//pkg/security/username", | ||
"//pkg/server", | ||
"//pkg/sql/pgwire/hba", | ||
"//pkg/testutils", | ||
"//pkg/testutils/serverutils", | ||
"//pkg/testutils/testcluster", | ||
"//pkg/util/leaktest", | ||
"//pkg/util/log", | ||
"//pkg/util/randutil", | ||
"@com_github_cockroachdb_errors//:errors", | ||
"@com_github_cockroachdb_redact//:redact", | ||
"@com_github_go_ldap_ldap_v3//:ldap", | ||
"@com_github_stretchr_testify//require", | ||
], | ||
) |
Oops, something went wrong.