ldap: configure LDAP as a supported method for authentication in HBA.conf #125076
Assignees
Labels
A-authentication
Pertains to authn subsystems
A-security
C-enhancement
Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception)
T-product-security
Comments
dikshant
added
C-enhancement
souravcrl
added a commit
to souravcrl/cockroach
that referenced
this issue
Jun 25, 2024
informs cockroachdb#124307, cockroachdb#125076, cockroachdb#125080, cockroachdb#125087 fixes CRDB-38815,CRDB-39221,CRDB-39222,CRDB-39227 Epic CRDB-33829 Release note(enterprise change): We will be adding a new authentication mechanism `authLDAP` to connect to AD servers over LDAPs. Example hba conf entry for this auth method: ``` # TYPE DATABASE USER ADDRESS METHOD OPTIONS # Allow all users to connect to using LDAP authentication with search and bind host all all all ldap ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" "ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)" # Fallback to password authentication for the root user host all root 0.0.0.0/0 password ``` We will also add be adding `server.ldap_authentication.domain_ca` cluster setting to allow operators to set a custom CA for their domain (i.e. `example.com`). Post configuration users should be able to authenticate to LDAP server if: 1. The distinguished name corresponding to their sql username exists (we search for the sql username using `ldapbinddn` and `ldapbindpasswd` in the `ldapbasedn` domain with filter set to `ldapsearchfilter` and `ldapsearchattribute` key having value sql username in db connection string) and we retrieve the DN. 2. Their bind attempt is successful with LDAP server using the retrieved DN and provided password in db connection string. Example DB connection string: ``` cockroach sql --url "postgresql://{SQL_USERNAME}:{LDAP_PASSWORD}@{CLUSTER_HOST}:26257" --certs-dir={CLUSTER_CERT_DIR} ```
souravcrl
added a commit
to souravcrl/cockroach
that referenced
this issue
Jun 30, 2024
informs cockroachdb#124307, cockroachdb#125076, cockroachdb#125080, cockroachdb#125087 fixes CRDB-38815,CRDB-39221,CRDB-39222,CRDB-39227 Epic CRDB-33829 Release note(enterprise change): We will be adding a new authentication mechanism `authLDAP` to connect to AD servers over LDAPs. Example hba conf entry for this auth method: ``` # TYPE DATABASE USER ADDRESS METHOD OPTIONS # Allow all users to connect to using LDAP authentication with search and bind host all all all ldap ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" "ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)" # Fallback to password authentication for the root user host all root 0.0.0.0/0 password ``` Example to use for azure AD server: ``` SET cluster setting server.host_based_authentication.configuration = 'host all all all ldap ldapserver=azure.dev ldapport=636 "ldapbasedn=OU=AADDC Users,DC=azure,DC=dev" "ldapbinddn=CN=Some User,OU=AADDC Users,DC=azure,DC=dev" ldapbindpasswd=my_pwd ldapsearchattribute=sAMAccountName "ldapsearchfilter=(memberOf=CN=azure-dev-domain-sync-users,OU=AADDC Users,DC=crlcloud,DC=dev)" host all root 0.0.0.0/0 password'; ``` We also add the following cluster settings: 1. `server.ldap_authentication.domain_ca` to allow operators to set a custom CA for their domain (i.e.example.com`). 2. `server.ldap_authentication.client.tls_certificate` and `server.ldap_authentication.client.tls_key` to allow operators to set the client certificate and key for establishing mTLS connection with LDAP server. Post configuration users should be able to authenticate to LDAP server if: 1. The distinguished name corresponding to their sql username exists (we search for the sql username using `ldapbinddn` and `ldapbindpasswd` in the `ldapbasedn` domain with filter set to `ldapsearchfilter` and `ldapsearchattribute` key having value sql username in db connection string) and we retrieve the DN. 2. Their bind attempt is successful with LDAP server using the retrieved DN and provided password in db connection string. Example DB client sql login commands. Note `LDAP_SEARCH_VAL` and `SQL_USERNAME` are same. Incase of azure `LDAP_SEARCH_VAL` will be value for `sAMAccountName`: 1. ``` cockroach sql --url "postgresql://{LDAP_SEARCH_VAL}:{LDAP_PASSWORD}@{CLUSTER_HOST}:26257" --certs-dir={CLUSTER_CERT_DIR} ``` 2. ``` export PGPASSWORD='LDAP_PASSWORD' cockroach sql --certs-dir=certs --url "postgresql://{LDAP_SEARCH_VAL}@{CLUSTER_HOST}:26257" ```
souravcrl
added a commit
to souravcrl/cockroach
that referenced
this issue
Jul 4, 2024
informs cockroachdb#124307, cockroachdb#125076, cockroachdb#125080, cockroachdb#125087 fixes CRDB-38815,CRDB-39221,CRDB-39222,CRDB-39227 Epic CRDB-33829 Release note(enterprise, security): We will be adding a new authentication mechanism `authLDAP` to connect to AD servers over LDAPs. Example hba conf entry for this auth method: ``` # TYPE DATABASE USER ADDRESS METHOD OPTIONS # Allow all users to connect to using LDAP authentication with search and bind host all all all ldap ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" "ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)" # Fallback to password authentication for the root user host all root 0.0.0.0/0 password ``` Example to use for azure AD server: ``` SET cluster setting server.host_based_authentication.configuration = 'host all all all ldap ldapserver=azure.dev ldapport=636 "ldapbasedn=OU=AADDC Users,DC=azure,DC=dev" "ldapbinddn=CN=Some User,OU=AADDC Users,DC=azure,DC=dev" ldapbindpasswd=my_pwd ldapsearchattribute=sAMAccountName "ldapsearchfilter=(memberOf=CN=azure-dev-domain-sync-users,OU=AADDC Users,DC=crlcloud,DC=dev)" host all root 0.0.0.0/0 password'; ``` We also add the following cluster settings: 1. `server.ldap_authentication.domain_ca` to allow operators to set a custom CA for their domain (i.e.example.com`). 2. `server.ldap_authentication.client.tls_certificate` and `server.ldap_authentication.client.tls_key` to allow operators to set the client certificate and key for establishing mTLS connection with LDAP server. Post configuration users should be able to authenticate to LDAP server if: 1. The distinguished name corresponding to their sql username exists (we search for the sql username using `ldapbinddn` and `ldapbindpasswd` in the `ldapbasedn` domain with filter set to `ldapsearchfilter` and `ldapsearchattribute` key having value sql username in db connection string) and we retrieve the DN. 2. Their bind attempt is successful with LDAP server using the retrieved DN and provided password in db connection string. Example DB client sql login commands. Note `LDAP_SEARCH_VAL` and `SQL_USERNAME` are same. Incase of azure `LDAP_SEARCH_VAL` will be value for `sAMAccountName`: 1. ``` cockroach sql --url "postgresql://{LDAP_SEARCH_VAL}:{LDAP_PASSWORD}@{CLUSTER_HOST}:26257" --certs-dir={CLUSTER_CERT_DIR} ``` 2. ``` export PGPASSWORD='LDAP_PASSWORD' cockroach sql --certs-dir=certs --url "postgresql://{LDAP_SEARCH_VAL}@{CLUSTER_HOST}:26257" ```
souravcrl
added a commit
to souravcrl/cockroach
that referenced
this issue
Jul 10, 2024
informs cockroachdb#125087 fixes cockroachdb#124307 fixes cockroachdb#125076 fixes cockroachdb#125080 Epic CRDB-33829 Release note(enterprise, security): We will be adding a new authentication mechanism `authLDAP` to connect to AD servers over LDAPs. Example hba conf entry for this auth method: ``` # TYPE DATABASE USER ADDRESS METHOD OPTIONS # Allow all users to connect to using LDAP authentication with search and bind host all all all ldap ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" "ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)" # Fallback to password authentication for the root user host all root 0.0.0.0/0 password ``` Example to use for azure AD server: ``` SET cluster setting server.host_based_authentication.configuration = 'host all all all ldap ldapserver=azure.dev ldapport=636 "ldapbasedn=OU=AADDC Users,DC=azure,DC=dev" "ldapbinddn=CN=Some User,OU=AADDC Users,DC=azure,DC=dev" ldapbindpasswd=my_pwd ldapsearchattribute=sAMAccountName "ldapsearchfilter=(memberOf=CN=azure-dev-domain-sync-users,OU=AADDC Users,DC=crlcloud,DC=dev)" host all root 0.0.0.0/0 password'; ``` We also add the following cluster settings: 1. `server.ldap_authentication.domain_ca` to allow operators to set a custom CA for their domain (i.e. `example.com`). 2. `server.ldap_authentication.client.tls_certificate` and `server.ldap_authentication.client.tls_key` to allow operators to set the client certificate and key for establishing mTLS connection with LDAP server. Post configuration users should be able to authenticate to LDAP server if: 1. The distinguished name corresponding to their sql username exists (we search for the sql username using `ldapbinddn` and `ldapbindpasswd` in the `ldapbasedn` domain with filter set to `ldapsearchfilter` and `ldapsearchattribute` key having value sql username in db connection string) and we retrieve the DN. 2. Their bind attempt is successful with LDAP server using the retrieved DN and provided ldap password in db connection string. Example DB client sql login commands. Note `LDAP_SEARCH_VAL` and `SQL_USERNAME` are same. In case of azure `LDAP_SEARCH_VAL` will be value for `sAMAccountName`: 1. ``` cockroach sql --url "postgresql://{LDAP_SEARCH_VAL}:{LDAP_PASSWORD}@{CLUSTER_HOST}:26257" --certs-dir={CLUSTER_CERT_DIR} ``` 2. ``` export PGPASSWORD='LDAP_PASSWORD' cockroach sql --certs-dir=certs --url "postgresql://{LDAP_SEARCH_VAL}@{CLUSTER_HOST}:26257" ```
souravcrl
added a commit
to souravcrl/cockroach
that referenced
this issue
Jul 12, 2024
informs cockroachdb#125087 fixes cockroachdb#124307 fixes cockroachdb#125076 fixes cockroachdb#125080 Epic CRDB-33829 Release note(enterprise, security): We will be adding a new authentication mechanism `authLDAP` to connect to AD servers over LDAPs. Example hba conf entry for this auth method: ``` # TYPE DATABASE USER ADDRESS METHOD OPTIONS # Allow all users to connect to using LDAP authentication with search and bind host all all all ldap ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" "ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)" # Fallback to password authentication for the root user host all root 0.0.0.0/0 password ``` Example to use for azure AD server: ``` SET cluster setting server.host_based_authentication.configuration = 'host all all all ldap ldapserver=azure.dev ldapport=636 "ldapbasedn=OU=AADDC Users,DC=azure,DC=dev" "ldapbinddn=CN=Some User,OU=AADDC Users,DC=azure,DC=dev" ldapbindpasswd=my_pwd ldapsearchattribute=sAMAccountName "ldapsearchfilter=(memberOf=CN=azure-dev-domain-sync-users,OU=AADDC Users,DC=crlcloud,DC=dev)" host all root 0.0.0.0/0 password'; ``` We also add the following cluster settings: 1. `server.ldap_authentication.domain_ca` to allow operators to set a custom CA for their domain (i.e. `example.com`). 2. `server.ldap_authentication.client.tls_certificate` and `server.ldap_authentication.client.tls_key` to allow operators to set the client certificate and key for establishing mTLS connection with LDAP server. Post configuration users should be able to authenticate to LDAP server if: 1. The distinguished name corresponding to their sql username exists (we search for the sql username using `ldapbinddn` and `ldapbindpasswd` in the `ldapbasedn` domain with filter set to `ldapsearchfilter` and `ldapsearchattribute` key having value sql username in db connection string) and we retrieve the DN. 2. Their bind attempt is successful with LDAP server using the retrieved DN and provided ldap password in db connection string. Example DB client sql login commands. Note `LDAP_SEARCH_VAL` and `SQL_USERNAME` are same. In case of azure `LDAP_SEARCH_VAL` will be value for `sAMAccountName`: 1. ``` cockroach sql --url "postgresql://{LDAP_SEARCH_VAL}:{LDAP_PASSWORD}@{CLUSTER_HOST}:26257" --certs-dir={CLUSTER_CERT_DIR} ``` 2. ``` export PGPASSWORD='LDAP_PASSWORD' cockroach sql --certs-dir=certs --url "postgresql://{LDAP_SEARCH_VAL}@{CLUSTER_HOST}:26257" ```
souravcrl
added a commit
to souravcrl/cockroach
that referenced
this issue
Jul 12, 2024
informs cockroachdb#125087 fixes cockroachdb#124307 fixes cockroachdb#125076 fixes cockroachdb#125080 Epic CRDB-33829 Release note(enterprise, security): We will be adding a new authentication mechanism `authLDAP` to connect to AD servers over LDAPs. Example hba conf entry for this auth method: ``` # TYPE DATABASE USER ADDRESS METHOD OPTIONS # Allow all users to connect to using LDAP authentication with search and bind host all all all ldap ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" "ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)" # Fallback to password authentication for the root user host all root 0.0.0.0/0 password ``` Example to use for azure AD server: ``` SET cluster setting server.host_based_authentication.configuration = 'host all all all ldap ldapserver=azure.dev ldapport=636 "ldapbasedn=OU=AADDC Users,DC=azure,DC=dev" "ldapbinddn=CN=Some User,OU=AADDC Users,DC=azure,DC=dev" ldapbindpasswd=my_pwd ldapsearchattribute=sAMAccountName "ldapsearchfilter=(memberOf=CN=azure-dev-domain-sync-users,OU=AADDC Users,DC=crlcloud,DC=dev)" host all root 0.0.0.0/0 password'; ``` We also add the following cluster settings: 1. `server.ldap_authentication.domain_ca` to allow operators to set a custom CA for their domain (i.e. `example.com`). 2. `server.ldap_authentication.client.tls_certificate` and `server.ldap_authentication.client.tls_key` to allow operators to set the client certificate and key for establishing mTLS connection with LDAP server. Post configuration users should be able to authenticate to LDAP server if: 1. The distinguished name corresponding to their sql username exists (we search for the sql username using `ldapbinddn` and `ldapbindpasswd` in the `ldapbasedn` domain with filter set to `ldapsearchfilter` and `ldapsearchattribute` key having value sql username in db connection string) and we retrieve the DN. 2. Their bind attempt is successful with LDAP server using the retrieved DN and provided ldap password in db connection string. Example DB client sql login commands. Note `LDAP_SEARCH_VAL` and `SQL_USERNAME` are same. In case of azure `LDAP_SEARCH_VAL` will be value for `sAMAccountName`: 1. ``` cockroach sql --url "postgresql://{LDAP_SEARCH_VAL}:{LDAP_PASSWORD}@{CLUSTER_HOST}:26257" --certs-dir={CLUSTER_CERT_DIR} ``` 2. ``` export PGPASSWORD='LDAP_PASSWORD' cockroach sql --certs-dir=certs --url "postgresql://{LDAP_SEARCH_VAL}@{CLUSTER_HOST}:26257" ```
souravcrl
added a commit
to souravcrl/cockroach
that referenced
this issue
Jul 12, 2024
informs cockroachdb#125087 fixes cockroachdb#124307 fixes cockroachdb#125076 fixes cockroachdb#125080 Epic CRDB-33829 Release note(enterprise, security): We will be adding a new authentication mechanism `authLDAP` to connect to AD servers over LDAPs. Example hba conf entry for this auth method: ``` # TYPE DATABASE USER ADDRESS METHOD OPTIONS # Allow all users to connect to using LDAP authentication with search and bind host all all all ldap ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" "ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)" # Fallback to password authentication for the root user host all root 0.0.0.0/0 password ``` Example to use for azure AD server: ``` SET cluster setting server.host_based_authentication.configuration = 'host all all all ldap ldapserver=azure.dev ldapport=636 "ldapbasedn=OU=AADDC Users,DC=azure,DC=dev" "ldapbinddn=CN=Some User,OU=AADDC Users,DC=azure,DC=dev" ldapbindpasswd=my_pwd ldapsearchattribute=sAMAccountName "ldapsearchfilter=(memberOf=CN=azure-dev-domain-sync-users,OU=AADDC Users,DC=crlcloud,DC=dev)" host all root 0.0.0.0/0 password'; ``` We also add the following cluster settings: 1. `server.ldap_authentication.domain_ca` to allow operators to set a custom CA for their domain (i.e. `example.com`). 2. `server.ldap_authentication.client.tls_certificate` and `server.ldap_authentication.client.tls_key` to allow operators to set the client certificate and key for establishing mTLS connection with LDAP server. Post configuration users should be able to authenticate to LDAP server if: 1. The distinguished name corresponding to their sql username exists (we search for the sql username using `ldapbinddn` and `ldapbindpasswd` in the `ldapbasedn` domain with filter set to `ldapsearchfilter` and `ldapsearchattribute` key having value sql username in db connection string) and we retrieve the DN. 2. Their bind attempt is successful with LDAP server using the retrieved DN and provided ldap password in db connection string. Example DB client sql login commands. Note `LDAP_SEARCH_VAL` and `SQL_USERNAME` are same. In case of azure `LDAP_SEARCH_VAL` will be value for `sAMAccountName`: 1. ``` cockroach sql --url "postgresql://{LDAP_SEARCH_VAL}:{LDAP_PASSWORD}@{CLUSTER_HOST}:26257" --certs-dir={CLUSTER_CERT_DIR} ``` 2. ``` export PGPASSWORD='LDAP_PASSWORD' cockroach sql --certs-dir=certs --url "postgresql://{LDAP_SEARCH_VAL}@{CLUSTER_HOST}:26257" ```
souravcrl
added a commit
to souravcrl/cockroach
that referenced
this issue
Jul 12, 2024
informs cockroachdb#125087 fixes cockroachdb#124307 fixes cockroachdb#125076 fixes cockroachdb#125080 Epic CRDB-33829 Release note(enterprise, security): We will be adding a new authentication mechanism `authLDAP` to connect to AD servers over LDAPs. Example hba conf entry for this auth method: ``` # TYPE DATABASE USER ADDRESS METHOD OPTIONS # Allow all users to connect to using LDAP authentication with search and bind host all all all ldap ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" "ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)" # Fallback to password authentication for the root user host all root 0.0.0.0/0 password ``` Example to use for azure AD server: ``` SET cluster setting server.host_based_authentication.configuration = 'host all all all ldap ldapserver=azure.dev ldapport=636 "ldapbasedn=OU=AADDC Users,DC=azure,DC=dev" "ldapbinddn=CN=Some User,OU=AADDC Users,DC=azure,DC=dev" ldapbindpasswd=my_pwd ldapsearchattribute=sAMAccountName "ldapsearchfilter=(memberOf=CN=azure-dev-domain-sync-users,OU=AADDC Users,DC=crlcloud,DC=dev)" host all root 0.0.0.0/0 password'; ``` We also add the following cluster settings: 1. `server.ldap_authentication.domain_ca` to allow operators to set a custom CA for their domain (i.e. `example.com`). 2. `server.ldap_authentication.client.tls_certificate` and `server.ldap_authentication.client.tls_key` to allow operators to set the client certificate and key for establishing mTLS connection with LDAP server. Post configuration users should be able to authenticate to LDAP server if: 1. The distinguished name corresponding to their sql username exists (we search for the sql username using `ldapbinddn` and `ldapbindpasswd` in the `ldapbasedn` domain with filter set to `ldapsearchfilter` and `ldapsearchattribute` key having value sql username in db connection string) and we retrieve the DN. 2. Their bind attempt is successful with LDAP server using the retrieved DN and provided ldap password in db connection string. Example DB client sql login commands. Note `LDAP_SEARCH_VAL` and `SQL_USERNAME` are same. In case of azure `LDAP_SEARCH_VAL` will be value for `sAMAccountName`: 1. ``` cockroach sql --url "postgresql://{LDAP_SEARCH_VAL}:{LDAP_PASSWORD}@{CLUSTER_HOST}:26257" --certs-dir={CLUSTER_CERT_DIR} ``` 2. ``` export PGPASSWORD='LDAP_PASSWORD' cockroach sql --certs-dir=certs --url "postgresql://{LDAP_SEARCH_VAL}@{CLUSTER_HOST}:26257" ```
craig bot
pushed a commit
that referenced
this issue
Jul 13, 2024
126227: pgwire, ccl: add support for LDAP server authentication r=rafiss,pritesh-lahoti a=souravcrl pgwire, ccl: add support for LDAP server authentication informs #125087 fixes #124307 fixes #125076 fixes #125080 Epic CRDB-33829 Release note(enterprise, security): We will be adding a new authentication mechanism `authLDAP` to connect to AD servers over LDAPs. Example hba conf entry for this auth method: ``` # TYPE DATABASE USER ADDRESS METHOD OPTIONS # Allow all users to connect to using LDAP authentication with search and bind host all all all ldap ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" "ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)" # Fallback to password authentication for the root user host all root 0.0.0.0/0 password ``` Example to use for azure AD server: ``` SET cluster setting server.host_based_authentication.configuration = 'host all all all ldap ldapserver=azure.dev ldapport=636 "ldapbasedn=OU=AADDC Users,DC=azure,DC=dev" "ldapbinddn=CN=Some User,OU=AADDC Users,DC=azure,DC=dev" ldapbindpasswd=my_pwd ldapsearchattribute=sAMAccountName "ldapsearchfilter=(memberOf=CN=azure-dev-domain-sync-users,OU=AADDC Users,DC=crlcloud,DC=dev)" host all root 0.0.0.0/0 password'; ``` We also add the following cluster settings: 1. `server.ldap_authentication.domain_ca` to allow operators to set a custom CA for their domain (i.e. `example.com`). 2. `server.ldap_authentication.client.tls_certificate` and `server.ldap_authentication.client.tls_key` to allow operators to set the client certificate and key for establishing mTLS connection with LDAP server. Post configuration users should be able to authenticate to LDAP server if: 1. The distinguished name corresponding to their sql username exists (we search for the sql username using `ldapbinddn` and `ldapbindpasswd` in the `ldapbasedn` domain with filter set to `ldapsearchfilter` and `ldapsearchattribute` key having value sql username in db connection string) and we retrieve the DN. 2. Their bind attempt is successful with LDAP server using the retrieved DN and provided ldap password in db connection string. Example DB client sql login commands. Note `LDAP_SEARCH_VAL` and `SQL_USERNAME` are same. In case of azure `LDAP_SEARCH_VAL` will be value for `sAMAccountName`: 1. ``` cockroach sql --url "postgresql://{LDAP_SEARCH_VAL}:{LDAP_PASSWORD}`@{CLUSTER_HOST}:26257"` --certs-dir={CLUSTER_CERT_DIR} ``` 2. ``` export PGPASSWORD='LDAP_PASSWORD' cockroach sql --certs-dir=certs --url "postgresql://{LDAP_SEARCH_VAL}`@{CLUSTER_HOST}:26257"` ``` Co-authored-by: Sourav Sarangi <[email protected]>
blathers-crl bot
pushed a commit
that referenced
this issue
Jul 13, 2024
informs #125087 fixes #124307 fixes #125076 fixes #125080 Epic CRDB-33829 Release note(enterprise, security): We will be adding a new authentication mechanism `authLDAP` to connect to AD servers over LDAPs. Example hba conf entry for this auth method: ``` # TYPE DATABASE USER ADDRESS METHOD OPTIONS # Allow all users to connect to using LDAP authentication with search and bind host all all all ldap ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" "ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)" # Fallback to password authentication for the root user host all root 0.0.0.0/0 password ``` Example to use for azure AD server: ``` SET cluster setting server.host_based_authentication.configuration = 'host all all all ldap ldapserver=azure.dev ldapport=636 "ldapbasedn=OU=AADDC Users,DC=azure,DC=dev" "ldapbinddn=CN=Some User,OU=AADDC Users,DC=azure,DC=dev" ldapbindpasswd=my_pwd ldapsearchattribute=sAMAccountName "ldapsearchfilter=(memberOf=CN=azure-dev-domain-sync-users,OU=AADDC Users,DC=crlcloud,DC=dev)" host all root 0.0.0.0/0 password'; ``` We also add the following cluster settings: 1. `server.ldap_authentication.domain_ca` to allow operators to set a custom CA for their domain (i.e. `example.com`). 2. `server.ldap_authentication.client.tls_certificate` and `server.ldap_authentication.client.tls_key` to allow operators to set the client certificate and key for establishing mTLS connection with LDAP server. Post configuration users should be able to authenticate to LDAP server if: 1. The distinguished name corresponding to their sql username exists (we search for the sql username using `ldapbinddn` and `ldapbindpasswd` in the `ldapbasedn` domain with filter set to `ldapsearchfilter` and `ldapsearchattribute` key having value sql username in db connection string) and we retrieve the DN. 2. Their bind attempt is successful with LDAP server using the retrieved DN and provided ldap password in db connection string. Example DB client sql login commands. Note `LDAP_SEARCH_VAL` and `SQL_USERNAME` are same. In case of azure `LDAP_SEARCH_VAL` will be value for `sAMAccountName`: 1. ``` cockroach sql --url "postgresql://{LDAP_SEARCH_VAL}:{LDAP_PASSWORD}@{CLUSTER_HOST}:26257" --certs-dir={CLUSTER_CERT_DIR} ``` 2. ``` export PGPASSWORD='LDAP_PASSWORD' cockroach sql --certs-dir=certs --url "postgresql://{LDAP_SEARCH_VAL}@{CLUSTER_HOST}:26257" ```
souravcrl
added a commit
that referenced
this issue
Jul 15, 2024
informs #125087 fixes #124307 fixes #125076 fixes #125080 Epic CRDB-33829 Release note(enterprise, security): We will be adding a new authentication mechanism `authLDAP` to connect to AD servers over LDAPs. Example hba conf entry for this auth method: ``` # TYPE DATABASE USER ADDRESS METHOD OPTIONS # Allow all users to connect to using LDAP authentication with search and bind host all all all ldap ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" "ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)" # Fallback to password authentication for the root user host all root 0.0.0.0/0 password ``` Example to use for azure AD server: ``` SET cluster setting server.host_based_authentication.configuration = 'host all all all ldap ldapserver=azure.dev ldapport=636 "ldapbasedn=OU=AADDC Users,DC=azure,DC=dev" "ldapbinddn=CN=Some User,OU=AADDC Users,DC=azure,DC=dev" ldapbindpasswd=my_pwd ldapsearchattribute=sAMAccountName "ldapsearchfilter=(memberOf=CN=azure-dev-domain-sync-users,OU=AADDC Users,DC=crlcloud,DC=dev)" host all root 0.0.0.0/0 password'; ``` We also add the following cluster settings: 1. `server.ldap_authentication.domain_ca` to allow operators to set a custom CA for their domain (i.e. `example.com`). 2. `server.ldap_authentication.client.tls_certificate` and `server.ldap_authentication.client.tls_key` to allow operators to set the client certificate and key for establishing mTLS connection with LDAP server. Post configuration users should be able to authenticate to LDAP server if: 1. The distinguished name corresponding to their sql username exists (we search for the sql username using `ldapbinddn` and `ldapbindpasswd` in the `ldapbasedn` domain with filter set to `ldapsearchfilter` and `ldapsearchattribute` key having value sql username in db connection string) and we retrieve the DN. 2. Their bind attempt is successful with LDAP server using the retrieved DN and provided ldap password in db connection string. Example DB client sql login commands. Note `LDAP_SEARCH_VAL` and `SQL_USERNAME` are same. In case of azure `LDAP_SEARCH_VAL` will be value for `sAMAccountName`: 1. ``` cockroach sql --url "postgresql://{LDAP_SEARCH_VAL}:{LDAP_PASSWORD}@{CLUSTER_HOST}:26257" --certs-dir={CLUSTER_CERT_DIR} ``` 2. ``` export PGPASSWORD='LDAP_PASSWORD' cockroach sql --certs-dir=certs --url "postgresql://{LDAP_SEARCH_VAL}@{CLUSTER_HOST}:26257" ```
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We should modify the HBA conf as a way to specify which user(s) are allowed to authenticate via LDAP. For simplicity we should force users that authenticate via LDAP to also authorize via LDAP/AD. This means supporting the following config in our HBA file
https://www.cockroachlabs.com/docs/stable/security-reference/authentication#hba-configuration-syntax
Jira issue: CRDB-39221
Epic CRDB-33829
The text was updated successfully, but these errors were encountered: