> Security >

LDAP authentication

LDAP Authentication is similar to password authentication, except that it uses the LDAP protocol to verify the password. Therefore, before LDAP can be used for authentication, the user must already exist in the database and have appropriate permissions.

You enable LDAP authentication in the YugabyteDB cluster by setting the LDAP configuration with the --ysql_hba_conf_csv flag.

This section describes how to configure Yugabyte Platform to use an LDAP server such as Active Directory with TLS.

For more information on LDAP in YugabyteDB, refer to LDAP Authentication.

Bind to the LDAP server using TLS

To bind to the LDAP server using TLS, you set the ldaptls=1 option. Set the ysql_hba_conf_csv flag to the following value:

host all yugabyte 127.0.0.1/0 password,"host all all 0.0.0.0/0 ldap ldapserver=ldapserver.example.org ldapbasedn=""dc=example,dc=org"" ldapsearchattribute=uid ldapbinddn=""cn=admin,dc=example,dc=org"" ldapbindpasswd=secret ldaptls=1"

Set the flag in Platform as described in Edit configuration flags.

Note

When entering the flag value in Platform, do not enclose it in single quotes as you would in a Linux shell.

The first host-based authentication (HBA) rule host all yugabyte 127.0.0.1/0 password allows access to the admin user (yugabyte) from localhost (127.0.0.1) using password authentication. This allows the administrator to login as yugabyte to set up the roles (and permissions) for LDAP users.

The second HBA rule configures LDAP authentication for all other user/host pairs using a search+bind configuration. The YB-TServer will bind to the LDAP directory using a fixed username and password specified with ldapbinddn and ldapbindpasswd. The search is performed over the subtree at ldapbasedn and tries to find an exact match of the attribute specified in ldapsearchattribute.

Once the user is found, to verify that the login is correct, the server disconnects and re-binds to the directory as this user using the password specified by the client.

For more information on the ysql_hba_conf_csv flag, refer to --ysql_hba_conf_csv flag. For more information on HBA, refer to Host-based authentication.

Example

  1. Configure Yugabyte Platform with the ysql_hba_conf_csv flag as outlined in the previous section.

  2. Create a user in Active Directory, and validate a successful search for that user.

    ldapsearch -x -H ldaps://ldapserver.example.org -b dc=example,dc=org 'uid=adam' -D "cn=admin,dc=example,dc=org" -w adminpassword

    You should see a response similar to the following: 
    # extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: uid=adam
# requesting: ALL

# adam, example.org
dn: uid=adam,dc=example,dc=org
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: adam
uid: adam
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/adam
loginShell: /bin/bash
gecos: adam
userPassword:: e2NyeXB0fXg=
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

    If instead you see something like ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1), then you have a network, certificate, or binding (authentication) problem.

  3. Create the user in YugabyteDB.

    % ysqlsh exampledb

    Password for user yugabyte: yugabyte
ysqlsh (11.2-YB-2.5.1.0-b0)
Type "help" for help.

    exampledb=# CREATE USER adam;

  4. Verify that the user can authenticate to the database using LDAP.

    % ysqlsh -U adam exampledb

    Password for user adam: supersecret
ysqlsh (11.2-YB-2.5.1.0-b0)
Type "help" for help.

    exampledb=# \conninfo

    You are connected to database "exampledb" as user "adam" on host "localhost" at port "5433".
Contact Us
Copyright © 2017-2022 Yugabyte, Inc. All rights reserved.