LDAP authentication for universes
This page documents the preview version (v2.23). Preview includes features under active development and is for development and testing only. For production, use the stable version (v2024.1). To learn more, see Versioning.
This section describes how to configure a YugabyteDB Anywhere universe to use an LDAP server such as Active Directory with TLS.
(For information on using LDAP to authenticate with YugabyteDB Anywhere, refer to Enable YugabyteDB Anywhere authentication via LDAP.)
Bind to the LDAP server using TLS
You enable LDAP authentication in the YugabyteDB universe by setting the LDAP configuration using the --ysql_hba_conf_csv flag.
To bind to the LDAP server using TLS, include the ldaptls=1 option in the ysql_hba_conf_csv flag as per the following example:
host all yugabyte 127.0.0.1/0 password,"host all all 0.0.0.0/0 ldap ldapserver=ldapserver.example.org ldapbasedn=""dc=example,dc=org"" ldapsearchattribute=uid ldapbinddn=""cn=admin,dc=example,dc=org"" ldapbindpasswd=secret ldaptls=1"
For more information, see Edit configuration flags.
When entering the flag value in YugabyteDB Anywhere, do not enclose it in single quotes, as you would in a Linux shell.
The first host-based authentication (HBA) rule host all yugabyte 127.0.0.1/0 password allows access to the admin user (yugabyte) from localhost (127.0.0.1) using password authentication. This allows the administrator to sign in as yugabyte to set up the roles and permissions for LDAP users.
The second HBA rule configures LDAP authentication for all other user-host pairs using a search+bind configuration. The YB-TServer binds to the LDAP directory using a fixed user name and password specified with ldapbinddn and ldapbindpasswd. The search is performed over the subtree at ldapbasedn and tries to find an exact match of the attribute specified in ldapsearchattribute.
After the user is found, to verify that the credentials are correct, the server disconnects and rebinds to the directory as this user using the password specified by the client.
For more information on the ysql_hba_conf_csv flag, refer to --ysql_hba_conf_csv flag. For more information on HBA, refer to Host-based authentication.
Example
Consider the following example:
-
Configure YugabyteDB Anywhere with the
ysql_hba_conf_csvflag, as outlined in Bind to the LDAP server using TLS. -
Create a user in Active Directory and validate a successful search for that user, as follows:
ldapsearch -x -H ldaps://ldapserver.example.org -b dc=example,dc=org 'uid=adam' -D "cn=admin,dc=example,dc=org" -w adminpasswordYou should see a response similar to the following:
# extended LDIF # # LDAPv3 # base <dc=example,dc=org> with scope subtree # filter: uid=adam # requesting: ALL # adam, example.org dn: uid=adam,dc=example,dc=org objectClass: top objectClass: account objectClass: posixAccount objectClass: shadowAccount cn: adam uid: adam uidNumber: 16859 gidNumber: 100 homeDirectory: /home/adam loginShell: /bin/bash gecos: adam userPassword:: e2NyeXB0fXg= shadowLastChange: 0 shadowMax: 0 shadowWarning: 0 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1If instead you see a message similar to
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1), then you have a network, certificate, or binding (authentication) problem. See Troubleshoot LDAP issues. -
Create the user in YugabyteDB, as follows:
ysqlsh exampledbPassword for user yugabyte: yugabyte ysqlsh (11.2-YB-2.23.0.0-b0) Type "help" for help.exampledb=# CREATE USER adam; -
Verify that the user can authenticate to the database using LDAP, as follows:
ysqlsh -U adam exampledbPassword for user adam: supersecret ysqlsh (11.2-YB-2.23.0.0-b0) Type "help" for help.exampledb=# \conninfoExpect the following output:
You are connected to database "exampledb" as user "adam" on host "localhost" at port "5433".
Learn more
For more information on LDAP in YugabyteDB, refer to LDAP authentication.