LDAP automatic user provisioning

[mikeCRL]

DOC-11247

Documents the new LDAP automatic user provisioning feature in CockroachDB v25.3 and updates command reference pages to reflect changes to SHOW USERS/ROLES output format.

Key features documented

• server.provisioning.ldap.enabled cluster setting
• PROVISIONSRC role option format: ldap:<server>
• Restrictions on auto-provisioned users (no password changes, immutable PROVISIONSRC role option)
• CREATE/SHOW USER/ROLE output: new estimated_last_login_time tracking column, options output now as array: NOLOGIN, FOO → {NOLOGIN,FOO}
• User cleanup workflows for AD-removed accounts with PowerShell example

Preview

• v25.3/ldap-authentication
• v25.3/ldap-authorization
• v25.2/ldap-authentication
• v25.2/ldap-authorization

Changes made

LDAP Documentation

• Added preview callout that was needed across all pages

v25.3/ldap-authentication.md:

• Added automatic user provisioning option with server.provisioning.ldap.enabled setting
• Added recommendation to enable LDAP Authorization before auto-provisioning
• Added "Managing auto-provisioned users" section with specific queries to filter by PROVISIONSRC
• Added 3-step cleanup process for users removed from Active Directory
• Added username validation requirements to prerequisites

v25.3/ldap-authorization.md:

• Added advice to create CRDB roles before enabling auto-provisioning

v25.2 LDAP pages:

• Added callout pointing to v25.3 for auto-provisioning capabilities
• Fixed cross-version references

Release notes

• Added 2 bullets to v25.3-rc.1 SQL language changes documenting options array format and new login time column

Command Reference Updates

Updated 21 example SHOW/CREATE USER/ROLE output tables across 6 files to use new array format for options column and add estimated_last_login_time column.

• v25.3/create-role, v25.3/create-user, v25.3/show-roles, v25.3/show-users, v25.3/set-vars, v25.3/alter-default-privileges

TODOs

• Backport v25.2 changes to v24.3 and v25.1. All three of these versions, which support LDAP functionality, did not receive the new 25.3 enhancements.
• Enhancements suggested by Eng reviewer, which may be non-blocking if we need to merge, then iterate:
  • Consider adding estimated_last_login_time auditing guidance to security documentation (either
    Security Overview or [Authorization Best Practices](https://www.
    cockroachlabs.com/docs/v22.2/security-reference/authorization#authorization-best-practices),
    and later expanding provisioning coverage further for future JWT support in v25.4
  • Add query examples using estimated_last_login_time filtering for identifying dormant users in
    the cleanup/auditing section, since this column was primarily added to support deletion
    queries for inactive accounts

[netlify]

✅ Deploy Preview for cockroachdb-api-docs canceled.

Name	Link
🔨 Latest commit	cdfdd74
🔍 Latest deploy log	https://app.netlify.com/projects/cockroachdb-api-docs/deploys/68906be3471f270008cc2da3

[netlify]

✅ Deploy Preview for cockroachdb-interactivetutorials-docs canceled.

Name	Link
🔨 Latest commit	cdfdd74
🔍 Latest deploy log	https://app.netlify.com/projects/cockroachdb-interactivetutorials-docs/deploys/68906be39523b50008080e25

[github-actions]

Files changed:

• src/current/_includes/releases/v25.3/v25.3.0-rc.1.md:
  • releases/v25.3.md
• src/current/v24.3/ldap-authentication.md
• src/current/v24.3/ldap-authorization.md
• src/current/v25.1/ldap-authentication.md
• src/current/v25.1/ldap-authorization.md
• src/current/v25.2/ldap-authentication.md
• src/current/v25.2/ldap-authorization.md
• src/current/v25.3/alter-default-privileges.md
• src/current/v25.3/create-role.md
• src/current/v25.3/create-user.md
• src/current/v25.3/ldap-authentication.md
• src/current/v25.3/ldap-authorization.md
• src/current/v25.3/set-vars.md
• src/current/v25.3/show-roles.md
• src/current/v25.3/show-users.md

[netlify]

❌ Deploy Preview for cockroachdb-docs failed. Why did it fail? →

Name	Link
🔨 Latest commit	cdfdd74
🔍 Latest deploy log	https://app.netlify.com/projects/cockroachdb-docs/deploys/68906be3f351c00008492850

[souravcrl]

The estimated_last_login_time is tracked for all users now, so not sure if we should additionally mention that the new audit is available in security overview here: https://www.cockroachlabs.com/docs/stable/security-reference/security-overview or as an aside for authorization best practices: https://www.cockroachlabs.com/docs/v22.2/security-reference/authorization#authorization-best-practices. The security overview can also include provisioning I feel because we plan to support JWT based provisioning also from 25.4 onwards. cc: @biplav-crl @pritesh-lahoti

[mikeCRL]

Moving this to an issue for follow-up: DOC-14528.

[souravcrl]

Should we also include a filtering via the estimated_last_login_time option. The column was primarily added to be able to support deletion queries for dormant users and would be helpful to add to the auditing/deletion the statement clause

[mikeCRL]

Modified one of the ## Managing auto-provisioned users sections to become ### Last-login tracking for usage and dormancy (in upcoming commit)

[souravcrl]

Approving this as some of the requested items may not make sense given the feature is under preview for 25.3.

[taroface]

Overall LGTM with some suggestions/comments. However, v25.2 has broken formatting on the LDAP Authentication page, so please fix before merging!

[taroface]

Elsewhere LDAP Authorization is capitalized. We should be consistent.

[taroface]

A few comments I had on v25.2 should also apply here.

[taroface]

This page is broken on preview. Not sure why but often has to do with a misformatted tag: