LDAP automatic user provisioning #20033

Status: Open. Wants to merge 13 commits into base: main.

Conversation

@mikeCRL mikeCRL (Contributor) commented Jul 31, 2025

DOC-11247

Documents the new LDAP automatic user provisioning feature in CockroachDB v25.3 and updates command reference pages to reflect changes to SHOW USERS/ROLES output format.

Key features documented

  • server.provisioning.ldap.enabled cluster setting
  • PROVISIONSRC role option format: ldap:<server>
  • Restrictions on auto-provisioned users (no password changes, immutable PROVISIONSRC role option)
  • CREATE/SHOW USER/ROLE output: new estimated_last_login_time tracking column; options output now as an array: `NOLOGIN, FOO` becomes `{NOLOGIN,FOO}`
  • User cleanup workflows for AD-removed accounts with PowerShell example

Preview

Changes made

LDAP Documentation

  • Added preview callout that was needed across all pages

v25.3/ldap-authentication.md:

  • Added automatic user provisioning option with server.provisioning.ldap.enabled setting
  • Added recommendation to enable LDAP Authorization before auto-provisioning
  • Added "Managing auto-provisioned users" section with specific queries to filter by PROVISIONSRC
  • Added 3-step cleanup process for users removed from Active Directory
  • Added username validation requirements to prerequisites

v25.3/ldap-authorization.md:

  • Added advice to create CRDB roles before enabling auto-provisioning

v25.2 LDAP pages:

  • Added callout pointing to v25.3 for auto-provisioning capabilities
  • Fixed cross-version references

Release notes

Command Reference Updates

Updated 21 example SHOW/CREATE USER/ROLE output tables across 6 files to use new array format for options column and add estimated_last_login_time column.

TODOs

  • Backport v25.2 changes to v24.3 and v25.1. All three of these versions, which support LDAP functionality, did not receive the new 25.3 enhancements.
  • Enhancements suggested by Eng reviewer, which may be non-blocking if we need to merge, then iterate:
    • Consider adding estimated_last_login_time auditing guidance to security documentation (either Security Overview or [Authorization Best Practices](https://www.cockroachlabs.com/docs/v22.2/security-reference/authorization#authorization-best-practices)), and later expanding provisioning coverage further for future JWT support in v25.4
    • Add query examples using estimated_last_login_time filtering for identifying dormant users in the cleanup/auditing section, since this column was primarily added to support deletion queries for inactive accounts

netlify bot commented Jul 31, 2025

Deploy Preview for cockroachdb-api-docs canceled.

Latest commit: cdfdd74
Latest deploy log: https://app.netlify.com/projects/cockroachdb-api-docs/deploys/68906be3471f270008cc2da3

netlify bot commented Jul 31, 2025

Deploy Preview for cockroachdb-interactivetutorials-docs canceled.

Latest commit: cdfdd74
Latest deploy log: https://app.netlify.com/projects/cockroachdb-interactivetutorials-docs/deploys/68906be39523b50008080e25

netlify bot commented Jul 31, 2025

Deploy Preview for cockroachdb-docs failed.

Latest commit: cdfdd74
Latest deploy log: https://app.netlify.com/projects/cockroachdb-docs/deploys/68906be3f351c00008492850

@mikeCRL mikeCRL requested a review from souravcrl July 31, 2025 06:00

- Users are created automatically upon successful LDAP authentication.
- All auto-provisioned users receive a `PROVISIONSRC` role option set to `ldap:<ldap_server>`.
- The `estimated_last_login_time` is tracked for auditing purposes.

The estimated_last_login_time is tracked for all users now, so I'm not sure if we should additionally mention that the new audit is available in the security overview here: https://www.cockroachlabs.com/docs/stable/security-reference/security-overview or as an aside for authorization best practices: https://www.cockroachlabs.com/docs/v22.2/security-reference/authorization#authorization-best-practices. The security overview can also include provisioning, I feel, because we plan to support JWT-based provisioning also from 25.4 onwards. cc: @biplav-crl @pritesh-lahoti

@mikeCRL mikeCRL (Contributor Author) commented

Moving this to an issue for follow-up: DOC-14528.

```sql
-- Lists users that do NOT carry an LDAP PROVISIONSRC option
SELECT * FROM [SHOW USERS] AS u
WHERE NOT EXISTS (
  SELECT 1 FROM unnest(u.options) AS opt
  WHERE opt LIKE 'PROVISIONSRC=ldap:%'
);
```

Should we also include filtering via the `estimated_last_login_time` option? The column was primarily added to be able to support deletion queries for dormant users, and it would be helpful to add it to the auditing/deletion statement clause.

@mikeCRL mikeCRL (Contributor Author) commented Aug 4, 2025

Modified one of the `## Managing auto-provisioned users` sections to become `### Last-login tracking for usage and dormancy` (in upcoming commit).
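An added example, not from the PR or the CockroachDB docs, of the dormancy query the reviewer asks for: it combines the `PROVISIONSRC=ldap:` filter from the snippet above with `estimated_last_login_time` to surface auto-provisioned users for review. It assumes `SHOW USERS` exposes `username`, `options` (string array) and `estimated_last_login_time` (timestamp), and that a 90-day threshold is the site's policy; both the threshold and the `NULL` handling are assumptions.

```sql
-- Added example (not from the PR): auto-provisioned LDAP users whose
-- estimated last login is older than 90 days, or who have never logged in
-- since the column began tracking (NULL). Threshold is an assumption.
SELECT
  u.username,
  u.estimated_last_login_time,
  -- show which LDAP server provisioned the account for cross-checking
  (SELECT opt FROM unnest(u.options) AS opt
   WHERE opt LIKE 'PROVISIONSRC=ldap:%' LIMIT 1) AS provision_src
FROM [SHOW USERS] AS u
WHERE EXISTS (
  SELECT 1 FROM unnest(u.options) AS opt
  WHERE opt LIKE 'PROVISIONSRC=ldap:%'
)
AND (
  u.estimated_last_login_time IS NULL
  OR u.estimated_last_login_time < now() - INTERVAL '90 days'
)
ORDER BY u.estimated_last_login_time NULLS FIRST;
-- The column is an estimate, so treat this as a review list: confirm the
-- account is also gone from the directory before any DROP USER.
```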

@mikeCRL mikeCRL requested a review from taroface August 1, 2025 15:22
@souravcrl souravcrl left a comment

Approving this as some of the requested items may not make sense given the feature is under preview for 25.3.

@taroface taroface (Contributor) left a comment

Overall LGTM with some suggestions/comments. However, v25.2 has broken formatting on the LDAP Authentication page, so please fix before merging!


When enabled:
If LDAP authorization is enabled:

Elsewhere LDAP Authorization is capitalized. We should be consistent.

@@ -4,15 +4,19 @@ summary: Learn how to configure CockroachDB for user authentication using LDAP-c
toc: true

A few comments I had on v25.2 should also apply here.

@@ -4,9 +4,13 @@ summary: Learn how to configure CockroachDB for user authentication using LDAP-c
toc: true

This page is broken on preview. Not sure why, but it often has to do with a misformatted tag.
