diff --git a/src/current/_includes/releases/v25.3/v25.3.0-rc.1.md b/src/current/_includes/releases/v25.3/v25.3.0-rc.1.md
index a43e59d4082..07a26fe51d2 100644
--- a/src/current/_includes/releases/v25.3/v25.3.0-rc.1.md
+++ b/src/current/_includes/releases/v25.3/v25.3.0-rc.1.md
@@ -12,6 +12,10 @@ Release Date: July 23, 2025
  [#150366][#150366]
 - The session setting `optimizer_min_row_count`, which sets a lower bound on row count estimates for relational expressions during query planning, is now set to `1` by default.
  [#150376][#150376]
+- The `options` column in the output of `SHOW ROLES` and `SHOW USERS` is now returned as an array of strings (e.g., `{NOLOGIN,CREATEDB}`) rather than as a single comma-separated string. This enables more efficient querying of role options using array functions like `unnest()`. For example: `SELECT * FROM [SHOW ROLES] AS r WHERE EXISTS (SELECT 1 FROM unnest(r.options) AS m(option) WHERE option LIKE 'SUBJECT=cn%');`
+ [#149537][#149537]
+- The `SHOW ROLES` and `SHOW USERS` commands now include an `estimated_last_login_time` column that displays the estimated timestamp of when each user last authenticated to the database. This column shows `NULL` for users who have never logged in, and for existing users after upgrading to v25.3 until their next login. The tracking is performed on a best-effort basis and may not capture every login event.
+ [#149537][#149537]
 
 <h3 id="v25-3-0-rc-1-operational-changes">Operational changes</h3>
 
@@ -50,3 +54,4 @@ Release Date: July 23, 2025
 [#149920]: https://github.com/cockroachdb/cockroach/pull/149920
 [#150296]: https://github.com/cockroachdb/cockroach/pull/150296
 [#150016]: https://github.com/cockroachdb/cockroach/pull/150016
+[#149537]: https://github.com/cockroachdb/cockroach/pull/149537
diff --git a/src/current/v24.3/ldap-authentication.md b/src/current/v24.3/ldap-authentication.md
index 019a23fbfb1..8e5dee6c95e 100644
--- a/src/current/v24.3/ldap-authentication.md
+++ b/src/current/v24.3/ldap-authentication.md
@@ -4,9 +4,13 @@ summary: Learn how to configure CockroachDB for user authentication using LDAP-c
 toc: true
 ---
 
-CockroachDB supports authentication and authorization using LDAP-compatible directory services, such as Active Directory and Microsoft Entra ID. This allows you to integrate your cluster with your organization's existing identity infrastructure for centralized user management and access control.
+{{site.data.alerts.callout_info}}
+{% include feature-phases/preview.md %}
+{{site.data.alerts.end}}
+
+CockroachDB supports authentication and authorization using systems compatible with the Lightweight Directory Access Protocol (LDAP), such as Active Directory and Microsoft Entra ID. This allows you to integrate your cluster with your organization's existing identity infrastructure for centralized user management and access control.
 
-This page describes how to configure CockroachDB user authentication using LDAP. You can additionally configure CockroachDB to use the same directory service for user [authorization]({% link v24.3/ldap-authorization.md %}) (role-based access control), which assigns CockroachDB roles to users based on their group memberships in the directory.
+This page describes how to configure CockroachDB user authentication using LDAP. You can additionally configure CockroachDB to use the same directory service for user [authorization]({% link {{ page.version.version }}/ldap-authorization.md %}) (role-based access control), which assigns CockroachDB roles to users based on their group memberships in the directory.
 
 ## Overview
 
@@ -21,12 +25,16 @@ While LDAP configuration is cluster-specific, each request to authenticate a use
   - If a matching record was found, the cluster attempts to verify the user's identity through another LDAP request, this time using the credentials (username and password) provided by that user.
   - If this LDAP bind operation succeeds, the user is authenticated to the CockroachDB cluster.
 1. Authorize the user (optional)
-  - If [LDAP authorization]({% link v24.3/ldap-authorization.md %}) is also enabled, an additional request is sent to retrieve the groups to which the user is assigned, using configurable criteria.
+  - If [LDAP authorization]({% link {{ page.version.version }}/ldap-authorization.md %}) is also enabled, the cluster sends an additional request to retrieve the groups to which the user is assigned, using configurable criteria.
   - If group memberships are found, any existing CockroachDB roles that match these group names are assigned to the user.
 
 These requests use a node's existing connection to the LDAP server, if one is open. Otherwise, the node establishes a new connection. The connection remains open for handling additional LDAP requests until it is closed by the LDAP server, based on its timeout setting.
 
-Because CockroachDB maintains no more than one LDAP connection per node, for a cluster with `n` nodes, you can expect up to `n` concurrent LDAP connections. 
+Because CockroachDB maintains no more than one LDAP connection per node, for a cluster with `n` nodes, you can expect up to `n` concurrent LDAP connections.
+
+{{site.data.alerts.callout_info}}
+LDAP authentication cannot be used for the `root` user or other [reserved identities]({% link {{ page.version.version }}/security-reference/authorization.md %}#reserved-identities). You must manage credentials for `root` separately using password authentication to ensure continuous administrative access regardless of LDAP availability.
+{{site.data.alerts.end}}
 
 ## Configuration
 
@@ -96,17 +104,15 @@ SET CLUSTER SETTING server.ldap_authentication.client.tls_key = '<PEM_ENCODED_KE
 
 ### Step 4: Sync database users
 
+Before LDAP authentication can be enabled for a user, you must create the username directly in CockroachDB. You will need to establish an automated method for keeping users in sync with the directory server, creating and dropping them as needed.
+
 {{site.data.alerts.callout_info}}
-LDAP authentication cannot be used for the `root` user or other [reserved identities]({% link {{ page.version.version }}/security-reference/authorization.md %}#reserved-identities). Credentials for `root` must be managed separately using password authentication to ensure continuous administrative access regardless of LDAP availability.
+As of v25.3, CockroachDB can automatically provision users during their first successful LDAP authentication. Refer to the [latest version]({% link {{ site.versions.stable }}/ldap-authentication.md %}) of this page.
 {{site.data.alerts.end}}
 
-Before LDAP authentication can be used for a user, the username must be created directly in CockroachDB. You will need to establish an automated method for keeping users in sync with the directory server, creating and dropping them as needed.
-
 For Active Directory deployments, the CockroachDB username can typically be set to match the `sAMAccountName` field from the `user` object. This field name would need to be specified in the HBA configuration using `ldapsearchattribute=sAMAccountName`.
 
-{{site.data.alerts.callout_info}}
 SQL usernames must comply with CockroachDB's [username requirements]({% link {{ page.version.version }}/create-user.md %}#user-names). Ensure that the values in the field you are using for `ldapsearchattribute` meet these requirements.
-{{site.data.alerts.end}}
 
 To create a single user:
 
@@ -196,4 +202,4 @@ Potential issues to investigate may pertain to:
 2. Use LDAPS (LDAP over TLS) in production environments.
 3. Use a restricted service account for directory searches.
 4. Regularly audit LDAP group memberships.
-5. Monitor authentication logs for unusual patterns.
+5. Monitor authentication logs for unusual patterns.
\ No newline at end of file
diff --git a/src/current/v24.3/ldap-authorization.md b/src/current/v24.3/ldap-authorization.md
index b4efbb4cf9b..d269847fa5d 100644
--- a/src/current/v24.3/ldap-authorization.md
+++ b/src/current/v24.3/ldap-authorization.md
@@ -4,7 +4,11 @@ summary: Learn how to configure role-based access control (authorization) using
 toc: true
 ---
 
-You can configure your cluster to assign [roles]({% link {{ page.version.version }}/ldap-authentication.md %}) based on a user's group membership in an LDAP service, such as Active Directory or Microsoft Entra ID.
+{{site.data.alerts.callout_info}}
+{% include feature-phases/preview.md %}
+{{site.data.alerts.end}}
+
+If you manage users through a service compatible with the Lightweight Directory Access Protocol (LDAP), such as Active Directory or Microsoft Entra ID, you can configure CockroachDB to automatically assign [roles]({% link {{ page.version.version }}/security-reference/authorization.md %}) to users based on LDAP group memberships, simplifying access control.
 
 When enabled:
 
@@ -14,7 +18,7 @@ When enabled:
 
 ## Prerequisites
 
-- Enable [LDAP Authentication]({% link {{ page.version.version }}/ldap-authentication.md %}).
+- Enable [LDAP authentication]({% link {{ page.version.version }}/ldap-authentication.md %}).
 
 ## Configuration
 
@@ -22,7 +26,7 @@ Before you begin, it may be useful to enable authentication logging, which can h
 
 ### Step 1: Enable LDAP Authorization
 
-Add the `ldapgrouplistfilter` parameter to the HBA configuration that you enabled for [LDAP Authentication]({% link {{ page.version.version }}/ldap-authentication.md %}). The configuration will include two important LDAP filters:
+Add the `ldapgrouplistfilter` parameter to the HBA configuration that you enabled for [LDAP authentication]({% link {{ page.version.version }}/ldap-authentication.md %}). The configuration will include two important LDAP filters:
 
 1. `ldapsearchfilter`: Determines which users can authenticate
 2. `ldapgrouplistfilter`: Defines which groups should be considered for authorization
@@ -131,7 +135,7 @@ Potential issues to investigate may pertain to:
 ## Security Considerations
 
 1. Always keep a backup authentication method (like password) for administrative users.
-2. Use LDAPS (LDAP over TLS) in production environments.
-3. Use a restricted service account for directory searches.
-4. Regularly audit LDAP group memberships.
-5. Monitor authentication logs for unusual patterns.
+1. Use LDAPS (LDAP over TLS) in production environments.
+1. Use a restricted service account for directory searches.
+1. Regularly audit LDAP group memberships.
+1. Monitor authentication logs for unusual patterns.
\ No newline at end of file
diff --git a/src/current/v25.1/ldap-authentication.md b/src/current/v25.1/ldap-authentication.md
index 019a23fbfb1..8e5dee6c95e 100644
--- a/src/current/v25.1/ldap-authentication.md
+++ b/src/current/v25.1/ldap-authentication.md
@@ -4,9 +4,13 @@ summary: Learn how to configure CockroachDB for user authentication using LDAP-c
 toc: true
 ---
 
-CockroachDB supports authentication and authorization using LDAP-compatible directory services, such as Active Directory and Microsoft Entra ID. This allows you to integrate your cluster with your organization's existing identity infrastructure for centralized user management and access control.
+{{site.data.alerts.callout_info}}
+{% include feature-phases/preview.md %}
+{{site.data.alerts.end}}
+
+CockroachDB supports authentication and authorization using systems compatible with the Lightweight Directory Access Protocol (LDAP), such as Active Directory and Microsoft Entra ID. This allows you to integrate your cluster with your organization's existing identity infrastructure for centralized user management and access control.
 
-This page describes how to configure CockroachDB user authentication using LDAP. You can additionally configure CockroachDB to use the same directory service for user [authorization]({% link v24.3/ldap-authorization.md %}) (role-based access control), which assigns CockroachDB roles to users based on their group memberships in the directory.
+This page describes how to configure CockroachDB user authentication using LDAP. You can additionally configure CockroachDB to use the same directory service for user [authorization]({% link {{ page.version.version }}/ldap-authorization.md %}) (role-based access control), which assigns CockroachDB roles to users based on their group memberships in the directory.
 
 ## Overview
 
@@ -21,12 +25,16 @@ While LDAP configuration is cluster-specific, each request to authenticate a use
   - If a matching record was found, the cluster attempts to verify the user's identity through another LDAP request, this time using the credentials (username and password) provided by that user.
   - If this LDAP bind operation succeeds, the user is authenticated to the CockroachDB cluster.
 1. Authorize the user (optional)
-  - If [LDAP authorization]({% link v24.3/ldap-authorization.md %}) is also enabled, an additional request is sent to retrieve the groups to which the user is assigned, using configurable criteria.
+  - If [LDAP authorization]({% link {{ page.version.version }}/ldap-authorization.md %}) is also enabled, the cluster sends an additional request to retrieve the groups to which the user is assigned, using configurable criteria.
   - If group memberships are found, any existing CockroachDB roles that match these group names are assigned to the user.
 
 These requests use a node's existing connection to the LDAP server, if one is open. Otherwise, the node establishes a new connection. The connection remains open for handling additional LDAP requests until it is closed by the LDAP server, based on its timeout setting.
 
-Because CockroachDB maintains no more than one LDAP connection per node, for a cluster with `n` nodes, you can expect up to `n` concurrent LDAP connections. 
+Because CockroachDB maintains no more than one LDAP connection per node, for a cluster with `n` nodes, you can expect up to `n` concurrent LDAP connections.
+
+{{site.data.alerts.callout_info}}
+LDAP authentication cannot be used for the `root` user or other [reserved identities]({% link {{ page.version.version }}/security-reference/authorization.md %}#reserved-identities). You must manage credentials for `root` separately using password authentication to ensure continuous administrative access regardless of LDAP availability.
+{{site.data.alerts.end}}
 
 ## Configuration
 
@@ -96,17 +104,15 @@ SET CLUSTER SETTING server.ldap_authentication.client.tls_key = '<PEM_ENCODED_KE
 
 ### Step 4: Sync database users
 
+Before LDAP authentication can be enabled for a user, you must create the username directly in CockroachDB. You will need to establish an automated method for keeping users in sync with the directory server, creating and dropping them as needed.
+
 {{site.data.alerts.callout_info}}
-LDAP authentication cannot be used for the `root` user or other [reserved identities]({% link {{ page.version.version }}/security-reference/authorization.md %}#reserved-identities). Credentials for `root` must be managed separately using password authentication to ensure continuous administrative access regardless of LDAP availability.
+As of v25.3, CockroachDB can automatically provision users during their first successful LDAP authentication. Refer to the [latest version]({% link {{ site.versions.stable }}/ldap-authentication.md %}) of this page.
 {{site.data.alerts.end}}
 
-Before LDAP authentication can be used for a user, the username must be created directly in CockroachDB. You will need to establish an automated method for keeping users in sync with the directory server, creating and dropping them as needed.
-
 For Active Directory deployments, the CockroachDB username can typically be set to match the `sAMAccountName` field from the `user` object. This field name would need to be specified in the HBA configuration using `ldapsearchattribute=sAMAccountName`.
 
-{{site.data.alerts.callout_info}}
 SQL usernames must comply with CockroachDB's [username requirements]({% link {{ page.version.version }}/create-user.md %}#user-names). Ensure that the values in the field you are using for `ldapsearchattribute` meet these requirements.
-{{site.data.alerts.end}}
 
 To create a single user:
 
@@ -196,4 +202,4 @@ Potential issues to investigate may pertain to:
 2. Use LDAPS (LDAP over TLS) in production environments.
 3. Use a restricted service account for directory searches.
 4. Regularly audit LDAP group memberships.
-5. Monitor authentication logs for unusual patterns.
+5. Monitor authentication logs for unusual patterns.
\ No newline at end of file
diff --git a/src/current/v25.1/ldap-authorization.md b/src/current/v25.1/ldap-authorization.md
index b4efbb4cf9b..c8003af18c1 100644
--- a/src/current/v25.1/ldap-authorization.md
+++ b/src/current/v25.1/ldap-authorization.md
@@ -4,7 +4,11 @@ summary: Learn how to configure role-based access control (authorization) using
 toc: true
 ---
 
-You can configure your cluster to assign [roles]({% link {{ page.version.version }}/ldap-authentication.md %}) based on a user's group membership in an LDAP service, such as Active Directory or Microsoft Entra ID.
+{{site.data.alerts.callout_info}}
+{% include feature-phases/preview.md %}
+{{site.data.alerts.end}}
+
+If you manage users through a service compatible with the Lightweight Directory Access Protocol (LDAP), such as Active Directory or Microsoft Entra ID, you can configure CockroachDB to automatically assign [roles]({% link {{ page.version.version }}/security-reference/authorization.md %}) to users based on LDAP group memberships, simplifying access control. 
 
 When enabled:
 
@@ -14,7 +18,7 @@ When enabled:
 
 ## Prerequisites
 
-- Enable [LDAP Authentication]({% link {{ page.version.version }}/ldap-authentication.md %}).
+- Enable [LDAP authentication]({% link {{ page.version.version }}/ldap-authentication.md %}).
 
 ## Configuration
 
@@ -22,7 +26,7 @@ Before you begin, it may be useful to enable authentication logging, which can h
 
 ### Step 1: Enable LDAP Authorization
 
-Add the `ldapgrouplistfilter` parameter to the HBA configuration that you enabled for [LDAP Authentication]({% link {{ page.version.version }}/ldap-authentication.md %}). The configuration will include two important LDAP filters:
+Add the `ldapgrouplistfilter` parameter to the HBA configuration that you enabled for [LDAP authentication]({% link {{ page.version.version }}/ldap-authentication.md %}). The configuration will include two important LDAP filters:
 
 1. `ldapsearchfilter`: Determines which users can authenticate
 2. `ldapgrouplistfilter`: Defines which groups should be considered for authorization
@@ -131,7 +135,7 @@ Potential issues to investigate may pertain to:
 ## Security Considerations
 
 1. Always keep a backup authentication method (like password) for administrative users.
-2. Use LDAPS (LDAP over TLS) in production environments.
-3. Use a restricted service account for directory searches.
-4. Regularly audit LDAP group memberships.
-5. Monitor authentication logs for unusual patterns.
+1. Use LDAPS (LDAP over TLS) in production environments.
+1. Use a restricted service account for directory searches.
+1. Regularly audit LDAP group memberships.
+1. Monitor authentication logs for unusual patterns.
\ No newline at end of file
diff --git a/src/current/v25.2/ldap-authentication.md b/src/current/v25.2/ldap-authentication.md
index 019a23fbfb1..90807cb6437 100644
--- a/src/current/v25.2/ldap-authentication.md
+++ b/src/current/v25.2/ldap-authentication.md
@@ -4,9 +4,13 @@ summary: Learn how to configure CockroachDB for user authentication using LDAP-c
 toc: true
 ---
 
-CockroachDB supports authentication and authorization using LDAP-compatible directory services, such as Active Directory and Microsoft Entra ID. This allows you to integrate your cluster with your organization's existing identity infrastructure for centralized user management and access control.
+{{site.data.alerts.callout_info}}
+{% include feature-phases/preview.md %}
+{{site.data.alerts.end}}
+
+CockroachDB supports authentication and authorization using systems compatible with the Lightweight Directory Access Protocol (LDAP), such as Active Directory and Microsoft Entra ID. This allows you to integrate your cluster with your organization's existing identity infrastructure for centralized user management and access control.
 
-This page describes how to configure CockroachDB user authentication using LDAP. You can additionally configure CockroachDB to use the same directory service for user [authorization]({% link v24.3/ldap-authorization.md %}) (role-based access control), which assigns CockroachDB roles to users based on their group memberships in the directory.
+This page describes how to configure CockroachDB user authentication using LDAP. You can additionally configure CockroachDB to use the same directory service for user [authorization]({% link {{ page.version.version }}/ldap-authorization.md %}) (role-based access control), which assigns CockroachDB roles to users based on their group memberships in the directory.
 
 ## Overview
 
@@ -21,12 +25,16 @@ While LDAP configuration is cluster-specific, each request to authenticate a use
   - If a matching record was found, the cluster attempts to verify the user's identity through another LDAP request, this time using the credentials (username and password) provided by that user.
   - If this LDAP bind operation succeeds, the user is authenticated to the CockroachDB cluster.
 1. Authorize the user (optional)
-  - If [LDAP authorization]({% link v24.3/ldap-authorization.md %}) is also enabled, an additional request is sent to retrieve the groups to which the user is assigned, using configurable criteria.
+  - If [LDAP authorization]({% link {{ page.version.version }}/ldap-authorization.md %}) is also enabled, the cluster sends an additional request to retrieve the groups to which the user is assigned, using configurable criteria.
   - If group memberships are found, any existing CockroachDB roles that match these group names are assigned to the user.
 
 These requests use a node's existing connection to the LDAP server, if one is open. Otherwise, the node establishes a new connection. The connection remains open for handling additional LDAP requests until it is closed by the LDAP server, based on its timeout setting.
 
-Because CockroachDB maintains no more than one LDAP connection per node, for a cluster with `n` nodes, you can expect up to `n` concurrent LDAP connections. 
+Because CockroachDB maintains no more than one LDAP connection per node, for a cluster with `n` nodes, you can expect up to `n` concurrent LDAP connections.
+
+{{site.data.alerts.callout_info}}
+LDAP authentication cannot be used for the `root` user or other [reserved identities]({% link {{ page.version.version }}/security-reference/authorization.md %}#reserved-identities). You must manage credentials for `root` separately using password authentication to ensure continuous administrative access regardless of LDAP availability.
+{{site.data.alerts.end}}
 
 ## Configuration
 
@@ -73,7 +81,7 @@ host    all    all    all    ldap    ldapserver=ldap.example.com
     "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)"';
 ~~~
 
-If you also intend to configure LDAP Authorization, you will need to include an additional LDAP parameter, `ldapgrouplistfilter`. For details, refer to [LDAP Authorization]({% link {{ page.version.version }}/ldap-authorization.md %}#configuration).
+If you also intend to configure LDAP Authorization, you will need to include an additional LDAP parameter, `ldapgrouplistfilter`. For details, refer to [LDAP authorization]({% link {{ page.version.version }}/ldap-authorization.md %}#configuration).
 
 ### Step 3: Configure TLS (Optional)
 
@@ -96,17 +104,15 @@ SET CLUSTER SETTING server.ldap_authentication.client.tls_key = '<PEM_ENCODED_KE
 
 ### Step 4: Sync database users
 
+Before LDAP authentication can be enabled for a user, you must create the username directly in CockroachDB. You will need to establish an automated method for keeping users in sync with the directory server, creating and dropping them as needed.
+
 {{site.data.alerts.callout_info}}
-LDAP authentication cannot be used for the `root` user or other [reserved identities]({% link {{ page.version.version }}/security-reference/authorization.md %}#reserved-identities). Credentials for `root` must be managed separately using password authentication to ensure continuous administrative access regardless of LDAP availability.
+As of v25.3, CockroachDB can automatically provision users during their first successful LDAP authentication. Refer to the [latest version]({% link {{ site.versions.stable }}/ldap-authentication.md %}) of this page.
 {{site.data.alerts.end}}
 
-Before LDAP authentication can be used for a user, the username must be created directly in CockroachDB. You will need to establish an automated method for keeping users in sync with the directory server, creating and dropping them as needed.
-
 For Active Directory deployments, the CockroachDB username can typically be set to match the `sAMAccountName` field from the `user` object. This field name would need to be specified in the HBA configuration using `ldapsearchattribute=sAMAccountName`.
 
-{{site.data.alerts.callout_info}}
 SQL usernames must comply with CockroachDB's [username requirements]({% link {{ page.version.version }}/create-user.md %}#user-names). Ensure that the values in the field you are using for `ldapsearchattribute` meet these requirements.
-{{site.data.alerts.end}}
 
 To create a single user:
 
diff --git a/src/current/v25.2/ldap-authorization.md b/src/current/v25.2/ldap-authorization.md
index b4efbb4cf9b..48915785fe9 100644
--- a/src/current/v25.2/ldap-authorization.md
+++ b/src/current/v25.2/ldap-authorization.md
@@ -4,7 +4,11 @@ summary: Learn how to configure role-based access control (authorization) using
 toc: true
 ---
 
-You can configure your cluster to assign [roles]({% link {{ page.version.version }}/ldap-authentication.md %}) based on a user's group membership in an LDAP service, such as Active Directory or Microsoft Entra ID.
+{{site.data.alerts.callout_info}}
+{% include feature-phases/preview.md %}
+{{site.data.alerts.end}}
+
+If you manage users through a service compatible with the Lightweight Directory Access Protocol (LDAP), such as Active Directory or Microsoft Entra ID, you can configure CockroachDB to automatically assign [roles]({% link {{ page.version.version }}/security-reference/authorization.md %}) to users based on LDAP group memberships, simplifying access control. 
 
 When enabled:
 
@@ -14,7 +18,7 @@ When enabled:
 
 ## Prerequisites
 
-- Enable [LDAP Authentication]({% link {{ page.version.version }}/ldap-authentication.md %}).
+- Enable [LDAP authentication]({% link {{ page.version.version }}/ldap-authentication.md %}).
 
 ## Configuration
 
@@ -22,7 +26,7 @@ Before you begin, it may be useful to enable authentication logging, which can h
 
 ### Step 1: Enable LDAP Authorization
 
-Add the `ldapgrouplistfilter` parameter to the HBA configuration that you enabled for [LDAP Authentication]({% link {{ page.version.version }}/ldap-authentication.md %}). The configuration will include two important LDAP filters:
+Add the `ldapgrouplistfilter` parameter to the HBA configuration that you enabled for [LDAP authentication]({% link {{ page.version.version }}/ldap-authentication.md %}). The configuration will include two important LDAP filters:
 
 1. `ldapsearchfilter`: Determines which users can authenticate
 2. `ldapgrouplistfilter`: Defines which groups should be considered for authorization
@@ -131,7 +135,7 @@ Potential issues to investigate may pertain to:
 ## Security Considerations
 
 1. Always keep a backup authentication method (like password) for administrative users.
-2. Use LDAPS (LDAP over TLS) in production environments.
-3. Use a restricted service account for directory searches.
-4. Regularly audit LDAP group memberships.
-5. Monitor authentication logs for unusual patterns.
+1. Use LDAPS (LDAP over TLS) in production environments.
+1. Use a restricted service account for directory searches.
+1. Regularly audit LDAP group memberships.
+1. Monitor authentication logs for unusual patterns.
diff --git a/src/current/v25.3/alter-default-privileges.md b/src/current/v25.3/alter-default-privileges.md
index 27d1f426a5a..ebc97149c9b 100644
--- a/src/current/v25.3/alter-default-privileges.md
+++ b/src/current/v25.3/alter-default-privileges.md
@@ -290,11 +290,11 @@ Because `max` has no default privileges, the user can now be dropped:
 ~~~
 
 ~~~
-    username    | options | member_of
-----------------+---------+------------
-  admin         |         | {}
-  cockroachlabs |         | {}
-  root          |         | {admin}
+    username    | options | member_of | estimated_last_login_time
+----------------+---------+-----------+------------------------------
+  admin         | {}      | {}        | NULL
+  cockroachlabs | {}      | {}        | NULL
+  root          | {}      | {admin}   | NULL
 (3 rows)
 ~~~
 
diff --git a/src/current/v25.3/create-role.md b/src/current/v25.3/create-role.md
index b1acfd3e46a..f380f8e7d4b 100644
--- a/src/current/v25.3/create-role.md
+++ b/src/current/v25.3/create-role.md
@@ -68,10 +68,10 @@ $ cockroach sql --certs-dir=certs
 ~~~
 
 ~~~
-username | options | member_of
----------+---------+------------
-admin    |         | {}
-root     |         | {admin}
+username | options | member_of | estimated_last_login_time
+---------+---------+-----------+------------------------------
+admin    | {}      | {}        | NULL
+root     | {}      | {admin}   | NULL
 (2 rows)
 ~~~
 
@@ -92,11 +92,11 @@ SHOW ROLES;
 ~~~
 
 ~~~
- username  | options | member_of
- ----------+---------+------------
-admin      |         | {}
-no_options | NOLOGIN | {}
-root       |         | {admin}
+username   | options   | member_of | estimated_last_login_time
+-----------+-----------+-----------+------------------------------
+admin      | {}        | {}        | NULL
+no_options | {NOLOGIN} | {}        | NULL
+root       | {}        | {admin}   | NULL
 (3 rows)
 ~~~
 
@@ -113,12 +113,12 @@ SHOW ROLES;
 ~~~
 
 ~~~
- username  |                options                | member_of
------------+---------------------------------------+------------
-admin      |                                       | {}
-can_login  | VALID UNTIL=2021-10-10 00:00:00+00:00 | {}
-no_options | NOLOGIN                               | {}
-root       |                                       | {admin}
+ username  |                     options                     | member_of | estimated_last_login_time
+-----------+-------------------------------------------------+-----------+------------------------------
+admin      | {}                                              | {}        | NULL
+can_login  | {VALID UNTIL=2025-10-10 00:00:00+00:00}         | {}        | NULL
+no_options | {NOLOGIN}                                       | {}        | NULL
+root       | {}                                              | {admin}   | NULL
 (4 rows)
 ~~~
 
@@ -136,13 +136,13 @@ SHOW ROLES;
 ~~~
 
 ~~~
- username  |                options                | member_of
------------+---------------------------------------+------------
-admin      |                                       | {}
-can_login  | VALID UNTIL=2021-10-10 00:00:00+00:00 | {}
-no_options | NOLOGIN                               | {}
-no_password| NOLOGIN                               | {}
-root       |                                       | {admin}
+ username  |                     options                     | member_of | estimated_last_login_time
+-----------+-------------------------------------------------+-----------+------------------------------
+admin      | {}                                              | {}        | NULL
+can_login  | {VALID UNTIL=2025-10-10 00:00:00+00:00}         | {}        | NULL
+no_options | {NOLOGIN}                                       | {}        | NULL
+no_password| {NOLOGIN}                                       | {}        | NULL
+root       | {}                                              | {admin}   | NULL
 (5 rows)
 ~~~
 
@@ -159,14 +159,14 @@ SHOW ROLES;
 ~~~
 
 ~~~
-   username     |                options                | member_of
-----------------+---------------------------------------+------------
-admin           |                                       | {}
-can_create_role | CREATELOGIN, CREATEROLE, NOLOGIN      | {}
-can_login       | VALID UNTIL=2021-10-10 00:00:00+00:00 | {}
-no_options      | NOLOGIN                               | {}
-no_password     | NOLOGIN                               | {}
-root            |                                       | {admin}
+   username     |                     options                     | member_of | estimated_last_login_time
+----------------+-------------------------------------------------+-----------+------------------------------
+admin           | {}                                              | {}        | NULL
+can_create_role | {CREATELOGIN,CREATEROLE,NOLOGIN}                | {}        | NULL
+can_login       | {VALID UNTIL=2025-10-10 00:00:00+00:00}         | {}        | NULL
+no_options      | {NOLOGIN}                                       | {}        | NULL
+no_password     | {NOLOGIN}                                       | {}        | NULL
+root            | {}                                              | {admin}   | NULL
 (6 rows)
 ~~~
 
@@ -183,15 +183,15 @@ SHOW ROLES;
 ~~~
 
 ~~~
-      username        |                options                | member_of
-----------------------+---------------------------------------+------------
-admin                 |                                       | {}
-can_create_db         | CREATEDB, NOLOGIN                     | {}
-can_create_role       | CREATELOGIN, CREATEROLE, NOLOGIN      | {}
-can_login             | VALID UNTIL=2021-10-10 00:00:00+00:00 | {}
-no_options            | NOLOGIN                               | {}
-no_password           | NOLOGIN                               | {}
-root                  |                                       | {admin}
+      username        |                     options                     | member_of | estimated_last_login_time
+----------------------+-------------------------------------------------+-----------+------------------------------
+admin                 | {}                                              | {}        | NULL
+can_create_db         | {CREATEDB,NOLOGIN}                              | {}        | NULL
+can_create_role       | {CREATELOGIN,CREATEROLE,NOLOGIN}                | {}        | NULL
+can_login             | {VALID UNTIL=2025-10-10 00:00:00+00:00}         | {}        | NULL
+no_options            | {NOLOGIN}                                       | {}        | NULL
+no_password           | {NOLOGIN}                                       | {}        | NULL
+root                  | {}                                              | {admin}   | NULL
 (7 rows)
 ~~~
 
@@ -208,17 +208,17 @@ SHOW ROLES;
 ~~~
 
 ~~~
-      username        |                options                | member_of
-----------------------+---------------------------------------+------------
-admin                 |                                       | {}
-can_control_job       | CONTROLJOB, NOLOGIN                   | {}
-can_create_db         | CREATEDB, NOLOGIN                     | {}
-can_create_role       | CREATELOGIN, CREATEROLE, NOLOGIN      | {}
-can_login             | VALID UNTIL=2021-10-10 00:00:00+00:00 | {}
-manage_auth_for_roles | CREATELOGIN, NOLOGIN                  | {}
-no_options            | NOLOGIN                               | {}
-no_password           | NOLOGIN                               | {}
-root                  |                                       | {admin}
+      username        |                     options                     | member_of | estimated_last_login_time
+----------------------+-------------------------------------------------+-----------+------------------------------
+admin                 | {}                                              | {}        | NULL
+can_control_job       | {CONTROLJOB,NOLOGIN}                            | {}        | NULL
+can_create_db         | {CREATEDB,NOLOGIN}                              | {}        | NULL
+can_create_role       | {CREATELOGIN,CREATEROLE,NOLOGIN}                | {}        | NULL
+can_login             | {VALID UNTIL=2025-10-10 00:00:00+00:00}         | {}        | NULL
+manage_auth_for_roles | {CREATELOGIN,NOLOGIN}                           | {}        | NULL
+no_options            | {NOLOGIN}                                       | {}        | NULL
+no_password           | {NOLOGIN}                                       | {}        | NULL
+root                  | {}                                              | {admin}   | NULL
 (8 rows)
 ~~~
 
@@ -235,17 +235,17 @@ SHOW ROLES;
 ~~~
 
 ~~~
-      username        |                options                | member_of
-----------------------+---------------------------------------+------------
-admin                 |                                       | {}
-can_control_job       | CONTROLJOB, NOLOGIN                   | {}
-can_create_db         | CREATEDB, NOLOGIN                     | {}
-can_create_role       | CREATELOGIN, CREATEROLE, NOLOGIN      | {}
-can_login             | VALID UNTIL=2021-10-10 00:00:00+00:00 | {}
-can_manage_queries    | CANCELQUERY, NOLOGIN, VIEWACTIVITY    | {}
-no_options            | NOLOGIN                               | {}
-no_password           | NOLOGIN                               | {}
-root                  |                                       | {admin}
+      username        |                     options                     | member_of | estimated_last_login_time
+----------------------+-------------------------------------------------+-----------+------------------------------
+admin                 | {}                                              | {}        | NULL
+can_control_job       | {CONTROLJOB,NOLOGIN}                            | {}        | NULL
+can_create_db         | {CREATEDB,NOLOGIN}                              | {}        | NULL
+can_create_role       | {CREATELOGIN,CREATEROLE,NOLOGIN}                | {}        | NULL
+can_login             | {VALID UNTIL=2025-10-10 00:00:00+00:00}         | {}        | NULL
+can_manage_queries    | {CANCELQUERY,NOLOGIN,VIEWACTIVITY}              | {}        | NULL
+no_options            | {NOLOGIN}                                       | {}        | NULL
+no_password           | {NOLOGIN}                                       | {}        | NULL
+root                  | {}                                              | {admin}   | NULL
 (9 rows)
 ~~~
 
@@ -262,18 +262,18 @@ SHOW ROLES;
 ~~~
 
 ~~~
-       username        |                options                | member_of
------------------------+---------------------------------------+------------
-admin                  |                                       | {}
-can_control_changefeed | CONTROLCHANGEFEED, NOLOGIN            | {}
-can_control_job        | CONTROLJOB, NOLOGIN                   | {}
-can_create_db          | CREATEDB, NOLOGIN                     | {}
-can_create_role        | CREATELOGIN, CREATEROLE, NOLOGIN      | {}
-can_login              | VALID UNTIL=2021-10-10 00:00:00+00:00 | {}
-can_manage_queries     | CANCELQUERY, NOLOGIN, VIEWACTIVITY    | {}
-no_options             | NOLOGIN                               | {}
-no_password            | NOLOGIN                               | {}
-root                   |                                       | {admin}
+       username        |                     options                     | member_of | estimated_last_login_time
+-----------------------+-------------------------------------------------+-----------+------------------------------
+admin                  | {}                                              | {}        | NULL
+can_control_changefeed | {CONTROLCHANGEFEED,NOLOGIN}                     | {}        | NULL
+can_control_job        | {CONTROLJOB,NOLOGIN}                            | {}        | NULL
+can_create_db          | {CREATEDB,NOLOGIN}                              | {}        | NULL
+can_create_role        | {CREATELOGIN,CREATEROLE,NOLOGIN}                | {}        | NULL
+can_login              | {VALID UNTIL=2025-10-10 00:00:00+00:00}         | {}        | NULL
+can_manage_queries     | {CANCELQUERY,NOLOGIN,VIEWACTIVITY}              | {}        | NULL
+no_options             | {NOLOGIN}                                       | {}        | NULL
+no_password            | {NOLOGIN}                                       | {}        | NULL
+root                   | {}                                              | {admin}   | NULL
 (10 rows)
 ~~~
 
@@ -290,19 +290,19 @@ SHOW ROLES;
 ~~~
 
 ~~~
-         username          |                options                | member_of
----------------------------+---------------------------------------+------------
-admin                      |                                       | {}
-can_control_changefeed     | CONTROLCHANGEFEED, NOLOGIN            | {}
-can_control_job            | CONTROLJOB, NOLOGIN                   | {}
-can_create_db              | CREATEDB, NOLOGIN                     | {}
-can_create_role            | CREATELOGIN, CREATEROLE, NOLOGIN      | {}
-can_login                  | VALID UNTIL=2021-10-10 00:00:00+00:00 | {}
-can_manage_queries         | CANCELQUERY, NOLOGIN, VIEWACTIVITY    | {}
-can_modify_cluster_setting | MODIFYCLUSTERSETTING, NOLOGIN         | {}
-no_options                 | NOLOGIN                               | {}
-no_password                | NOLOGIN                               | {}
-root                       |                                       | {admin}
+         username          |                     options                     | member_of | estimated_last_login_time
+---------------------------+-------------------------------------------------+-----------+------------------------------
+admin                      | {}                                              | {}        | NULL
+can_control_changefeed     | {CONTROLCHANGEFEED,NOLOGIN}                     | {}        | NULL
+can_control_job            | {CONTROLJOB,NOLOGIN}                            | {}        | NULL
+can_create_db              | {CREATEDB,NOLOGIN}                              | {}        | NULL
+can_create_role            | {CREATELOGIN,CREATEROLE,NOLOGIN}                | {}        | NULL
+can_login                  | {VALID UNTIL=2025-10-10 00:00:00+00:00}         | {}        | NULL
+can_manage_queries         | {CANCELQUERY,NOLOGIN,VIEWACTIVITY}              | {}        | NULL
+can_modify_cluster_setting | {MODIFYCLUSTERSETTING,NOLOGIN}                  | {}        | NULL
+no_options                 | {NOLOGIN}                                       | {}        | NULL
+no_password                | {NOLOGIN}                                       | {}        | NULL
+root                       | {}                                              | {admin}   | NULL
 (11 rows)
 ~~~
 
diff --git a/src/current/v25.3/create-user.md b/src/current/v25.3/create-user.md
index 0d9643a335d..fa26510cc33 100644
--- a/src/current/v25.3/create-user.md
+++ b/src/current/v25.3/create-user.md
@@ -73,10 +73,10 @@ $ cockroach sql --certs-dir=certs
 ~~~
 
 ~~~
-username | options | member_of
----------+---------+------------
-admin    |         | {}
-root     |         | {admin}
+username | options | member_of | estimated_last_login_time
+---------+---------+-----------+------------------------------
+admin    | {}      | {}        | NULL
+root     | {}      | {admin}   | NULL
 (2 rows)
 ~~~
 
@@ -97,11 +97,11 @@ root@:26257/defaultdb> SHOW USERS;
 ~~~
 
 ~~~
- username  | options | member_of
--------------+---------+------------
-admin      |         | {}
-no_options |         | {}
-root       |         | {admin}
+ username  | options | member_of | estimated_last_login_time
+-----------+---------+-----------+------------------------------
+admin      | {}      | {}        | NULL
+no_options | {}      | {}        | NULL
+root       | {}      | {admin}   | NULL
 (3 rows)
 ~~~
 
@@ -121,12 +121,12 @@ root@:26257/defaultdb> SHOW USERS;
 ~~~
 
 ~~~
-  username    |                options                | member_of
---------------+---------------------------------------+------------
-admin         |                                       | {}
-no_options    |                                       | {}
-root          |                                       | {admin}
-with_password | VALID UNTIL=2021-10-10 00:00:00+00:00 | {}
+  username    |                  options                  | member_of | estimated_last_login_time
+--------------+-------------------------------------------+-----------+------------------------------
+admin         | {}                                        | {}        | NULL
+no_options    | {}                                        | {}        | NULL
+root          | {}                                        | {admin}   | NULL
+with_password | {VALID UNTIL=2025-10-10 00:00:00+00:00}   | {}        | NULL
 (4 rows)
 ~~~
 
@@ -144,13 +144,13 @@ root@:26257/defaultdb> SHOW USERS;
 ~~~
 
 ~~~
-  username    |                options                | member_of
---------------+---------------------------------------+------------
-admin         |                                       | {}
-no_options    |                                       | {}
-no_password   |                                       | {}
-root          |                                       | {admin}
-with_password | VALID UNTIL=2021-10-10 00:00:00+00:00 | {}
+  username    |                  options                  | member_of | estimated_last_login_time
+--------------+-------------------------------------------+-----------+------------------------------
+admin         | {}                                        | {}        | NULL
+no_options    | {}                                        | {}        | NULL
+no_password   | {}                                        | {}        | NULL
+root          | {}                                        | {admin}   | NULL
+with_password | {VALID UNTIL=2025-10-10 00:00:00+00:00}   | {}        | NULL
 (5 rows)
 ~~~
 
@@ -167,14 +167,14 @@ root@:26257/defaultdb> SHOW USERS;
 ~~~
 
 ~~~
-    username     |                options                | member_of
------------------+---------------------------------------+------------
-admin            |                                       | {}
-can_create_users | CREATELOGIN, CREATEROLE               | {}
-no_options       |                                       | {}
-no_password      |                                       | {}
-root             |                                       | {admin}
-with_password    | VALID UNTIL=2021-10-10 00:00:00+00:00 | {}
+    username     |                  options                  | member_of | estimated_last_login_time
+-----------------+-------------------------------------------+-----------+------------------------------
+admin            | {}                                        | {}        | NULL
+can_create_users | {CREATELOGIN,CREATEROLE}                  | {}        | NULL
+no_options       | {}                                        | {}        | NULL
+no_password      | {}                                        | {}        | NULL
+root             | {}                                        | {admin}   | NULL
+with_password    | {VALID UNTIL=2025-10-10 00:00:00+00:00}   | {}        | NULL
 (6 rows)
 ~~~
 
@@ -191,15 +191,15 @@ root@:26257/defaultdb> SHOW USERS;
 ~~~
 
 ~~~
-      username        |                options                | member_of
-----------------------+---------------------------------------+------------
-admin                 |                                       | {}
-can_create_db         | CREATEDB                              | {}
-can_create_users      | CREATELOGIN, CREATEROLE               | {}
-no_options            |                                       | {}
-no_password           |                                       | {}
-root                  |                                       | {admin}
-with_password         | VALID UNTIL=2021-10-10 00:00:00+00:00 | {}
+      username        |                  options                  | member_of | estimated_last_login_time
+----------------------+-------------------------------------------+-----------+------------------------------
+admin                 | {}                                        | {}        | NULL
+can_create_db         | {CREATEDB}                                | {}        | NULL
+can_create_users      | {CREATELOGIN,CREATEROLE}                  | {}        | NULL
+no_options            | {}                                        | {}        | NULL
+no_password           | {}                                        | {}        | NULL
+root                  | {}                                        | {admin}   | NULL
+with_password         | {VALID UNTIL=2025-10-10 00:00:00+00:00}   | {}        | NULL
 (7 rows)
 ~~~
 
@@ -216,16 +216,16 @@ root@:26257/defaultdb> SHOW USERS;
 ~~~
 
 ~~~
-      username        |                options                | member_of
-----------------------+---------------------------------------+------------
-admin                 |                                       | {}
-can_control_job       | CONTROLJOB                            | {}
-can_create_db         | CREATEDB                              | {}
-can_create_users      | CREATELOGIN, CREATEROLE               | {}
-no_options            |                                       | {}
-no_password           |                                       | {}
-root                  |                                       | {admin}
-with_password         | VALID UNTIL=2021-10-10 00:00:00+00:00 | {}
+      username        |                  options                  | member_of | estimated_last_login_time
+----------------------+-------------------------------------------+-----------+------------------------------
+admin                 | {}                                        | {}        | NULL
+can_control_job       | {CONTROLJOB}                              | {}        | NULL
+can_create_db         | {CREATEDB}                                | {}        | NULL
+can_create_users      | {CREATELOGIN,CREATEROLE}                  | {}        | NULL
+no_options            | {}                                        | {}        | NULL
+no_password           | {}                                        | {}        | NULL
+root                  | {}                                        | {admin}   | NULL
+with_password         | {VALID UNTIL=2025-10-10 00:00:00+00:00}   | {}        | NULL
 (8 rows)
 ~~~
 
@@ -242,17 +242,17 @@ root@:26257/defaultdb> SHOW USERS;
 ~~~
 
 ~~~
-      username        |                options                | member_of
-----------------------+---------------------------------------+------------
-admin                 |                                       | {}
-can_control_job       | CONTROLJOB                            | {}
-can_create_db         | CREATEDB                              | {}
-can_create_users      | CREATELOGIN, CREATEROLE               | {}
-can_manage_queries    | CANCELQUERY, VIEWACTIVITY             | {}
-no_options            |                                       | {}
-no_password           |                                       | {}
-root                  |                                       | {admin}
-with_password         | VALID UNTIL=2021-10-10 00:00:00+00:00 | {}
+      username        |                  options                  | member_of | estimated_last_login_time
+----------------------+-------------------------------------------+-----------+------------------------------
+admin                 | {}                                        | {}        | NULL
+can_control_job       | {CONTROLJOB}                              | {}        | NULL
+can_create_db         | {CREATEDB}                                | {}        | NULL
+can_create_users      | {CREATELOGIN,CREATEROLE}                  | {}        | NULL
+can_manage_queries    | {CANCELQUERY,VIEWACTIVITY}                | {}        | NULL
+no_options            | {}                                        | {}        | NULL
+no_password           | {}                                        | {}        | NULL
+root                  | {}                                        | {admin}   | NULL
+with_password         | {VALID UNTIL=2025-10-10 00:00:00+00:00}   | {}        | NULL
 (9 rows)
 ~~~
 
@@ -269,18 +269,18 @@ root@:26257/defaultdb> SHOW USERS;
 ~~~
 
 ~~~
-       username        |                options                | member_of
------------------------+---------------------------------------+------------
-admin                  |                                       | {}
-can_control_changefeed | CONTROLCHANGEFEED                     | {}
-can_control_job        | CONTROLJOB                            | {}
-can_create_db          | CREATEDB                              | {}
-can_create_users       | CREATELOGIN, CREATEROLE               | {}
-can_manage_queries     | CANCELQUERY, VIEWACTIVITY             | {}
-no_options             |                                       | {}
-no_password            |                                       | {}
-root                   |                                       | {admin}
-with_password          | VALID UNTIL=2021-10-10 00:00:00+00:00 | {}
+       username        |                  options                  | member_of | estimated_last_login_time
+-----------------------+-------------------------------------------+-----------+------------------------------
+admin                  | {}                                        | {}        | NULL
+can_control_changefeed | {CONTROLCHANGEFEED}                       | {}        | NULL
+can_control_job        | {CONTROLJOB}                              | {}        | NULL
+can_create_db          | {CREATEDB}                                | {}        | NULL
+can_create_users       | {CREATELOGIN,CREATEROLE}                  | {}        | NULL
+can_manage_queries     | {CANCELQUERY,VIEWACTIVITY}                | {}        | NULL
+no_options             | {}                                        | {}        | NULL
+no_password            | {}                                        | {}        | NULL
+root                   | {}                                        | {admin}   | NULL
+with_password          | {VALID UNTIL=2025-10-10 00:00:00+00:00}   | {}        | NULL
 (10 rows)
 ~~~
 
@@ -297,19 +297,19 @@ root@:26257/defaultdb> SHOW USERS;
 ~~~
 
 ~~~
-         username          |                options                | member_of
----------------------------+---------------------------------------+------------
-admin                      |                                       | {}
-can_control_changefeed     | CONTROLCHANGEFEED                     | {}
-can_control_job            | CONTROLJOB                            | {}
-can_create_db              | CREATEDB                              | {}
-can_create_users           | CREATELOGIN, CREATEROLE               | {}
-can_manage_queries         | CANCELQUERY, VIEWACTIVITY             | {}
-can_modify_cluster_setting | MODIFYCLUSTERSETTING                  | {}
-no_options                 |                                       | {}
-no_password                |                                       | {}
-root                       |                                       | {admin}
-with_password              | VALID UNTIL=2021-10-10 00:00:00+00:00 | {}
+         username          |                  options                  | member_of | estimated_last_login_time
+---------------------------+-------------------------------------------+-----------+------------------------------
+admin                      | {}                                        | {}        | NULL
+can_control_changefeed     | {CONTROLCHANGEFEED}                       | {}        | NULL
+can_control_job            | {CONTROLJOB}                              | {}        | NULL
+can_create_db              | {CREATEDB}                                | {}        | NULL
+can_create_users           | {CREATELOGIN,CREATEROLE}                  | {}        | NULL
+can_manage_queries         | {CANCELQUERY,VIEWACTIVITY}                | {}        | NULL
+can_modify_cluster_setting | {MODIFYCLUSTERSETTING}                    | {}        | NULL
+no_options                 | {}                                        | {}        | NULL
+no_password                | {}                                        | {}        | NULL
+root                       | {}                                        | {admin}   | NULL
+with_password              | {VALID UNTIL=2025-10-10 00:00:00+00:00}   | {}        | NULL
 (11 rows)
 ~~~
 
diff --git a/src/current/v25.3/ldap-authentication.md b/src/current/v25.3/ldap-authentication.md
index 019a23fbfb1..dabf06d9482 100644
--- a/src/current/v25.3/ldap-authentication.md
+++ b/src/current/v25.3/ldap-authentication.md
@@ -4,15 +4,19 @@ summary: Learn how to configure CockroachDB for user authentication using LDAP-c
 toc: true
 ---
 
-CockroachDB supports authentication and authorization using LDAP-compatible directory services, such as Active Directory and Microsoft Entra ID. This allows you to integrate your cluster with your organization's existing identity infrastructure for centralized user management and access control.
+{{site.data.alerts.callout_info}}
+{% include feature-phases/preview.md %}
+{{site.data.alerts.end}}
+
+CockroachDB supports authentication and authorization using systems compatible with the Lightweight Directory Access Protocol (LDAP), such as Active Directory and Microsoft Entra ID. This allows you to integrate your cluster with your organization's existing identity infrastructure for centralized user management and access control.
 
-This page describes how to configure CockroachDB user authentication using LDAP. You can additionally configure CockroachDB to use the same directory service for user [authorization]({% link v24.3/ldap-authorization.md %}) (role-based access control), which assigns CockroachDB roles to users based on their group memberships in the directory.
+This page describes how to configure CockroachDB user authentication using LDAP. You can additionally configure CockroachDB to use the same directory service for user [authorization]({% link {{ page.version.version }}/ldap-authorization.md %}) (role-based access control), which assigns CockroachDB roles to users based on their group memberships in the directory.
 
 ## Overview
 
 LDAP authentication in CockroachDB works with LDAP-compatible directory services, including Microsoft Entra ID, Active Directory, and OpenLDAP. Secure LDAPS connectivity over TLS is required.
 
-While LDAP configuration is cluster-specific, each request to authenticate a user in CockroachDB is handled by the node that receives it. When LDAP is enabled, the node handles each authentication request  using a "search and bind" approach:
+While LDAP configuration is cluster-specific, each request to authenticate a user in CockroachDB is handled by the node that receives it. When LDAP is enabled, the node handles each authentication request using a "search and bind" approach:
 
 1. Find the user record
   - The node connects to the LDAP server using a dedicated directory access account.
@@ -21,12 +25,16 @@ While LDAP configuration is cluster-specific, each request to authenticate a use
   - If a matching record was found, the cluster attempts to verify the user's identity through another LDAP request, this time using the credentials (username and password) provided by that user.
   - If this LDAP bind operation succeeds, the user is authenticated to the CockroachDB cluster.
 1. Authorize the user (optional)
-  - If [LDAP authorization]({% link v24.3/ldap-authorization.md %}) is also enabled, an additional request is sent to retrieve the groups to which the user is assigned, using configurable criteria.
+  - If [LDAP authorization]({% link {{ page.version.version }}/ldap-authorization.md %}) is also enabled, an additional request is sent to retrieve the groups to which the user is assigned, using configurable criteria.
   - If group memberships are found, any existing CockroachDB roles that match these group names are assigned to the user.
 
 These requests use a node's existing connection to the LDAP server, if one is open. Otherwise, the node establishes a new connection. The connection remains open for handling additional LDAP requests until it is closed by the LDAP server, based on its timeout setting.
 
-Because CockroachDB maintains no more than one LDAP connection per node, for a cluster with `n` nodes, you can expect up to `n` concurrent LDAP connections. 
+Because CockroachDB maintains no more than one LDAP connection per node, for a cluster with `n` nodes, you can expect up to `n` concurrent LDAP connections.
+
+{{site.data.alerts.callout_info}}
+LDAP authentication cannot be used for the `root` user or other [reserved identities]({% link {{ page.version.version }}/security-reference/authorization.md %}#reserved-identities). Credentials for `root` must be managed separately using password authentication to ensure continuous administrative access regardless of LDAP availability.
+{{site.data.alerts.end}}
 
 ## Configuration
 
@@ -36,18 +44,19 @@ Because CockroachDB maintains no more than one LDAP connection per node, for a c
 - Network connectivity on port 636 for LDAPS.
 - A service account (bind DN) with permissions to search the directory for basic information about users and groups. For example, in Microsoft Entra ID, a [service principal](https://learn.microsoft.com/entra/architecture/secure-service-accounts) with the Directory Readers role.
 - The LDAP server's CA certificate, if using a custom CA not already trusted by the CockroachDB host.
+- Verification that the attribute values that will become CockroachDB usernames meet the CockroachDB [requirements for usernames]({% link {{ page.version.version }}/create-user.md %}#user-names).
 
 Before you begin, it may be useful to enable authentication logging, which can help you confirm successful configuration or troubleshoot issues. For details, refer to [Troubleshooting](#troubleshooting).
 
 ### Step 1: Enable redaction of sensitive cluster settings
 
-You will set LDAP bind credentials for the service account that enables this integration using the cluster setting `server.host_based_authentication.configuration`. You will also configure the mapping of external identities to CockroachDB SQL users using the cluster settings `server.identity_map.configuration`.
+For this integration, you will need to store LDAP bind credentials for the service account that enables the integration in the [cluster setting `server.host_based_authentication.configuration`]({% link {{ page.version.version }}/cluster-settings.md %}#setting-server-host-based-authentication-configuration). You will also configure the mapping of external identities to CockroachDB SQL users with the [cluster setting `server.identity_map.configuration`]({% link {{ page.version.version }}/cluster-settings.md %}#setting-server-identity-map-configuration). In addition, for a custom CA configuration, you may need to store certificate and key details in the cluster settings specified in the optional [Step 3: Configure TLS](#step-3-configure-tls-optional). 
 	
-To redact these two settings, refer to [Sensitive settings]({% link {{ page.version.version }}/cluster-settings.md %}#sensitive-settings).
+It is highly recommended that you redact these settings, so that only authorized users, such as members of the `admin` role, can view them. To enable this redaction and learn about its permission scheme, refer to [Sensitive settings]({% link {{ page.version.version }}/cluster-settings.md %}#sensitive-settings).
 
 ### Step 2: Configure Host-Based Authentication (HBA)
 
-To enable LDAP, you will need to update the [host-based authentication (HBA)]({% link {{ page.version.version }}/security-reference/authentication.md %}#authentication-configuration) configuration specified in the cluster setting `server.host_based_authentication.configuration`.
+To enable LDAP, you will need to update the [host-based authentication (HBA)]({% link {{ page.version.version }}/security-reference/authentication.md %}#authentication-configuration) configuration specified in the [cluster setting `server.host_based_authentication.configuration`]({% link {{ page.version.version }}/cluster-settings.md %}#setting-server-host-based-authentication-configuration).
 
 Set the authentication method for all users and databases to `ldap` and include the LDAP-specific option parameters:
 
@@ -79,14 +88,14 @@ If you also intend to configure LDAP Authorization, you will need to include an
 
 If, for LDAPS, you are using a certificate signed by a custom Certificate Authority (CA) that is not in the system's trusted CA store, you will need to configure the CA certificate. This step is only necessary when using certificates signed by your organization's private CA or other untrusted CA.
 
-Set the custom CA certificate:
+**Set the custom CA certificate:**
 
 {% include_cached copy-clipboard.html %}
 ~~~ sql
-SET CLUSTER SETTING server.ldap_authentication.domain_ca = '<PEM_ENCODED_CA_CERT>';
+SET CLUSTER SETTING server.ldap_authentication.domain.custom_ca = '<PEM_ENCODED_CA_CERT>';
 ~~~
 
-Configure a client certificate for mTLS if required:
+**Configure a client certificate for mTLS if required:**
 
 {% include_cached copy-clipboard.html %}
 ~~~ sql
@@ -94,20 +103,40 @@ SET CLUSTER SETTING server.ldap_authentication.client.tls_certificate = '<PEM_EN
 SET CLUSTER SETTING server.ldap_authentication.client.tls_key = '<PEM_ENCODED_KEY>';
 ~~~
 
-### Step 4: Sync database users
+### Step 4: Configure user creation
 
-{{site.data.alerts.callout_info}}
-LDAP authentication cannot be used for the `root` user or other [reserved identities]({% link {{ page.version.version }}/security-reference/authorization.md %}#reserved-identities). Credentials for `root` must be managed separately using password authentication to ensure continuous administrative access regardless of LDAP availability.
-{{site.data.alerts.end}}
+CockroachDB supports two approaches for the creation of users who will authenticate via LDAP:
 
-Before LDAP authentication can be used for a user, the username must be created directly in CockroachDB. You will need to establish an automated method for keeping users in sync with the directory server, creating and dropping them as needed.
+#### Option 1: Automatic user provisioning (recommended)
 
-For Active Directory deployments, the CockroachDB username can typically be set to match the `sAMAccountName` field from the `user` object. This field name would need to be specified in the HBA configuration using `ldapsearchattribute=sAMAccountName`.
+{% include_cached new-in.html version="v25.3" %} With automatic user provisioning, CockroachDB creates users automatically during their first successful LDAP authentication. This eliminates the need for custom scripting to create user accounts.
+
+When enabled:
+
+- Users are created automatically upon successful LDAP authentication.
+- All auto-provisioned users receive a `PROVISIONSRC` role option set to `ldap:{ldap_server}`.
+- The `estimated_last_login_time` is tracked for auditing purposes.
+- Auto-provisioned users cannot change their own passwords (managed via LDAP only).
+
+For Active Directory deployments, the CockroachDB username will match the `sAMAccountName` field from the `user` object. Specify this field name with `ldapsearchattribute=sAMAccountName` in the HBA configuration. Ensure that the values in the field you are using for `ldapsearchattribute` meet the CockroachDB [requirements for usernames]({% link {{ page.version.version }}/create-user.md %}#user-names).
 
 {{site.data.alerts.callout_info}}
-SQL usernames must comply with CockroachDB's [username requirements]({% link {{ page.version.version }}/create-user.md %}#user-names). Ensure that the values in the field you are using for `ldapsearchattribute` meet these requirements.
+Before you enable automatic user provisioning, it is recommended that you enable [LDAP authorization]({% link {{ page.version.version }}/ldap-authorization.md %}). This ensures that upon initial login, new CockroachDB users are members of the intended CockroachDB roles, with the privileges they confer, according to users' group memberships in the directory. Otherwise, functionality may be limited for a new user until your alternative process applies roles or privileges.
+
+If you choose to manage CockroachDB role memberships and privileges directly, you could script the required [`GRANT`]({% link {{ page.version.version }}/grant.md %}) commands to be [executed]({% link {{ page.version.version }}/cockroach-sql.md %}#general) as needed.
 {{site.data.alerts.end}}
 
+**To enable automatic user provisioning:**
+
+{% include_cached copy-clipboard.html %}
+~~~ sql
+SET CLUSTER SETTING server.provisioning.ldap.enabled = true;
+~~~
+
+#### Option 2: Manual/scripted user creation
+
+Alternatively, you can manage users by directly creating them before LDAP authentication is used. This approach provides explicit control over user creation.
+
 To create a single user:
 
 {% include_cached copy-clipboard.html %}
@@ -161,12 +190,146 @@ cockroach sql --url "postgresql://username:ldap_password@host:26257" --certs-dir
 
 ### DB Console connection with LDAP authentication
 
-If LDAP authentication is configured, DB Console access will also use this configuration, allowing users to log in with their SQL username and LDAP password. During a login attempt, the system checks if LDAP authentication is configured for the user in the HBA configuration. If so, it validates the credentials against the LDAP server. If LDAP authentication fails or is not configured, the system falls back to password authentication.
+If LDAP authentication is configured, DB Console access will also use this configuration, allowing users to log in with their SQL username and LDAP password. During a login attempt, the system checks if LDAP authentication is configured for the user in the HBA configuration. If so, it validates the credentials against the LDAP server. If automatic user provisioning is enabled, users will be created automatically during their first successful login. If LDAP authentication fails or is not configured, the system falls back to password authentication.
 
 {{site.data.alerts.callout_info}}
 Authorization (role-based access control) is not applied when logging in to DB Console.
 {{site.data.alerts.end}}
 
+## Managing auto-provisioned users
+
+When automatic user provisioning is enabled, you can identify and manage auto-provisioned users using the following methods:
+
+### Viewing provisioned users
+
+Auto-provisioned users can be identified by their `PROVISIONSRC` role option:
+
+{% include_cached copy-clipboard.html %}
+~~~ sql
+-- View all auto-provisioned users (users with PROVISIONSRC role option)
+SELECT * FROM [SHOW USERS] AS u 
+WHERE EXISTS (
+  SELECT 1 FROM unnest(u.options) AS opt 
+  WHERE opt LIKE 'PROVISIONSRC=ldap:%'
+);
+~~~
+
+{% include_cached copy-clipboard.html %}
+~~~ sql
+-- View all manually created users (users without PROVISIONSRC role option)
+SELECT * FROM [SHOW USERS] AS u 
+WHERE NOT EXISTS (
+  SELECT 1 FROM unnest(u.options) AS opt 
+  WHERE opt LIKE 'PROVISIONSRC=ldap:%'
+);
+~~~
+
+### Last-login tracking for usage and dormancy
+
+{% include_cached new-in.html version="v25.3" %} The `estimated_last_login_time` column in the output of `SHOW USERS` tracks when users last authenticated. For example:
+
+~~~ 
+     username    |                options                | member_of | estimated_last_login_time  
+-----------------+---------------------------------------+-----------+----------------------------
+  admin          | {}                                    | {}        | NULL  
+  root           | {}                                    | {admin}   | 2025-06-01 11:51:29.406216+00  
+  e.codd         | {PROVISIONSRC=ldap:example.com}       | {}        | 2025-08-04 19:18:00.201402+00  
+~~~
+
+{{site.data.alerts.callout_info}}
+`estimated_last_login_time` is computed on a best-effort basis and may not capture every login event due to asynchronous updates.
+{{site.data.alerts.end}}
+
+**To identify potentially dormant auto-provisioned users:**
+
+{% include_cached copy-clipboard.html %}
+~~~ sql
+  SELECT u.username, u.estimated_last_login_time FROM [SHOW USERS]
+  AS u
+  WHERE EXISTS (
+    SELECT 1 FROM unnest(u.options) AS opt
+    WHERE opt LIKE 'PROVISIONSRC=ldap:%'
+  ) AND (
+    u.estimated_last_login_time IS NULL OR
+    u.estimated_last_login_time < NOW() - INTERVAL '90 days'
+  )
+  ORDER BY u.estimated_last_login_time DESC NULLS LAST;
+~~~
+
+### Cleaning up users removed from Active Directory
+
+Auto-provisioned users who have been removed or deactivated in Active Directory will not be automatically removed from CockroachDB. To identify and clean up these orphaned accounts:
+
+**Step 1: Export auto-provisioned users from CockroachDB**
+
+{% include_cached copy-clipboard.html %}
+~~~ sql
+-- Export list of auto-provisioned usernames for comparison with Active Directory
+SELECT u.username FROM [SHOW USERS] AS u 
+WHERE EXISTS (
+  SELECT 1 FROM unnest(u.options) AS opt 
+  WHERE opt LIKE 'PROVISIONSRC=ldap:%'
+);
+~~~
+
+**Step 2: Cross-reference with Active Directory**
+
+Use your organization's directory tools to verify which of these users still exist in Active Directory. For example, you might use PowerShell with Active Directory cmdlets:
+
+~~~ powershell
+# Example PowerShell script to check if users exist in AD
+$cockroachUsers = @("user1", "user2", "user3")  # Replace with actual usernames
+$orphanedUsers = @()
+
+foreach ($user in $cockroachUsers) {
+    try {
+        Get-ADUser -Identity $user -ErrorAction Stop | Out-Null
+    } catch {
+        $orphanedUsers += $user
+        Write-Host "User not found in AD: $user"
+    }
+}
+~~~
+
+**Step 3: Remove orphaned users**
+
+Before dropping users confirmed to no longer exist in Active Directory, check for any privileges that were granted directly to the user:
+
+{% include_cached copy-clipboard.html %}
+~~~ sql
+-- Check for direct grants to the user (privileges inherited through roles won't block DROP USER)  
+SHOW GRANTS FOR username;
+~~~
+
+If any direct grants exist, revoke them before dropping the user. For users confirmed to no longer exist in Active Directory:
+
+{% include_cached copy-clipboard.html %}
+~~~ sql
+-- Remove users that no longer exist in Active Directory
+DROP USER username1, username2, username3;
+~~~
+
+{{site.data.alerts.callout_info}}
+Users cannot be dropped if they have direct privilege grants or own database objects. For complete requirements, refer to [`DROP USER`]({% link {{ page.version.version }}/drop-user.md %}). When using both automatic user provisioning and LDAP Authorization, consider granting privileges primarily through roles (mapped to AD groups) rather than directly to users to simplify cleanup operations.
+{{site.data.alerts.end}}
+
+### Restrictions on auto-provisioned users
+
+Users created through automatic provisioning have specific restrictions:
+
+- **Password changes**: Auto-provisioned users cannot change their own passwords using `ALTER USER`, even if the cluster setting `sql.auth.change_own_password.enabled` is true.
+- **PROVISIONSRC modification**: The `PROVISIONSRC` role option cannot be modified or removed once set.
+- **Authentication method**: These users must authenticate through LDAP; password-based authentication is not available.
+
+Attempting to change the password of an auto-provisioned user will result in an error:
+
+~~~ sql
+ALTER USER provisioned_user WITH PASSWORD 'newpassword';
+~~~
+~~~ 
+ERROR: user "provisioned_user" with PROVISIONSRC cannot change password
+~~~
+
 ## Troubleshooting
 
 Enable [`SESSION` logging]({% link {{ page.version.version }}/logging.md %}#sessions) to preserve data that will help troubleshoot LDAP issues.
@@ -193,7 +356,12 @@ Potential issues to investigate may pertain to:
 ## Security Considerations
 
 1. Always keep a backup authentication method (like password) for administrative users.
-2. Use LDAPS (LDAP over TLS) in production environments.
-3. Use a restricted service account for directory searches.
-4. Regularly audit LDAP group memberships.
-5. Monitor authentication logs for unusual patterns.
+1. Use LDAPS (LDAP over TLS) in production environments.
+1. Use a restricted service account for directory searches.
+1. Regularly audit LDAP group memberships.
+1. Monitor authentication logs for unusual patterns.
+1. **Auto-provisioning considerations**:
+   - When enabling automatic user provisioning, ensure your LDAP search filters are restrictive to prevent unauthorized user creation.
+   - Regularly review auto-provisioned users using the `SHOW USERS` command to identify accounts that may need deprovisioning.
+   - If using LDAP Authorization, ensure all group roles are created before enabling auto-provisioning to maintain proper access control.
+   - The `estimated_last_login_time` can help identify dormant accounts that may need manual removal.
diff --git a/src/current/v25.3/ldap-authorization.md b/src/current/v25.3/ldap-authorization.md
index b4efbb4cf9b..4596b9e6dca 100644
--- a/src/current/v25.3/ldap-authorization.md
+++ b/src/current/v25.3/ldap-authorization.md
@@ -4,13 +4,18 @@ summary: Learn how to configure role-based access control (authorization) using
 toc: true
 ---
 
-You can configure your cluster to assign [roles]({% link {{ page.version.version }}/ldap-authentication.md %}) based on a user's group membership in an LDAP service, such as Active Directory or Microsoft Entra ID.
+{{site.data.alerts.callout_info}}
+{% include feature-phases/preview.md %}
+{{site.data.alerts.end}}
+
+If you manage users through a service compatible with the Lightweight Directory Access Protocol (LDAP), such as Active Directory or Microsoft Entra ID, you can configure CockroachDB to automatically assign [roles]({% link {{ page.version.version }}/security-reference/authorization.md %}) to users based on LDAP group memberships, simplifying access control. 
 
-When enabled:
+If LDAP authorization is enabled:
 
 1. When a client connects to the cluster using LDAP, the cluster looks up the user's group membership in the LDAP service.
 1. Each LDAP group is mapped to a cluster role using the group's Common Name (CN) in the LDAP service.
 1. The user is granted each corresponding role, and roles that no longer match the user's groups are revoked.
+1. {% include_cached new-in.html version="v25.3" %} In conjunction with [automatic user provisioning]({% link {{ page.version.version }}/ldap-authentication.md %}#option-1-automatic-user-provisioning-recommended) if enabled, users are created automatically during their first authentication and simultaneously receive specified role memberships.
 
 ## Prerequisites
 
@@ -20,7 +25,7 @@ When enabled:
 
 Before you begin, it may be useful to enable authentication logging, which can help you confirm sucessful configuration or troubleshoot issues. For details, refer to [Troubleshooting](#troubleshooting).
 
-### Step 1: Enable LDAP Authorization
+### Step 1: Enable LDAP authorization
 
 Add the `ldapgrouplistfilter` parameter to the HBA configuration that you enabled for [LDAP Authentication]({% link {{ page.version.version }}/ldap-authentication.md %}). The configuration will include two important LDAP filters:
 
@@ -91,10 +96,14 @@ CREATE ROLE crdb_developers;
 GRANT ALL ON DATABASE app TO crdb_developers;
 ~~~
 
+{{site.data.alerts.callout_info}}
+If you are going to use [automatic user provisioning]({% link {{ page.version.version }}/ldap-authentication.md %}#option-1-automatic-user-provisioning-recommended) in conjunction with LDAP authorization, be sure to complete the creation of group roles before enabling automatic user provisioning. Auto-provisioned users will only receive roles for groups that already exist as CockroachDB roles.
+{{site.data.alerts.end}}
+
 ### Step 3: Confirm configuration
 
 1. On the LDAP server, set up test users with memberships in groups that should be synced to CockroachDB users.
-1. When logged in as an admin to CockroachDB, create the matching test users:
+1. If [automatic user provisioning]({% link {{ page.version.version }}/ldap-authentication.md %}#option-1-automatic-user-provisioning-recommended) is not enabled, create the matching test users when logged in as an admin to CockroachDB:
 
     {% include_cached copy-clipboard.html %}
     ~~~ sql
@@ -103,13 +112,31 @@ GRANT ALL ON DATABASE app TO crdb_developers;
     CREATE ROLE username3 LOGIN;
     ~~~
 
-1. Log in to CockroachDB as each test user (refer to [Connect to a cluster using LDAP]({% link {{ page.version.version }}/ldap-authentication.md %})#connect-to-a-cluster-using-ldap).
-1. Using your admin credentials, log in to the CockroachDB SQL shell and run `SHOW ROLES;` to view and verify users and their role assignments.
+    If automatic user provisioning is enabled, users will be created automatically during their first login.
+
+1. Log in to CockroachDB as each test user (refer to [Connect to a cluster using LDAP]({% link {{ page.version.version }}/ldap-authentication.md %}#connect-to-a-cluster-using-ldap)).
+1. Using your `admin` credentials, log in to the CockroachDB SQL shell and run `SHOW USERS;` to view and verify users and their role assignments.
+
+    For auto-provisioned users, you can identify them by their `PROVISIONSRC` role option:
+
+    {% include_cached copy-clipboard.html %}
+    ~~~ sql
+    -- View all users and their role assignments
+    SHOW USERS;
+    
+    -- Filter for auto-provisioned users
+    SELECT * FROM [SHOW USERS] AS u 
+    WHERE EXISTS (
+        SELECT 1 FROM unnest(u.options) AS opt 
+        WHERE opt LIKE 'PROVISIONSRC=ldap:%'
+    );
+    ~~~
 
 ## Troubleshooting
 
 Enable [`SESSION` logging]({% link {{ page.version.version }}/logging.md %}#sessions) to preserve data that will help troubleshoot LDAP issues:
 
+{% include_cached copy-clipboard.html %}
 ~~~ sql
 SET CLUSTER SETTING server.auth_log.sql_sessions.enabled = true;
 ~~~
@@ -131,7 +158,7 @@ Potential issues to investigate may pertain to:
 ## Security Considerations
 
 1. Always keep a backup authentication method (like password) for administrative users.
-2. Use LDAPS (LDAP over TLS) in production environments.
-3. Use a restricted service account for directory searches.
-4. Regularly audit LDAP group memberships.
-5. Monitor authentication logs for unusual patterns.
+1. Use LDAPS (LDAP over TLS) in production environments.
+1. Use a restricted service account for directory searches.
+1. Regularly audit LDAP group memberships.
+1. Monitor authentication logs for unusual patterns.
diff --git a/src/current/v25.3/set-vars.md b/src/current/v25.3/set-vars.md
index ca6c6c3d76f..baa2d7fe031 100644
--- a/src/current/v25.3/set-vars.md
+++ b/src/current/v25.3/set-vars.md
@@ -312,11 +312,11 @@ SHOW ROLES;
 ~~~
 
 ~~~
-  username | options | member_of
------------+---------+------------
-  admin    |         | {}
-  new_role | NOLOGIN | {}
-  root     |         | {admin}
+  username | options   | member_of | estimated_last_login_time
+-----------+-----------+-----------+------------------------------
+  admin    | {}        | {}        | NULL
+  new_role | {NOLOGIN} | {}        | NULL
+  root     | {}        | {admin}   | NULL
 (3 rows)
 ~~~
 
diff --git a/src/current/v25.3/show-roles.md b/src/current/v25.3/show-roles.md
index a78a01b5ec0..ee275ed8928 100644
--- a/src/current/v25.3/show-roles.md
+++ b/src/current/v25.3/show-roles.md
@@ -29,12 +29,12 @@ The role must have the [`SELECT`]({% link {{ page.version.version }}/select-clau
 ~~~
 
 ~~~
-  username |  options   | member_of
------------+------------+------------
-  admin    | CREATEROLE | {}
-  carl     | NOLOGIN    | {}
-  petee    |            | {}
-  root     | CREATEROLE | {admin}
+  username |    options     | member_of | estimated_last_login_time
+-----------+----------------+-----------+------------------------------
+  admin    | {CREATEROLE}   | {}        | NULL
+  carl     | {NOLOGIN}      | {}        | NULL
+  petee    | {}             | {}        | 2025-08-04 19:18:00.201402+00
+  root     | {CREATEROLE}   | {admin}   | NULL
 (4 rows)
 ~~~
 
diff --git a/src/current/v25.3/show-users.md b/src/current/v25.3/show-users.md
index 93ca64affa0..45ddd70cceb 100644
--- a/src/current/v25.3/show-users.md
+++ b/src/current/v25.3/show-users.md
@@ -29,12 +29,12 @@ The user must have the [`SELECT`]({% link {{ page.version.version }}/select-clau
 ~~~
 
 ~~~
-  username |  options   | member_of
------------+------------+------------
-  admin    | CREATEROLE | {}
-  carl     | NOLOGIN    | {}
-  petee    |            | {}
-  root     | CREATEROLE | {admin}
+  username |    options     | member_of | estimated_last_login_time
+-----------+----------------+-----------+------------------------------
+  admin    | {CREATEROLE}   | {}        | NULL
+  carl     | {NOLOGIN}      | {}        | NULL
+  petee    | {}             | {}        | 2025-08-04 19:18:00.201402+00
+  root     | {CREATEROLE}   | {admin}   | NULL
 (4 rows)
 ~~~
 
@@ -46,12 +46,12 @@ Alternatively, within the built-in SQL shell, you can use the `\du` [shell comma
 ~~~
 
 ~~~
-  username |  options   | member_of
------------+------------+------------
-  admin    | CREATEROLE | {}
-  carl     | NOLOGIN    | {}
-  petee    |            | {}
-  root     | CREATEROLE | {admin}
+  username |    options     | member_of | estimated_last_login_time
+-----------+----------------+-----------+------------------------------
+  admin    | {CREATEROLE}   | {}        | NULL
+  carl     | {NOLOGIN}      | {}        | NULL
+  petee    | {}             | {}        | 2025-08-04 19:18:00.201402+00
+  root     | {CREATEROLE}   | {admin}   | NULL
 (4 rows)
 ~~~