ldap_group_query for MariaDB Xpand

Overview

In 23.09:

Template string that specifies an RFC 4516-formatted LDAP query URL for obtaining the LDAP groups a user belongs to.

In 6.1, 6.0, 5.3:

Not present

See also: System Variables for MariaDB Xpand 23.09, in 6.1, in 6.0, and in 5.3

USAGE

The ldap_group_query system variable can be set by executing SET GLOBAL:

SET GLOBAL ldap_group_query = '<template_string>';

Using SET GLOBAL to set the value of a global variable in Xpand causes a change that will persist on restart.

DETAILS

The ldap_group_query system variable sets the template string from which Xpand derives an RFC 4516-formatted LDAP query URL for obtaining the LDAP groups a user belongs to. Three tokens are substituted into the template: {CLIENTUSER} is replaced with the connecting client's username, {CLIENTHOST} with the connecting client's hostname, and {USERDN} with the LDAP user DN.

The token {USERDN} is replaced with the LDAP user DN derived by either ldap_user_lookup_substitution or ldap_user_lookup_query.

This global variable only takes a template string for deriving an LDAP query URL; the tokens are replaced literally. It is not a regex.

Note that {CLIENTUSER} and {CLIENTHOST} are supplied by the connecting client. If a template places either of them inside the filter component, the substituted value becomes part of an LDAP search filter, in which the characters ( ) * \ and NUL have special meaning (RFC 4515). This page does not state whether Xpand escapes substituted values, so prefer building the filter from {USERDN}, which is produced by the user lookup step, as the examples below do.

The query can specify a maximum of 1 attribute to retrieve from the matched LDAP entries, e.g., dn, memberOf, etc. The values of that attribute are taken to be the user's group DNs. If no attribute is specified, the dn of each returned LDAP entry is used by default.

The final query string should adhere to the following grammar (as specified by RFC 4516; the scheme and host portions of a full LDAP URL are not part of the template):

dn [? [<attributes>] [? [<scope>] [? [<filter>] [? <extensions>]]]]

Parameter    Description

dn
  Specifies the DN of the entry in the LDAP directory at which to root the search.

attributes
  A comma-separated list of attributes to return from the matched LDAP entries. ldap_group_query accepts at most one.
  If omitted, then dn is assumed as default.

scope
  The search scope to use: base (only the root entry itself), one (only the root entry's immediate children), or sub (the root entry and all of its descendants).
  If omitted, then base is assumed as default.

filter
  The search filter expression (RFC 4515).
  To filter on more than one attribute, join the terms with LDAP's logical operators, for example:
  • (&(cn=foo)(sn=bar))

  • (|(cn=foo)(cn=baz))

  • (&(|(cn=foo)(cn=baz))(sn=bar))

extensions
  Any LDAP search extensions the LDAP server allows.

SYNONYMS

SCHEMA

PARAMETERS

SKYSQL

PRIVILEGES

EXAMPLES

Find Groups Attached to a User

For an LDAP user DN of cn=alice,ou=devs,dc=example,dc=com, this example will derive an LDAP query URL of cn=alice,ou=devs,dc=example,dc=com?memberOf?base, which, when run on the LDAP server, should return a list of corresponding LDAP group DNs.

This query will search in the exact LDAP entry cn=alice,ou=devs,dc=example,dc=com for values under the attribute memberOf, where each memberOf attribute value should be an LDAP group DN.

The scope of base means that only the search root entry cn=alice,ou=devs,dc=example,dc=com is searched, and not any of its potential descendants in the directory:

SET GLOBAL ldap_group_query = '{USERDN}?memberOf?base';

Find Groups That List Members by User DN

As opposed to the first example, which finds LDAP group DNs attached to a user's entry, this query finds the LDAP group entries that list their members by LDAP user DN. It searches the LDAP directory rooted at ou=groups,dc=example,dc=com for the dn of entries found one level below the search root (scope one), filtered to entries with an objectClass of groupOfUniqueNames and a uniqueMember attribute value matching cn=alice,ou=devs,dc=example,dc=com. Groups nested deeper than one level below ou=groups,dc=example,dc=com are not found unless the scope is changed to sub.

For an LDAP user DN of cn=alice,ou=devs,dc=example,dc=com, this example will derive an LDAP query URL of ou=groups,dc=example,dc=com?dn?one?(&(objectClass=groupOfUniqueNames)(uniqueMember=cn=alice,ou=devs,dc=example,dc=com)):

SET GLOBAL ldap_group_query = 'ou=groups,dc=example,dc=com?dn?one?(&(objectClass=groupOfUniqueNames)(uniqueMember={USERDN}))';
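The template expansion, URL grammar and defaults described under DETAILS, and the two queries above, as an added example in Python. This is not Xpand's own code and not a description of how Xpand implements the variable: it expands a template, parses the resulting URL body by the grammar on this page, enforces the one-attribute limit, and runs the query against a small constructed directory so the result of each example can be seen offline. The sample entries, the RFC 4515 escaping of tokens substituted into the filter component, and the rejection of unparsed trailing filter text are this example's own choices; the page does not say whether Xpand escapes substituted values.

```python
"""Added example, not MariaDB Xpand's own code: expand an ldap_group_query template,
parse the RFC 4516 URL body it yields, and run it against a constructed directory."""
import re

SCOPES = {"base", "one", "sub"}
TOKENS = ("{CLIENTUSER}", "{CLIENTHOST}", "{USERDN}")
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(FILTER_ESCAPES.get(c, c) for c in value)

def expand_template(template, client_user, client_host, user_dn):
    """Substitute the three documented tokens. Assumption of this example (the page does
    not say what Xpand does): a token inside the filter component is escaped so a hostile
    username cannot change the filter's structure."""
    values = dict(zip(TOKENS, (client_user, client_host, user_dn)))
    parts = template.split("?", 4)  # dn ? attributes ? scope ? filter ? extensions
    for idx, part in enumerate(parts):
        for token, value in values.items():
            part = part.replace(token, escape_filter_value(value) if idx == 3 else value)
        parts[idx] = part
    return "?".join(parts)

def parse_url(url):
    """Split per the grammar on the page and apply the documented defaults and Xpand's
    one-attribute limit. A literal '?' in a filter must be percent-encoded (RFC 4516)."""
    dn, attrs, scope, filt, ext = (url.split("?", 4) + [""] * 4)[:5]
    attrs = [a for a in attrs.split(",") if a] or ["dn"]
    if len(attrs) > 1:
        raise ValueError("ldap_group_query allows at most one attribute, got %r" % attrs)
    scope = scope or "base"
    if scope not in SCOPES:
        raise ValueError("unknown scope %r" % scope)
    return dn, attrs[0].lower(), scope, filt or None, ext

def is_valid_url(url):
    """True when the URL body parses under the rules above."""
    try:
        return bool(parse_url(url))
    except ValueError:
        return False

def parse_filter(s, i=0):
    """Recursive descent over the RFC 4515 subset used on this page: equality assertions
    combined with &, | and !. Returns (node, index_after_node)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d of %r" % (i, s))
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1
    j = s.index(")", i)  # an escaped ')' appears as \29, so this is the real close
    attr, _, value = s[i:j].partition("=")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr.lower(), value), j + 1

def matches(node, entry):
    op = node[0]
    if op == "=":
        return node[2].lower() in [v.lower() for v in entry.get(node[1], [])]
    if op in "&|":
        return (all if op == "&" else any)(matches(k, entry) for k in node[1])
    return not matches(node[1][0], entry)  # "!"

def in_scope(dn, root, scope):
    dn, root = dn.lower(), root.lower()
    parent = dn.partition(",")[2]  # sample DNs contain no escaped commas
    return {"base": dn == root, "one": parent == root, "sub": dn == root or dn.endswith("," + root)}[scope]

def run_query(url, directory):
    """Return the values Xpand would treat as the user's group DNs."""
    root, attr, scope, filt, _ = parse_url(url)
    node, end = parse_filter(filt) if filt else (None, 0)
    if filt and end != len(filt):
        raise ValueError("trailing data after filter in %r" % filt)
    results = []
    for dn, entry in directory.items():
        if in_scope(dn, root, scope) and (node is None or matches(node, entry)):
            results.extend([dn] if attr == "dn" else entry.get(attr, []))
    return results

# Constructed sample directory (attribute names stored lower-cased); not real data.
ALICE, BOB = "cn=alice,ou=devs,dc=example,dc=com", "cn=bob,ou=devs,dc=example,dc=com"
DBA, DEVS = "cn=dba,ou=groups,dc=example,dc=com", "cn=devs,ou=groups,dc=example,dc=com"
LEGACY = "cn=legacy,ou=archive,ou=groups,dc=example,dc=com"  # two levels below ou=groups
DIRECTORY = {
    ALICE: {"objectclass": ["inetOrgPerson"], "memberof": [DBA, DEVS]},
    BOB: {"objectclass": ["inetOrgPerson"], "memberof": [DEVS]},
    DBA: {"objectclass": ["groupOfUniqueNames"], "uniquemember": [ALICE]},
    DEVS: {"objectclass": ["groupOfUniqueNames"], "uniquemember": [ALICE, BOB]},
    LEGACY: {"objectclass": ["groupOfUniqueNames"], "uniquemember": [ALICE]},
}

GROUPS_ON_USER = "{USERDN}?memberOf?base"  # the two templates from this page's examples
USER_IN_GROUPS = "ou=groups,dc=example,dc=com?dn?one?(&(objectClass=groupOfUniqueNames)(uniqueMember={USERDN}))"

def groups_for(template, user_dn, client_user="alice", client_host="client.example.com"):
    return run_query(expand_template(template, client_user, client_host, user_dn), DIRECTORY)
```

groups_for(GROUPS_ON_USER, ALICE) and groups_for(USER_IN_GROUPS, ALICE) both return the dba and devs group DNs; changing the second template's scope from one to sub additionally returns cn=legacy,ou=archive,ou=groups,dc=example,dc=com, which sits two levels below the search root. is_valid_url rejects a template that names two attributes. A connecting username such as alice)(cn=* placed in a filter is escaped to alice\29\28cn=\2a, so it matches nothing instead of rewriting the filter.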

ERROR HANDLING

FEATURE INTERACTION

RESPONSES

DIAGNOSIS

ISO 9075:2016

CHANGE HISTORY

Release Series

History

23.09

  • Added in MariaDB Xpand 23.09.1.

6.1

  • Not present.

6.0

  • Not present.

5.3

  • Not present.

EXTERNAL REFERENCES