ldap_user_lookup_query for MariaDB Xpand
This page is part of MariaDB's Documentation.
Overview
In 23.09:
Regex for transforming a username of the form 'username@hostname' into an RFC 4516-formatted LDAP query URL that obtains an LDAP user DN. Used when ldap_user_lookup = query.
In 6.1, 6.0, 5.3:
Not present
See also: System Variables for MariaDB Xpand 23.09, in 6.1, in 6.0, and in 5.3
USAGE
The ldap_user_lookup_query system variable can be set by executing SET GLOBAL:
SET GLOBAL ldap_user_lookup_query = '<regex>';
Using SET GLOBAL to set the value of a global variable in Xpand causes a change that will persist on restart.
DETAILS
The ldap_user_lookup_query system variable sets the regex for transforming a username of the form username@hostname into an RFC 4516-formatted LDAP query URL that obtains an LDAP user DN. Used when ldap_user_lookup = query.
Standard regex capture groups can be specified in the match pattern with parentheses.
The replacement pattern of the regex can specify backreferences to capture groups from the match pattern in the form of \N, where N is a number from 1 to 9.
Given the nature of writing backslashes in SQL string literals, the backslash needs to be escaped with another backslash, so a backreference of \1 should be typed as \\1 in the string literal.
If the connecting client's username@hostname does not match the match pattern, the connection is denied.
The final query string should adhere to the following grammar (as specified by RFC 4516):
dn [? [<attributes>] [? [<scope>] [? [<filter>] [? <extensions>]]]]
Parameter | Description
---|---
dn | Specifies the DN position in the LDAP directory to root the search from.
attributes | A comma-separated list of attributes to return from found LDAP entries. If omitted, then dn is assumed as default.
scope | The search scope to use. For example, base, sub, one, etc. If omitted, then base is assumed as default.
filter | The search filter expression. If you want to search multiple attributes, be sure to use LDAP's logical operators to join multiple filter terms together, for example:
extensions | Any LDAP search extensions allowable by the LDAP server.
EXAMPLES
As with ldap_user_lookup_substitution, the regex matches on a connecting client's username@hostname. However, instead of directly deriving an LDAP user DN, this regex derives an RFC 4516-formatted LDAP query URL, which, when run on the LDAP server, should return the corresponding LDAP user DN.
Transform username@hostname into the LDAP query
This example will transform a connecting user alice@devs.example.com into the LDAP query ou=devs,dc=example,dc=com?dn?one?(&(objectClass=person)(cn=alice)). This query searches the LDAP directory rooted at ou=devs,dc=example,dc=com, returning the dn attribute value of an entry found at a scope of one level below the search root, with a filter for entries that have an objectClass of person and a cn attribute with a value of alice:
SET GLOBAL ldap_user_lookup_query = '/^(.+)@.+$/ou=devs,dc=example,dc=com?dn?one?(&(objectClass=person)(cn=\\1))/';
This example will transform a connecting user alice@devs.example.com into the LDAP query URL of dc=example,dc=com?dn?sub?(&(objectClass=person)(cn=alice)). Unlike the previous example, this query searches a greater portion of the LDAP directory rooted at dc=example,dc=com, returning the dn attribute value of an entry found at any sub (subtree) scope below the search root, with the same filter for entries that have an objectClass of person and a cn attribute with a value of alice:
SET GLOBAL ldap_user_lookup_query = '/^(.+)@.+$/dc=example,dc=com?dn?sub?(&(objectClass=person)(cn=\\1))/';
Filter User by Hostname
This example demonstrates filtering users by their origin hostname. As in the previous example, this will transform a connecting client alice@devs.example.com into the LDAP query URL of ou=devs,dc=example,dc=com?dn?one?(&(objectClass=person)(cn=alice)), since the hostname matches. However, a connecting user bob@otherplace.com will fail to match the hostname portion of the regex, and will be rejected early in the login attempt:
SET GLOBAL ldap_user_lookup_query = '/^(.+)@devs.example.com$/ou=devs,dc=example,dc=com?dn?one?(&(objectClass=person)(cn=\\1))/';
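The transformation described under DETAILS and in the three examples above, as an added Python illustration that is not Xpand's own code: it applies each page setting to a client's username@hostname, returns None where Xpand would deny the connection, and splits the resulting query string into the RFC 4516 parameters using the defaults from the table. It assumes the '/match/replacement/' form with Perl-style capture groups and that the match pattern itself contains no '/' character.

```python
import re

# Added illustration (not Xpand's code) of applying an ldap_user_lookup_query
# setting. Assumes the '/<match>/<replacement>/' form with Perl-style groups and
# \1..\9 backreferences described above, and no '/' inside the match pattern.

# The page's three settings, as written inside the SQL string literal (doubled backslash).
EXAMPLE_ONE = r"/^(.+)@.+$/ou=devs,dc=example,dc=com?dn?one?(&(objectClass=person)(cn=\\1))/"
EXAMPLE_SUB = r"/^(.+)@.+$/dc=example,dc=com?dn?sub?(&(objectClass=person)(cn=\\1))/"
EXAMPLE_HOST = r"/^(.+)@devs.example.com$/ou=devs,dc=example,dc=com?dn?one?(&(objectClass=person)(cn=\\1))/"


def parse_setting(sql_literal: str):
    """Return (match_pattern, replacement) from the literal's '/match/replacement/' form."""
    value = sql_literal.replace("\\\\", "\\")  # SQL literal unescaping: \\ -> \
    match, sep, replacement = value[1:-1].partition("/")
    if not (value.startswith("/") and value.endswith("/") and sep):
        raise ValueError("setting must have the form /match/replacement/")
    return match, replacement


def lookup_url(sql_literal: str, user_at_host: str):
    """Transform user_at_host into the LDAP query string, or return None when the
    match pattern does not match (Xpand then denies the connection)."""
    match, replacement = parse_setting(sql_literal)
    m = re.search(match, user_at_host)
    if m is None:
        return None
    # Expand \1..\9 backreferences; the captured text is inserted literally.
    return re.sub(r"\\([1-9])", lambda ref: m.group(int(ref.group(1))), replacement)


def parse_query(query: str):
    """Split 'dn[?attributes[?scope[?filter[?extensions]]]]' (RFC 4516 grammar)
    and apply the table's defaults: attributes=dn, scope=base."""
    parts = query.split("?", 4)
    parts += [""] * (5 - len(parts))
    dn, attributes, scope, filt, extensions = parts
    return {
        "dn": dn,
        "attributes": attributes.split(",") if attributes else ["dn"],
        "scope": scope or "base",
        "filter": filt,
        "extensions": extensions.split(",") if extensions else [],
    }


if __name__ == "__main__":
    for client in ("alice@devs.example.com", "bob@otherplace.com"):
        url = lookup_url(EXAMPLE_HOST, client)
        print(client, "->", "connection denied" if url is None else parse_query(url))
```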