ldap_user_lookup_query for MariaDB Xpand

Overview

In 23.09:

Regex for transforming a username of the form 'username@hostname' into an RFC 4516-formatted LDAP query URL that obtains an LDAP user DN. Used when ldap_user_lookup = query.

In 6.1, 6.0, 5.3:

Not present

See also: System Variables for MariaDB Xpand 23.09, in 6.1, in 6.0, and in 5.3

USAGE

The ldap_user_lookup_query system variable can be set by executing SET GLOBAL:

SET GLOBAL ldap_user_lookup_query = '<regex>';

Using SET GLOBAL to set the value of a global variable in Xpand causes a change that will persist on restart.

DETAILS

The ldap_user_lookup_query system variable sets the regex for transforming a username of the form username@hostname into an RFC 4516-formatted LDAP query URL that obtains an LDAP user DN. Used when ldap_user_lookup = query.

Standard regex capture groups can be specified in the match pattern with parentheses.

The replacement pattern of the regex can specify backreferences to capture groups from the match pattern in the form \N, where N is a number from 1 to 9.

Because a backslash in a SQL string literal must itself be escaped with another backslash, a backreference of \1 should be typed as \\1 in the string literal.

If the connecting client's username@hostname does not match the match pattern, the connection is denied.

The final query string should adhere to the following grammar (as specified by RFC 4516):

dn [? [<attributes>] [? [<scope>] [? [<filter>] [? <extensions>]]]]

The parts of the query string are:

dn
  Specifies the DN position in the LDAP directory to root the search from.

attributes
  A comma-separated list of attributes to return from found LDAP entries.
  If omitted, dn is assumed as the default.

scope
  The search scope to use, for example base, sub, one, etc.
  If omitted, base is assumed as the default.

filter
  The search filter expression.
  If you want to search multiple attributes, use LDAP's logical operators to join multiple filter terms together, for example:
  • (&(cn=foo)(sn=bar))

  • (|(cn=foo)(cn=baz))

  • (&(|(cn=foo)(cn=baz))(sn=bar))

extensions
  Any LDAP search extensions allowed by the LDAP server.

EXAMPLES

As with ldap_user_lookup_substitution, the regex matches on a connecting client's username@hostname. However, instead of directly deriving an LDAP user DN, this regex derives an RFC 4516-formatted LDAP query URL, which, when run on the LDAP server, should return the corresponding LDAP user DN.

Transform username@hostname into the LDAP query

This example will transform a connecting user alice@devs.example.com into the LDAP query ou=devs,dc=example,dc=com?dn?one?(&(objectClass=person)(cn=alice)). This query searches the LDAP directory at the root of ou=devs,dc=example,dc=com, returning the dn attribute value of an entry found at a scope of one level below the search root, with a filter for entries that have an objectClass of person and a cn attribute with a value of alice:

SET GLOBAL ldap_user_lookup_query = '/^(.+)@.+$/ou=devs,dc=example,dc=com?dn?one?(&(objectClass=person)(cn=\\1))/';

This example will transform a connecting user alice@devs.example.com into the LDAP query URL dc=example,dc=com?dn?sub?(&(objectClass=person)(cn=alice)). Unlike the previous example, this query searches a greater portion of the LDAP directory, rooted at dc=example,dc=com, returning the dn attribute value of an entry found anywhere in the sub (subtree) scope below the search root, with the same filter for entries that have an objectClass of person and a cn attribute with a value of alice:

SET GLOBAL ldap_user_lookup_query = '/^(.+)@.+$/dc=example,dc=com?dn?sub?(&(objectClass=person)(cn=\\1))/';

Filter User by Hostname

This example demonstrates filtering users by their origin hostname. As in the previous example, this will transform a connecting client alice@devs.example.com into the LDAP query URL ou=devs,dc=example,dc=com?dn?one?(&(objectClass=person)(cn=alice)), since the hostname matches. However, a connecting user bob@otherplace.com will fail to match the hostname portion of the regex and will be rejected early in the login attempt. The dots in the hostname are escaped (\\. in the string literal, \. in the regex) so that they match a literal dot rather than any character:

SET GLOBAL ldap_user_lookup_query = '/^(.+)@devs\\.example\\.com$/ou=devs,dc=example,dc=com?dn?one?(&(objectClass=person)(cn=\\1))/';
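The following is an added reference model of the lookup described on this page, not Xpand's own code: it splits the /match/replacement/ setting (a form assumed from the examples above), applies the regex with \N backreferences, denies non-matching usernames by returning None, and parses the resulting RFC 4516 URL with the documented defaults. The values are written as the server sees them after SQL literal unescaping, so '\\1' in SQL is r'\1' here, and the STRICT variant shows how a tighter character class in the match pattern keeps LDAP filter metacharacters such as parentheses out of the generated filter.

```python
import re
from typing import Optional

# Reference model (added example, not Xpand's code) of how an
# ldap_user_lookup_query value maps username@hostname to an RFC 4516 URL.
# Strings are the post-SQL-unescaping values, so SQL '\\1' is r'\1' here.
BACKREF = re.compile(r"\\([1-9])")

def split_setting(setting: str):
    """Split '/match/replacement/' into (match, replacement).
    The delimiter form is assumed from the page's examples."""
    if len(setting) < 3 or setting[0] != "/" or setting[-1] != "/":
        raise ValueError("expected the form /match/replacement/")
    match, sep, replacement = setting[1:-1].partition("/")
    if not sep:
        raise ValueError("missing replacement part")
    return match, replacement

def lookup_url(setting: str, user_at_host: str) -> Optional[str]:
    """Return the LDAP query URL, or None when the connection is denied
    because username@hostname does not match the match pattern."""
    pattern, replacement = split_setting(setting)
    m = re.search(pattern, user_at_host)  # pattern carries its own ^ and $
    if m is None:
        return None
    # Expand \N backreferences ourselves so '?', '(' and '&' in the
    # replacement are copied literally rather than interpreted.
    return BACKREF.sub(lambda b: m.group(int(b.group(1))), replacement)

def parse_rfc4516(url: str) -> dict:
    """Split dn[?attributes[?scope[?filter[?extensions]]]] and apply the
    defaults the page lists: attributes -> 'dn', scope -> 'base'."""
    parts = url.split("?", 4)
    names = ["dn", "attributes", "scope", "filter", "extensions"]
    q = {k: (parts[i] if i < len(parts) else "") for i, k in enumerate(names)}
    q["attributes"] = q["attributes"] or "dn"
    q["scope"] = q["scope"] or "base"
    return q

# The page's "filter by hostname" setting with the dots escaped so they match
# literally. STRICT (a constructed variant) narrows the username capture from
# .+ to [A-Za-z0-9._-]+ so only filter-safe characters reach the replacement.
LOOSE = r"/^(.+)@devs\.example\.com$/ou=devs,dc=example,dc=com?dn?one?(&(objectClass=person)(cn=\1))/"
STRICT = r"/^([A-Za-z0-9._-]+)@devs\.example\.com$/ou=devs,dc=example,dc=com?dn?one?(&(objectClass=person)(cn=\1))/"
```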

CHANGE HISTORY

Release Series

History

23.09

  • Added in MariaDB Xpand 23.09.1.

6.1

  • Not present.

6.0

  • Not present.

5.3

  • Not present.
