ldap_user_lookup_substitution for MariaDB Xpand

Overview

In 23.09:

Regex for transforming a username of the form 'username@hostname' into an LDAP user DN. Used when ldap_user_lookup = substitution.

In 6.1, 6.0, 5.3:

Not present

See also: System Variables for MariaDB Xpand 23.09, in 6.1, in 6.0, and in 5.3

USAGE

The ldap_user_lookup_substitution system variable can be set by executing SET GLOBAL:

SET GLOBAL ldap_user_lookup_substitution = '<regex>';

Using SET GLOBAL to set the value of a global variable in Xpand causes a change that will persist on restart.

DETAILS

The ldap_user_lookup_substitution system variable sets the regex for transforming a username of the form 'username@hostname' into an LDAP user DN. Used when ldap_user_lookup = substitution.

Standard regex capture groups can be specified in the match pattern with parentheses.

The replacement pattern of the regex can specify backreferences to capture groups from the match pattern in the form of \N, where N is a number from 1 to 9.

Given the nature of writing backslashes in SQL string literals, the backslash needs to be escaped with another backslash, so a backreference of \1 should be typed as \\1 in the string literal.

If the connecting client's username@hostname does not match the match pattern, the connection is denied.

EXAMPLES

Let's specify a regex transformation for how to derive the user's LDAP user DN from the connecting client's username@hostname. This example will transform a connecting client alice@devs.example.com into a corresponding LDAP user DN of cn=alice,ou=devs,dc=example,dc=com:

SET GLOBAL ldap_user_lookup_substitution = '/^(.+)@.+$/cn=\\1,ou=devs,dc=example,dc=com/';

This example demonstrates filtering users by their origin hostname. As in the previous example, this will transform a connecting client alice@devs.example.com into the LDAP user DN of cn=alice,ou=devs,dc=example,dc=com, since the hostname matches. However, a connecting user bob@otherplace.com will fail to match the hostname portion of the regex, and will be rejected early in the login attempt. The dots in the hostname are escaped (typed as \\. in the string literal) so that each matches only a literal dot; an unescaped . matches any single character, which would make the hostname filter looser than intended:

SET GLOBAL ldap_user_lookup_substitution = '/^(.+)@devs\\.example\\.com$/cn=\\1,ou=devs,dc=example,dc=com/';
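A substitution pattern can be checked offline before it is set. The following is an added example, not MariaDB code: it uses Python's re module as a stand-in for Xpand's regex engine (whose flavor may differ) and assumes patterns anchored with ^ and $. The helpers parse_substitution and lookup_dn and the login alice@devsXexample.com are constructed for illustration.

```python
import re

def parse_substitution(spec):
    """Split '/match/replacement/' into its two parts.

    Assumption: '/' is only a delimiter and never appears inside either part.
    """
    parts = spec.split("/")
    if len(parts) != 4 or parts[0] or parts[3]:
        raise ValueError("expected '/match/replacement/'")
    return parts[1], parts[2]

def lookup_dn(spec, login):
    """Return the LDAP user DN for login, or None when the connection is denied."""
    match, replacement = parse_substitution(spec)
    m = re.search(match, login)
    if m is None:
        return None                   # no match: the login is rejected
    return m.expand(replacement)      # \1..\9 become the captured groups

# Values as the server sees them, after SQL string-literal unescaping (\\1 -> \1).
ANY_HOST = r"/^(.+)@.+$/cn=\1,ou=devs,dc=example,dc=com/"
UNESCAPED = r"/^(.+)@devs.example.com$/cn=\1,ou=devs,dc=example,dc=com/"
ESCAPED = r"/^(.+)@devs\.example\.com$/cn=\1,ou=devs,dc=example,dc=com/"

# Constructed logins: expected host, other host, host that differs at a dot.
LOGINS = ["alice@devs.example.com", "bob@otherplace.com", "alice@devsXexample.com"]

def report():
    """Map each pattern name to the DN (or None) it yields for every login."""
    specs = {"any-host": ANY_HOST, "unescaped": UNESCAPED, "escaped": ESCAPED}
    return {name: [lookup_dn(spec, login) for login in LOGINS]
            for name, spec in specs.items()}

if __name__ == "__main__":
    for name, results in report().items():
        for login, dn in zip(LOGINS, results):
            print(f"{name:10} {login:26} -> {dn or 'DENIED'}")
```

Only the pattern with escaped dots denies both bob@otherplace.com and alice@devsXexample.com; the pattern without a hostname filter maps every login into ou=devs.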

CHANGE HISTORY

Release Series    History
23.09             Added in MariaDB Xpand 23.09.1.
6.1               Not present.
6.0               Not present.
5.3               Not present.
