ldap_user_lookup_substitution for MariaDB Xpand
This page is part of MariaDB's Documentation.
Overview
In 23.09:
Regex for transforming a username of the form 'username@hostname' into an LDAP user DN. Used when ldap_user_lookup = substitution.
In 6.1, 6.0, 5.3:
Not present
See also: System Variables for MariaDB Xpand 23.09, in 6.1, in 6.0, and in 5.3
USAGE
The ldap_user_lookup_substitution system variable can be set by executing SET GLOBAL:
SET GLOBAL ldap_user_lookup_substitution = '<regex>';
Using SET GLOBAL to set the value of a global variable in Xpand causes a change that will persist on restart.
DETAILS
The ldap_user_lookup_substitution system variable sets the regex for transforming a username of the form 'username@hostname' into an LDAP user DN. It is used when ldap_user_lookup = substitution.
Standard regex capture groups can be specified in the match pattern with parentheses.
The replacement pattern of the regex can specify backreferences to capture groups from the match pattern in the form of \N, where N is a number from 1 to 9.
Because the backslash is an escape character in SQL string literals, it needs to be escaped with another backslash, so a backreference of \1 should be typed as \\1 in the string literal.
If the connecting client's username@hostname does not match the match pattern, the connection is denied.
EXAMPLES
Let's specify a regex transformation for how to derive the user's LDAP user DN from the connecting client's username@hostname. This example will transform a connecting client alice@devs.example.com into a corresponding LDAP user DN of cn=alice,ou=devs,dc=example,dc=com:
SET GLOBAL ldap_user_lookup_substitution = '/^(.+)@.+$/cn=\\1,ou=devs,dc=example,dc=com/';
This example demonstrates filtering users by their origin hostname. As in the previous example, this will transform a connecting client alice@devs.example.com into the LDAP user DN of cn=alice,ou=devs,dc=example,dc=com, since the hostname matches. However, a connecting user bob@otherplace.com will fail to match the hostname portion of the regex, and will be rejected early in the login attempt:
SET GLOBAL ldap_user_lookup_substitution = '/^(.+)@devs.example.com$/cn=\\1,ou=devs,dc=example,dc=com/';
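A way to check a substitution value against a table of expected outcomes before running SET GLOBAL. This is an added example, not part of the original page or of Xpand itself. It assumes the value has the /match/replacement/ form shown above with no '/' inside either half, that patterns are anchored with ^ and $, and that Xpand's regex engine treats an unescaped . as "any character", as Python's re module does; the function names and the carol@devs-example.com identity are constructed for illustration.

```python
import re

# Values as the server sees them after SQL string-literal unescaping (\\1 -> \1).
PAGE_HOST_FILTER = r"/^(.+)@devs.example.com$/cn=\1,ou=devs,dc=example,dc=com/"
# Added variant: dots in the hostname escaped so they only match a literal '.'.
ESCAPED_DOTS = r"/^(.+)@devs\.example\.com$/cn=\1,ou=devs,dc=example,dc=com/"

# Constructed expectations: identity -> DN, or None when the login must be denied.
EXPECTED = {
    "alice@devs.example.com": "cn=alice,ou=devs,dc=example,dc=com",
    "bob@otherplace.com": None,
    "carol@devs-example.com": None,  # constructed hostname, not from the page
}

def parse_substitution(value):
    """Split '/match/replacement/' into (compiled pattern, replacement)."""
    if len(value) < 3 or not (value.startswith("/") and value.endswith("/")):
        raise ValueError("expected the form /match/replacement/")
    parts = value[1:-1].split("/")
    if len(parts) != 2:  # assumption: no '/' inside either half
        raise ValueError("expected exactly one '/' between match and replacement")
    return re.compile(parts[0]), parts[1]

def to_dn(value, identity):
    """Return the LDAP user DN for 'username@hostname', or None if denied."""
    pattern, replacement = parse_substitution(value)
    match = pattern.search(identity)
    if match is None:
        return None  # no match: the page says the connection is denied
    return match.expand(replacement)  # resolves \1..\9 backreferences

def check(value, expected):
    """List (identity, wanted, got) for every identity that maps unexpectedly."""
    return [(identity, wanted, to_dn(value, identity))
            for identity, wanted in expected.items()
            if to_dn(value, identity) != wanted]

if __name__ == "__main__":
    for name, value in (("page example", PAGE_HOST_FILTER), ("escaped dots", ESCAPED_DOTS)):
        print(name, check(value, EXPECTED) or "all expectations hold")
```

Following the backslash rule in DETAILS, the escaped dot \. would be typed as \\. in the SQL string literal.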
CHANGE HISTORY
Release Series | History |
---|---|
23.09 | |
6.1 | |
6.0 | |
5.3 | |