Commit

feat: Update cluster setting to latest version
codingconcepts committed Nov 26, 2024
1 parent f97bba8 commit 4b63036
Showing 2 changed files with 6 additions and 3 deletions.
2 changes: 1 addition & 1 deletion src/current/v24.3/ldap-authentication.md
Expand Up @@ -88,7 +88,7 @@ Set the custom CA certificate:

{% include_cached copy-clipboard.html %}
~~~ sql
SET CLUSTER SETTING server.ldap_authentication.domain_ca = '<PEM_ENCODED_CA_CERT>';
SET CLUSTER SETTING server.ldap_authentication.domain.custom_ca = '<PEM_ENCODED_CA_CERT>';
~~~

Configure a client certificate for mTLS if required:
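
Review bot: The renamed setting in the `SET CLUSTER SETTING` line under "Set the custom CA certificate" gives readers no pointer from the old name, so anyone with `server.ldap_authentication.domain_ca` in scripts or runbooks has to work out the change themselves. If the old name appeared in any published version of this page, add a one-line note that the setting was previously called `domain_ca`. Also confirm that the client certificate settings in the mTLS step that follows match the names the product accepts, since that step is outside this hunk and the commit touches only this one line of the file.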
7 changes: 5 additions & 2 deletions src/current/v24.3/ldap-authorization.md
Expand Up @@ -60,8 +60,11 @@ The `ldapgrouplistfilter` configuration varies by LDAP server type:
-- For Azure Active Directory:
"ldapgrouplistfilter=(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com)"

-- For OpenLDAP:
-- For OpenLDAP (using groupOfNames):
"ldapgrouplistfilter=(objectClass=groupOfNames)"

-- For OpenLDAP (using groupOfUniqueNames):
"ldapgrouplistfilter=(objectClass=groupOfUniqueNames)"
~~~

For enhanced security, restrict the groups that can be mapped to CockroachDB roles:
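
Review bot: The two OpenLDAP entries at the end of the `ldapgrouplistfilter` block read as settings to apply together, but they are alternatives that depend on which object class the directory's group entries use. Say so in the comments, for example "-- For OpenLDAP, if group entries are groupOfUniqueNames:", and mention that a filter naming an object class the directory does not use matches no group entries. A short sentence before the block stating that exactly one `ldapgrouplistfilter` value is chosen per server type would cover the Azure Active Directory entry as well.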
Expand Down Expand Up @@ -94,7 +97,7 @@ GRANT ALL ON DATABASE app TO crdb_developers;
### Step 3: Confirm configuration

1. On the LDAP server, set up test users with memberships in groups that should be synced to CockroachDB users.
1. When logged in as an admin to CockroachDB, create the matching test users:
1. When logged in as an admin to CockroachDB, create the matching test users (note the omission of a password; this will be validated against the user's LDAP password):

{% include_cached copy-clipboard.html %}
~~~ sql
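
Review bot: In the second list item of Step 3, the parenthetical "this will be validated against the user's LDAP password" has no clear antecedent for "this", because the clause before it is about a password being omitted. State it directly, for example "create the matching test users without a password; the password supplied at login is validated against LDAP", so it is clear that no password is set on the CockroachDB side.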