cockroachdb · codingconcepts · Nov 26, 2024
diff --git a/src/current/v24.3/ldap-authentication.md b/src/current/v24.3/ldap-authentication.md
@@ -88,7 +88,7 @@ Set the custom CA certificate:
 
 {% include_cached copy-clipboard.html %}
 ~~~ sql
-SET CLUSTER SETTING server.ldap_authentication.domain_ca = '<PEM_ENCODED_CA_CERT>';
+SET CLUSTER SETTING server.ldap_authentication.domain.custom_ca = '<PEM_ENCODED_CA_CERT>';
 ~~~
 
 Configure a client certificate for mTLS if required:

diff --git a/src/current/v24.3/ldap-authorization.md b/src/current/v24.3/ldap-authorization.md
@@ -60,8 +60,11 @@ The `ldapgrouplistfilter` configuration varies by LDAP server type:
 -- For Azure Active Directory:
 "ldapgrouplistfilter=(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com)"
 
--- For OpenLDAP:
+-- For OpenLDAP (using groupOfNames):
 "ldapgrouplistfilter=(objectClass=groupOfNames)"
+
+-- For OpenLDAP (using groupOfUniqueNames):
+"ldapgrouplistfilter=(objectClass=groupOfUniqueNames)"
 ~~~
 
 For enhanced security, restrict the groups that can be mapped to CockroachDB roles:
@@ -94,7 +97,7 @@ GRANT ALL ON DATABASE app TO crdb_developers;
 ### Step 3: Confirm configuration
 
 1. On the LDAP server, set up test users with memberships in groups that should be synced to CockroachDB users.
-1. When logged in as an admin to CockroachDB, create the matching test users:
+1. When logged in as an admin to CockroachDB, create the matching test users (note the omission of a password; this will be validated against the user's LDAP password):
 
     {% include_cached copy-clipboard.html %}
     ~~~ sql