This feature is in and subject to change. To share feedback and/or issues, contact Support.
- When a client connects to the cluster using LDAP, the cluster looks up the user’s group membership in the LDAP service.
- Each LDAP group is mapped to a cluster role using the group’s Common Name (CN) in the LDAP service.
- The user is granted each corresponding role, and roles that no longer match the user’s groups are revoked.
Prerequisites
- Enable .
Configuration
Before you begin, it may be useful to enable authentication logging, which can help you confirm sucessful configuration or troubleshoot issues. For details, refer to Troubleshooting.Step 1: Enable LDAP Authorization
Add theldapgrouplistfilter parameter to the HBA configuration that you enabled for . The configuration will include two important LDAP filters:
ldapsearchfilter: Determines which users can authenticateldapgrouplistfilter: Defines which groups should be considered for authorization
Search filter examples
To restrict authentication to members of specific groups:Group List filter examples
Theldapgrouplistfilter configuration varies by LDAP server type:
We recommend that you explicitly specify which groups should be mapped to CockroachDB roles rather than using broader filters. This ensures that only intended groups are granted database access.
Step 2: Create matching roles
Create CockroachDB roles that match your LDAP group names and grant appropriate privileges to each role. Remember that role names must comply with CockroachDB’s . For example, if you’ve configured the group filter to allowcrdb_analysts and crdb_developers:
Step 3: Confirm configuration
- On the LDAP server, set up test users with memberships in groups that should be synced to CockroachDB users.
-
When logged in as an admin to CockroachDB, create the matching test users (note the omission of a password; this will be validated against the user’s LDAP password):
- Log in to CockroachDB as each test user (refer to #connect-to-a-cluster-using-ldap).
-
Using your admin credentials, log in to the CockroachDB SQL shell and run
SHOW ROLES;to view and verify users and their role assignments.
Troubleshooting
Enable to preserve data that will help troubleshoot LDAP issues:Once all functionality is configured and tested successfully, we recommend disabling session logging to conserve system resources.
cockroach-session.log from your .
Potential issues to investigate may pertain to:
- Network connectivity to the LDAP server.
- Incorrect bind DN or password.
- Search filter not matching the intended users.
- TLS certificates.
- Missing or mismatched role names.
Security Considerations
- Always keep a backup authentication method (like password) for administrative users.
- Use LDAPS (LDAP over TLS) in production environments.
- Use a restricted service account for directory searches.
- Regularly audit LDAP group memberships.
- Monitor authentication logs for unusual patterns.

