Overview
LDAP authentication in CockroachDB works with LDAP-compatible directory services, including Microsoft Entra ID, Active Directory, and OpenLDAP. Secure LDAPS connectivity over TLS is required. While LDAP configuration is cluster-specific, each request to authenticate a user in CockroachDB is handled by the node that receives it. When LDAP is enabled, the node handles each authentication request using a “search and bind” approach:- Find the user record
- The node connects to the LDAP server using a dedicated directory access account.
- The node searches the directory for a record that matches the authenticating user, using configurable search criteria.
- Authenticate the user
- If a matching record was found, the cluster attempts to verify the user’s identity through another LDAP request, this time using the credentials (username and password) provided by that user.
- If this LDAP bind operation succeeds, the user is authenticated to the CockroachDB cluster.
- Authorize the user (optional)
- If is also enabled, an additional request is sent to retrieve the groups to which the user is assigned, using configurable criteria.
- If group memberships are found, any existing CockroachDB roles that match these group names are assigned to the user.
n nodes, you can expect up to n concurrent LDAP connections.
LDAP authentication cannot be used for the
root user or other . Credentials for root must be managed separately using password authentication to ensure continuous administrative access regardless of LDAP availability.Configuration
Prerequisites
- An LDAP-compatible directory service, such as Microsoft Entra ID or Active Directory.
- Network connectivity on port 636 for LDAPS.
- A service account (bind DN) with permissions to search the directory for basic information about users and groups. For example, in Microsoft Entra ID, a service principal with the Directory Readers role.
- The LDAP server’s CA certificate, if using a custom CA not already trusted by the CockroachDB host.
- Verification that the attribute values that will become CockroachDB usernames meet the CockroachDB .
Step 1: Enable redaction of sensitive cluster settings
For this integration, you will need to store LDAP bind credentials for the service account that enables the integration in the . You will also configure the mapping of external identities to CockroachDB SQL users with the . In addition, for a custom CA configuration, you may need to store certificate and key details in the cluster settings specified in the optional Step 3: Configure TLS. It is highly recommended that you redact these settings, so that only authorized users, such as members of theadmin role, can view them. To enable this redaction and learn about its permission scheme, refer to .
Step 2: Configure Host-Based Authentication (HBA)
To enable LDAP, you will need to update the configuration specified in the . Set the authentication method for all users and databases toldap and include the LDAP-specific option parameters:
ldapserver: LDAP server hostnameldapport: LDAP server port (typically 636 for LDAPS)ldapbasedn: Base DN for user searchesldapbinddn: Service account DN for directory searchesldapbindpasswd: Service account passwordldapsearchattribute: Attribute to match against SQL usernamesldapsearchfilter: LDAP filter to restrict valid users
ldapgrouplistfilter. For details, refer to .
Step 3: Configure TLS (Optional)
If, for LDAPS, you are using a certificate signed by a custom Certificate Authority (CA) that is not in the system’s trusted CA store, you will need to configure the CA certificate. This step is only necessary when using certificates signed by your organization’s private CA or other untrusted CA. Set the custom CA certificate:Step 4: Configure user creation
CockroachDB supports two approaches for the creation of users who will authenticate via LDAP:Option 1: Automatic user provisioning (recommended)
With automatic user provisioning, CockroachDB creates users automatically during their first successful LDAP authentication. This eliminates the need for custom scripting to create user accounts. When enabled:- Users are created automatically upon successful LDAP authentication.
- All auto-provisioned users receive a
PROVISIONSRCrole option set toldap:{ldap_server}. - The
estimated_last_login_timeis tracked for auditing purposes. - Auto-provisioned users cannot change their own passwords (managed via LDAP only).
sAMAccountName field from the user object. Specify this field name with ldapsearchattribute=sAMAccountName in the HBA configuration. Ensure that the values in the field you are using for ldapsearchattribute meet the CockroachDB .
Before you enable automatic user provisioning, it is recommended that you enable . This ensures that upon initial login, new CockroachDB users are members of the intended CockroachDB roles, with the privileges they confer, according to users’ group memberships in the directory. Otherwise, functionality may be limited for a new user until your alternative process applies roles or privileges.If you choose to manage CockroachDB role memberships and privileges directly, you could script the required commands to be as needed.
Option 2: Manual/scripted user creation
Alternatively, you can manage users by directly creating them before LDAP authentication is used. This approach provides explicit control over user creation. To create a single user:- Export usernames from the directory server.
-
Produce a
.sqlfile with a statement per user, each on a separate line.If you are not also enabling LDAP Authorization to manage roles and privileges, you can also include one or moreGRANTlines for each user. For example,GRANT developer TO username1orGRANT SELECT ON DATABASE orders TO username2;. -
Run the SQL statements in the :
Connect to a cluster using LDAP
SQL shell connection with LDAP authentication
To connect using LDAP credentials, use your LDAP password:DB Console connection with LDAP authentication
If LDAP authentication is configured, DB Console access will also use this configuration, allowing users to log in with their SQL username and LDAP password. During a login attempt, the system checks if LDAP authentication is configured for the user in the HBA configuration. If so, it validates the credentials against the LDAP server. If automatic user provisioning is enabled, users will be created automatically during their first successful login. If LDAP authentication fails or is not configured, the system falls back to password authentication.Authorization (role-based access control) is not applied when logging in to DB Console.
Managing auto-provisioned users
When automatic user provisioning is enabled, you can identify and manage auto-provisioned users using the following methods:Viewing provisioned users
Auto-provisioned users can be identified by theirPROVISIONSRC role option:
Last-login tracking for usage and dormancy
Theestimated_last_login_time column in the output of SHOW USERS tracks when users last authenticated. For example:
estimated_last_login_time is computed on a best-effort basis and may not capture every login event due to asynchronous updates.Cleaning up users removed from Active Directory
Auto-provisioned users who have been removed or deactivated in Active Directory will not be automatically removed from CockroachDB. To identify and clean up these orphaned accounts: Step 1: Export auto-provisioned users from CockroachDBUsers cannot be dropped if they have direct privilege grants or own database objects. For complete requirements, refer to . When using both automatic user provisioning and LDAP Authorization, consider granting privileges primarily through roles (mapped to AD groups) rather than directly to users to simplify cleanup operations.
Restrictions on auto-provisioned users
Users created through automatic provisioning have specific restrictions:- Password changes: Auto-provisioned users cannot change their own passwords using
ALTER USER, even if the cluster settingsql.auth.change_own_password.enabledis true. - PROVISIONSRC modification: The
PROVISIONSRCrole option cannot be modified or removed once set. - Authentication method: These users must authenticate through LDAP; password-based authentication is not available.
Troubleshooting
Enable to preserve data that will help troubleshoot LDAP issues.Once all functionality is configured and tested successfully, we recommend disabling session logging to conserve system resources.
cockroach-session.log from your .
Potential issues to investigate may pertain to:
- Network connectivity to the LDAP server.
- Incorrect bind DN or password.
- Search filter not matching the intended users.
- TLS certificates.
- Missing or mismatched role names.
Security Considerations
- Always keep a backup authentication method (like password) for administrative users.
- Use LDAPS (LDAP over TLS) in production environments.
- Use a restricted service account for directory searches.
- Regularly audit LDAP group memberships.
- Monitor authentication logs for unusual patterns.
- Auto-provisioning considerations:
- When enabling automatic user provisioning, ensure your LDAP search filters are restrictive to prevent unauthorized user creation.
- Regularly review auto-provisioned users using the
SHOW USERScommand to identify accounts that may need deprovisioning. - If using LDAP Authorization, ensure all group roles are created before enabling auto-provisioning to maintain proper access control.
- The
estimated_last_login_timecan help identify dormant accounts that may need manual removal.

