This feature is in and subject to change. To share feedback and/or issues, contact Support.
- When a client connects to the cluster using LDAP, the cluster looks up the user’s group membership in the LDAP service.
- Each LDAP group is mapped to a cluster role using the group’s Common Name (CN) in the LDAP service.
- The user is granted each corresponding role, and roles that no longer match the user’s groups are revoked.
- In conjunction with if enabled, users are created automatically during their first authentication and simultaneously receive specified role memberships.
Prerequisites
- Enable .
Configuration
Before you begin, it may be useful to enable authentication logging, which can help you confirm sucessful configuration or troubleshoot issues. For details, refer to Troubleshooting.Step 1: Enable LDAP authorization
Add theldapgrouplistfilter parameter to the HBA configuration that you enabled for . The configuration will include two important LDAP filters:
ldapsearchfilter: Determines which users can authenticateldapgrouplistfilter: Defines which groups should be considered for authorization
Search filter examples
To restrict authentication to members of specific groups:Group List filter examples
Theldapgrouplistfilter configuration varies by LDAP server type:
We recommend that you explicitly specify which groups should be mapped to CockroachDB roles rather than using broader filters. This ensures that only intended groups are granted database access.
Step 2: Create matching roles
Create CockroachDB roles that match your LDAP group names and grant appropriate privileges to each role. Remember that role names must comply with CockroachDB’s . For example, if you’ve configured the group filter to allowcrdb_analysts and crdb_developers:
If you are going to use in conjunction with LDAP authorization, be sure to complete the creation of group roles before enabling automatic user provisioning. Auto-provisioned users will only receive roles for groups that already exist as CockroachDB roles.
Step 3: Confirm configuration
- On the LDAP server, set up test users with memberships in groups that should be synced to CockroachDB users.
-
If is not enabled, create the matching test users when logged in as an admin to CockroachDB:
If automatic user provisioning is enabled, users will be created automatically during their first login.
- Log in to CockroachDB as each test user (refer to ).
-
Using your
admincredentials, log in to the CockroachDB SQL shell and runSHOW USERS;to view and verify users and their role assignments. For auto-provisioned users, you can identify them by theirPROVISIONSRCrole option:
Troubleshooting
Enable to preserve data that will help troubleshoot LDAP issues:Once all functionality is configured and tested successfully, we recommend disabling session logging to conserve system resources.
cockroach-session.log from your .
Potential issues to investigate may pertain to:
- Network connectivity to the LDAP server.
- Incorrect bind DN or password.
- Search filter not matching the intended users.
- TLS certificates.
- Missing or mismatched role names.
Security Considerations
- Always keep a backup authentication method (like password) for administrative users.
- Use LDAPS (LDAP over TLS) in production environments.
- Use a restricted service account for directory searches.
- Regularly audit LDAP group memberships.
- Monitor authentication logs for unusual patterns.

