LDAP user and group synchronization#

You can configure SEP to synchronize users and groups from an LDAP directory.

Starburst recommends LDAP provisioning instead of LDAP group mapping for synchronizing group membership.

Note

To synchronize identities using the SCIM protocol instead, see SCIM user and group synchronization.

Configuration#

To configure LDAP user and group synchronization, complete the following steps:

  • Configure an internal group provider in SEP

  • Enable LDAP user provisioning

  • Configure LDAP user provisioning properties

Configure an internal group provider#

SEP requires a group provider configuration to handle imported users and groups internally. Create an etc/group-provider.properties configuration file on the coordinator with the following contents:

group-provider.name=starburst

The SEP group provider includes an optional cache for user and group lookups, which is enabled by default. Disable the cache with the following property:

starburst-group-provider.cache.enabled=false

When you enable caching, the following optional properties are also available:

starburst-group-provider.cache.ttl=10s
starburst-group-provider.cache.maximum-size=1024

Enable LDAP user provisioning#

To enable LDAP user provisioning, add the following property to your coordinator’s config.properties file:

starburst.users.provisioning.type=LDAP

Configure LDAP user provisioning properties#

Set all LDAP user provisioning configuration properties in your coordinator's config.properties file.

Configure the LDAP client connection using the same ldap.* properties as the Trino LDAP password authenticator, prefixed with ldap-user-provisioning. (for example, ldap-user-provisioning.ldap.url and ldap-user-provisioning.ldap.bind-user, as shown in the examples below).

The following configuration properties are available. Each entry gives the property name, whether it is required, its description, and any notes:

LDAP user provisioning properties#

ldap-user-provisioning.user-search-base
    Required. The base distinguished name (DN) for user searches.

ldap-user-provisioning.user-search-filter
    Required. The LDAP search filter for locating user entries. For example, (objectClass=user) for Active Directory or (objectClass=inetOrgPerson) for OpenLDAP.

ldap-user-provisioning.user-name-attribute
    Required. The LDAP attribute that contains the username. For example, sAMAccountName for Active Directory or uid for OpenLDAP.

ldap-user-provisioning.user-unique-attribute
    Optional. The LDAP attribute that contains a unique identifier for each user. For example, objectGUID for Active Directory or entryUUID for OpenLDAP.

ldap-user-provisioning.group-search-base
    Required. The base distinguished name (DN) for group searches.

ldap-user-provisioning.group-search-filter
    Required. The LDAP search filter for locating group entries. For example, (objectClass=group) for Active Directory or (objectClass=groupOfEntries) for OpenLDAP.

ldap-user-provisioning.group-name-attribute
    Required. The LDAP attribute that contains the group name. For example, sAMAccountName for Active Directory or cn for OpenLDAP.

ldap-user-provisioning.group-unique-attribute
    Optional. The LDAP attribute that contains a unique identifier for each group. For example, objectGUID for Active Directory or entryUUID for OpenLDAP.

ldap-user-provisioning.group-membership-attribute
    Required. The LDAP attribute on a group entry that lists its members. For example, member for Active Directory or OpenLDAP.

ldap-user-provisioning.sync-interval
    Optional. The frequency of synchronization. Defaults to 2h.

Examples#

The following examples show complete config.properties configurations for LDAP user provisioning.

Secure LDAP connection (LDAPS)#

The following example configures LDAP user provisioning over a secure TLS connection:

starburst.users.provisioning.type=LDAP
ldap-user-provisioning.ldap.url=ldaps://ldapserver:636
ldap-user-provisioning.ldap.ssl.keystore.path=/etc/openldap/certs/trino-coordinator-for-ldap.pem
ldap-user-provisioning.ldap.ssl.truststore.path=/etc/openldap/certs/openldap-certificate.pem
ldap-user-provisioning.ldap.bind-user=cn=admin,dc=trino,dc=testldap,dc=com
ldap-user-provisioning.ldap.bind-password=admin
ldap-user-provisioning.user-search-base=dc=trino,dc=testldap,dc=com
ldap-user-provisioning.user-search-filter=(objectClass=inetOrgPerson)
ldap-user-provisioning.user-name-attribute=cn
ldap-user-provisioning.group-search-base=dc=trino,dc=testldap,dc=com
ldap-user-provisioning.group-search-filter=(objectClass=groupOfNames)
ldap-user-provisioning.group-name-attribute=cn
ldap-user-provisioning.group-membership-attribute=member

Insecure LDAP connection#

The following example configures LDAP user provisioning over an insecure connection. Only use this configuration for testing or development environments:

starburst.users.provisioning.type=LDAP
ldap-user-provisioning.ldap.allow-insecure=true
ldap-user-provisioning.ldap.url=ldap://ldapserver:389
ldap-user-provisioning.ldap.bind-user=cn=admin,dc=trino,dc=testldap,dc=com
ldap-user-provisioning.ldap.bind-password=admin
ldap-user-provisioning.user-search-base=dc=trino,dc=testldap,dc=com
ldap-user-provisioning.user-search-filter=(objectClass=inetOrgPerson)
ldap-user-provisioning.user-name-attribute=cn
ldap-user-provisioning.group-search-base=dc=trino,dc=testldap,dc=com
ldap-user-provisioning.group-search-filter=(objectClass=groupOfNames)
ldap-user-provisioning.group-name-attribute=cn
ldap-user-provisioning.group-membership-attribute=member
ldap-user-provisioning.sync-interval=30m
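As an added check that is not part of SEP or of this documentation, the following Python script parses a coordinator config.properties, verifies that the required properties from the table above are present, and flags the settings that make the second example unsuitable outside test environments (a plaintext ldap:// URL and allow-insecure=true). The names REQUIRED, DURATION, parse_properties and check_ldap_provisioning are chosen here, and the duration pattern assumes Trino's duration units.

```python
import re

# Required keys, taken from the LDAP user provisioning properties table.
REQUIRED = (
    "ldap-user-provisioning.user-search-base",
    "ldap-user-provisioning.user-search-filter",
    "ldap-user-provisioning.user-name-attribute",
    "ldap-user-provisioning.group-search-base",
    "ldap-user-provisioning.group-search-filter",
    "ldap-user-provisioning.group-name-attribute",
    "ldap-user-provisioning.group-membership-attribute",
)
# Assumed Trino duration syntax as used by sync-interval, e.g. 2h, 30m, 10s
DURATION = re.compile(r"^\d+(\.\d+)?\s*(ns|us|ms|s|m|h|d)$")

def parse_properties(text):
    """Parse Java-style key=value lines; blank lines and #/! comments are skipped.
    Only the first '=' splits, so DN values like cn=admin,dc=example stay intact."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_ldap_provisioning(text):
    """Return a list of findings for a coordinator config.properties; empty means OK."""
    p = parse_properties(text)
    if p.get("starburst.users.provisioning.type") != "LDAP":
        return ["starburst.users.provisioning.type is not LDAP; provisioning is off"]
    findings = [f"missing required property {k}" for k in REQUIRED if k not in p]
    url = p.get("ldap-user-provisioning.ldap.url", "")
    if not url.startswith("ldaps://"):
        findings.append(f"ldap.url {url!r} is not ldaps://; directory traffic is unencrypted")
    if p.get("ldap-user-provisioning.ldap.allow-insecure") == "true":
        findings.append("allow-insecure=true; acceptable only for test or development")
    interval = p.get("ldap-user-provisioning.sync-interval")
    if interval is not None and not DURATION.match(interval):
        findings.append(f"sync-interval {interval!r} is not a duration such as 2h or 30m")
    return findings

# Constructed sample: an abbreviated copy of the insecure example with a malformed interval.
SAMPLE_INSECURE = (
    "starburst.users.provisioning.type=LDAP\n"
    "ldap-user-provisioning.ldap.allow-insecure=true\n"
    "ldap-user-provisioning.ldap.url=ldap://ldapserver:389\n"
    "ldap-user-provisioning.sync-interval=30 minutes\n"
)
```

Run check_ldap_provisioning on the contents of the coordinator's config.properties; the secure LDAPS example above produces no findings, while the insecure example is reported for its ldap:// URL and allow-insecure=true.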