This page isn’t applicable to ClickHouse Cloud. The feature documented here isn’t available in ClickHouse Cloud services.
See the ClickHouse Cloud Compatibility guide for more information.
- Use LDAP as an external authenticator for existing users, which are defined in
users.xmlor in local access control paths. - Use LDAP as an external user directory and allow locally undefined users to be authenticated if they exist on the LDAP server.
LDAP server definition
To define LDAP server you must addldap_servers section to the config.xml.
Example
ldap_servers section using distinct names.
Parameters
user_dn_detection sub-parameters
Section with LDAP search parameters for detecting the actual user DN of the bound user. This is mainly used in search filters for further role mapping when the server is Active Directory. The resulting user DN will be used when replacing {user_dn} substrings wherever they are allowed. By default, user DN is set equal to bind DN, but once search is performed, it will be updated to the actual detected user DN value.
LDAP external authenticator
A remote LDAP server can be used as a method for verifying passwords for locally defined users (users defined inusers.xml or in local access control paths). To achieve this, specify previously defined LDAP server name instead of password or similar sections in the user definition.
At each login attempt, ClickHouse tries to “bind” to the specified DN defined by the bind_dn parameter in the LDAP server definition using the provided credentials, and if successful, the user is considered authenticated. This is often called a “simple bind” method.
Example
my_user refers to my_ldap_server. This LDAP server must be configured in the main config.xml file as described previously.
When SQL-driven Access Control and Account Management is enabled, users that are authenticated by LDAP servers can also be created using the CREATE USER statement.
Query
LDAP external user directory
In addition to the locally defined users, a remote LDAP server can be used as a source of user definitions. To achieve this, specify previously defined LDAP server name (see LDAP Server Definition) in theldap section inside the users_directories section of the config.xml file.
At each login attempt, ClickHouse tries to find the user definition locally and authenticate it as usual. If the user is not defined, ClickHouse will assume the definition exists in the external LDAP directory and will try to “bind” to the specified DN at the LDAP server using the provided credentials. If successful, the user will be considered existing and authenticated. The user will be assigned roles from the list specified in the roles section. Additionally, LDAP “search” can be performed and results can be transformed and treated as role names and then be assigned to the user if the role_mapping section is also configured. All this implies that the SQL-driven Access Control and Account Management is enabled and roles are created using the CREATE ROLE statement.
Example
Goes into config.xml.
my_ldap_server referred in the ldap section inside the user_directories section must be a previously defined LDAP server that is configured in the config.xml (see LDAP Server Definition).
Parameters
role_mapping sub-parameters
Section with LDAP search parameters and mapping rules. When a user authenticates, while still bound to LDAP, an LDAP search is performed using search_filter and the name of the logged-in user. For each entry found during that search, the value of the specified attribute is extracted. For each attribute value that has the specified prefix, the prefix is removed, and the rest of the value becomes the name of a local role defined in ClickHouse, which is expected to be created beforehand by the CREATE ROLE statement. There can be multiple role_mapping sections defined inside the same ldap section. All of them will be applied.