release-24.2: ldapccl,sql: validate ldap options provided in HBA config entry #132748
+419 −176
Backport 1/1 commits from #132086.
/cc @cockroachdb/release
fixes CRDB-41624
Epic: CRDB-33829
Currently, we validate the LDAP configuration provided as HBA entry options at the time an auth request comes in for LDAP. This prevents us from disallowing an invalid/incomplete list of LDAP options in HBA. This PR fixes the issue.
Release note(security, ops): HBA config entry for LDAP will be evaluated with validations for proper LDAP config parameter values, and any invalid/incomplete options list will be disallowed to amend the HBA setting. We will validate all fields provided as LDAP auth method options in the HBA entry.
Release justification: We need to backport the fix as LDAP will be retroactively added to the 24.2 feature list.