@@ -5,58 +5,57 @@ Trino supports resolving user group memberships from an LDAP server for system a
55## Configuration
66
77Enable LDAP group provider by creating an ` etc/group-provider.properties ` file on the coordinator:
8-
98``` properties
109group-provider.name =ldap
1110```
1211
13- ## Configuration properties
14-
15-
1612### Generic LDAP properties
1713
18- | Property | Description |
19- | --------------------------------------| ----------------------------------------------------------------------------------------------------------------------|
20- | ` ldap.url ` | LDAP server URI. Example: ` ldap://host:389 ` or ` ldaps://host:636 ` ) |
21- | ` ldap.allow-insecure ` | Allow insecure connection to the LDAP server |
22- | ` ldap.ssl.keystore.path ` | Path to the PEM or JKS key store |
23- | ` ldap.ssl.keystore.password ` | Password for the key store |
24- | ` ldap.ssl.truststore.path ` | Path to the PEM or JKS trust store |
25- | ` ldap.ssl.truststore.password ` | Password for the trust store |
26- | ` ldap.ignore-referrals ` | Referrals allow finding entries across multiple LDAP servers. Ignore them to only search within 1 LDAP server |
27- | ` ldap.timeout.connect ` | Timeout for establishing a connection |
28- | ` ldap.timeout.read ` | Timeout for reading data from LDAP |
29- | ` ldap.admin-user ` | Bind distinguished name for admin user. Example: ` CN=User Name,OU=CITY_OU ,OU=STATE_OU ,DC=domain,DC=domain_root ` |
30- | ` ldap.admin-password ` | Bind password used for admin user. Example: ` password1234 ` |
31- | ` ldap.user-base-dn ` | Base distinguished name for users. Example: ` dc=example,dc=com ` |
32- | ` ldap.user-search-filter ` | LDAP filter to find user entries; ` {0} ` is replaced with the Trino username. Example: ` (cn={0}) ` |
33- | ` ldap.group-name-attribute ` | Attribute to extract group name from group entry. Example: ` cn ` |
34- | ` ldap.use-group-filter ` | Whether to use search-based group resolution. Defaults to ` true ` . If ` false ` , Trino uses the attribute-based method. |
14+ | Property | Description | Example |
15+ | --------------------------------| ------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------|
16+ | ` ldap.url ` | LDAP server URI. | ` ldap://host:389 ` or ` ldaps://host:636 ` ) |
17+ | ` ldap.allow-insecure ` | Allow insecure connection to the LDAP server | |
18+ | ` ldap.ssl.keystore.path ` | Path to the PEM or JKS key store | |
19+ | ` ldap.ssl.keystore.password ` | Password for the key store | |
20+ | ` ldap.ssl.truststore.path ` | Path to the PEM or JKS trust store | |
21+ | ` ldap.ssl.truststore.password ` | Password for the trust store | |
22+ | ` ldap.ignore-referrals ` | Referrals allow finding entries across multiple LDAP servers. Ignore them to only search within 1 LDAP server | |
23+ | ` ldap.timeout.connect ` | Timeout for establishing a connection | |
24+ | ` ldap.timeout.read ` | Timeout for reading data from LDAP | |
25+ | ` ldap.admin-user ` | Bind distinguished name for admin user. | ` CN=User Name,OU=City ,OU=State ,DC=domain,DC=domain_root ` |
26+ | ` ldap.admin-password ` | Bind password used for admin user. | ` password1234 ` |
27+ | ` ldap.user-base-dn ` | Base distinguished name for users. | ` dc=example,dc=com ` |
28+ | ` ldap.user-search-filter ` | LDAP filter to find user entries; ` {0} ` is replaced with the Trino username. | ` (cn={0}) ` |
29+ | ` ldap.group-name-attribute ` | Attribute to extract group name from group entry. | ` cn ` |
30+ | ` ldap.use-group-filter ` | Whether to use search-based group resolution. Defaults to ` true ` . If ` false ` , Trino uses the attribute-based method. | |
3531
3632## Group resolution strategy
3733
38- Group resolution behavior is controlled by the ` ldap.use-group-filter ` property:
34+ Group resolution behavior is controlled by the ` ldap.use-group-filter ` property.
3935
40- ### Search-based group resolution** (` ldap.use-group-filter=true ` , the default):
36+ | Property | Description |
37+ | --------------------------| ----------------------------------------------------------------------------------------------------------------------|
38+ | ` ldap.use-group-filter ` | Whether to use search-based group resolution. Defaults to ` true ` . If ` false ` , Trino uses the attribute-based method. |
4139
42- Trino searches for group entries that include the user DN. This requires:
40+ ### Search-based group resolution
4341
44- | Property | Description |
45- | --------------------------------------| ----------------------------------------------------------------------------------------------------------------------|
46- | ` ldap.group-base-dn ` | Base distinguished name for groups. Example: ` dc=example,dc=com ` |
47- | ` ldap.group-search-filter ` | Search filter for group documents. Example: ` (cn=trino_*) ` |
48- | ` ldap.group-search-member-attribute ` | Attribute from group documents used for filtering by member. Example: ` cn ` |
42+ Trino searches for group entries that include the user DN. This requires the following properties:
4943
44+ | Property | Description | Example |
45+ | --------------------------------------| --------------------------------------------------------------| ---------------------|
46+ | ` ldap.group-base-dn ` | Base distinguished name for groups. | ` dc=example,dc=com ` |
47+ | ` ldap.group-search-filter ` | Search filter for group documents. | ` (cn=trino_*) ` |
48+ | ` ldap.group-search-member-attribute ` | Attribute from group documents used for filtering by member. | ` cn ` |
5049
51- ### Single query group resultion ** ( ` ldap.use-group-filter=false ` ):
50+ ### attribute-based (single query) group resolution
5251
53- Trino reads the group list directly from a user attribute (Example, ` memberOf ` ) . This requires:
52+ Trino reads the group list directly from a user attribute. This requires the following property :
5453
55- | Property | Description |
56- | -------------------------------------- | ---------------------------------------------------------------------------------------------------------- ------------|
57- | ` ldap.user-member-of-attribute ` | Group membership attribute in user documents. Example: ` memberOf ` |
54+ | Property | Description | Example |
55+ | ----------------------------------| -----------------------------------------------| ------------|
56+ | ` ldap.user-member-of-attribute ` | Group membership attribute in user documents. | ` memberOf ` |
5857
59- # Example configurations
58+ ## Example configurations
6059
6160### OpenLDAP (search-based)
6261
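Review bot: the `ldap.use-group-filter` row now appears twice with an identical description, once in the generic LDAP properties table and again in the new table under "Group resolution strategy"; keep it in one place (the strategy section, where the two modes are explained) and drop the other row so the copies cannot drift apart. Smaller points in the same hunk: the `ldap.url` example cell still carries a stray closing parenthesis after `ldaps://host:636`; the new heading `### attribute-based (single query) group resolution` should be capitalised like `### Search-based group resolution`; and `This requires the following property :` has a space before the colon. Since `ldap.allow-insecure` is the switch that permits unencrypted connections, its description would be more useful if it pointed readers to the `ldaps://` URL form and the `ldap.ssl.truststore.*` properties listed beside it as the intended alternative.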
@@ -67,16 +66,16 @@ ldap.url=ldap://ldap.example.com:389
6766ldap.admin-user =cn =admin,dc =example,dc =com
6867ldap.admin-password =your_password
6968ldap.group-name-attribute =cn
70- ldap.use-group-filter =true
7169ldap.user-base-dn =ou =users,dc =example,dc =com
7270ldap.user-search-filter =(uid ={0})
71+ ldap.use-group-filter =true
7372
7473ldap.group-base-dn =ou =groups,dc =example,dc =com
7574ldap.group-search-filter =(cn =trino_*)
7675ldap.group-search-member-attribute =member
7776```
7877
79- ### Active Directory (attribute-based)
78+ ### Active Directory (single query, attribute-based)
8079
8180``` properties
8281group-provider.name =ldap
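Review bot: moving `ldap.use-group-filter=true` next to the user properties separates it from the `ldap.group-*` settings it enables; since the new "Group resolution strategy" section presents it as the mode switch, placing it after the blank line as the first line of the group block (or adding a comment that `true` is the default and is shown explicitly) would make the example easier to follow. Also, this example binds with `ldap.admin-password` over plain `ldap://ldap.example.com:389`; either use `ldaps://` as the Active Directory example does, or state that the configuration relies on `ldap.allow-insecure`, so readers do not copy an unencrypted admin bind without realising it.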
@@ -85,9 +84,9 @@ ldap.url=ldaps://ad.example.com:636
8584ldap.admin-user =cn =admin,dc =example,dc =com
8685ldap.admin-password =your_password
8786ldap.group-name-attribute =cn
88- ldap.use-group-filter =false
8987ldap.user-base-dn =ou =users,dc =example,dc =com
9088ldap.user-search-filter =(sAMAccountName ={0})
89+ ldap.use-group-filter =false
9190
9291ldap.user-member-of-attribute =memberOf
9392```
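Review bot: the renamed heading `### Active Directory (single query, attribute-based)` and the section heading `### attribute-based (single query) group resolution` describe the same mode with the words in a different order; pick one phrasing, e.g. "attribute-based (single query)", and use it in both places. The moved `ldap.use-group-filter=false` line sits before the blank line while `ldap.user-member-of-attribute=memberOf`, the property this mode requires, sits after it; keeping the two together (and doing the same in the search-based example) shows which settings belong to each mode.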