# SRS-007 ClickHouse Authentication of Users via LDAP ## Table of Contents * 1 [Revision History](#revision-history) * 2 [Introduction](#introduction) * 3 [Terminology](#terminology) * 4 [Requirements](#requirements) * 4.1 [Generic](#generic) * 4.1.1 [RQ.SRS-007.LDAP.Authentication](#rqsrs-007ldapauthentication) * 4.1.2 [RQ.SRS-007.LDAP.Authentication.MultipleServers](#rqsrs-007ldapauthenticationmultipleservers) * 4.1.3 [RQ.SRS-007.LDAP.Authentication.Protocol.PlainText](#rqsrs-007ldapauthenticationprotocolplaintext) * 4.1.4 [RQ.SRS-007.LDAP.Authentication.Protocol.TLS](#rqsrs-007ldapauthenticationprotocoltls) * 4.1.5 [RQ.SRS-007.LDAP.Authentication.Protocol.StartTLS](#rqsrs-007ldapauthenticationprotocolstarttls) * 4.1.6 [RQ.SRS-007.LDAP.Authentication.TLS.Certificate.Validation](#rqsrs-007ldapauthenticationtlscertificatevalidation) * 4.1.7 [RQ.SRS-007.LDAP.Authentication.TLS.Certificate.SelfSigned](#rqsrs-007ldapauthenticationtlscertificateselfsigned) * 4.1.8 [RQ.SRS-007.LDAP.Authentication.TLS.Certificate.SpecificCertificationAuthority](#rqsrs-007ldapauthenticationtlscertificatespecificcertificationauthority) * 4.1.9 [RQ.SRS-007.LDAP.Server.Configuration.Invalid](#rqsrs-007ldapserverconfigurationinvalid) * 4.1.10 [RQ.SRS-007.LDAP.User.Configuration.Invalid](#rqsrs-007ldapuserconfigurationinvalid) * 4.1.11 [RQ.SRS-007.LDAP.Authentication.Mechanism.Anonymous](#rqsrs-007ldapauthenticationmechanismanonymous) * 4.1.12 [RQ.SRS-007.LDAP.Authentication.Mechanism.Unauthenticated](#rqsrs-007ldapauthenticationmechanismunauthenticated) * 4.1.13 [RQ.SRS-007.LDAP.Authentication.Mechanism.NamePassword](#rqsrs-007ldapauthenticationmechanismnamepassword) * 4.1.14 [RQ.SRS-007.LDAP.Authentication.Valid](#rqsrs-007ldapauthenticationvalid) * 4.1.15 [RQ.SRS-007.LDAP.Authentication.Invalid](#rqsrs-007ldapauthenticationinvalid) * 4.1.16 [RQ.SRS-007.LDAP.Authentication.Invalid.DeletedUser](#rqsrs-007ldapauthenticationinvaliddeleteduser) * 4.1.17 [RQ.SRS-007.LDAP.Authentication.UsernameChanged](#rqsrs-007ldapauthenticationusernamechanged) * 4.1.18 [RQ.SRS-007.LDAP.Authentication.PasswordChanged](#rqsrs-007ldapauthenticationpasswordchanged) * 4.1.19 [RQ.SRS-007.LDAP.Authentication.LDAPServerRestart](#rqsrs-007ldapauthenticationldapserverrestart) * 4.1.20 [RQ.SRS-007.LDAP.Authentication.ClickHouseServerRestart](#rqsrs-007ldapauthenticationclickhouseserverrestart) * 4.1.21 [RQ.SRS-007.LDAP.Authentication.Parallel](#rqsrs-007ldapauthenticationparallel) * 4.1.22 [RQ.SRS-007.LDAP.Authentication.Parallel.ValidAndInvalid](#rqsrs-007ldapauthenticationparallelvalidandinvalid) * 4.2 [Specific](#specific) * 4.2.1 [RQ.SRS-007.LDAP.UnreachableServer](#rqsrs-007ldapunreachableserver) * 4.2.2 [RQ.SRS-007.LDAP.Configuration.Server.Name](#rqsrs-007ldapconfigurationservername) * 4.2.3 [RQ.SRS-007.LDAP.Configuration.Server.Host](#rqsrs-007ldapconfigurationserverhost) * 4.2.4 [RQ.SRS-007.LDAP.Configuration.Server.Port](#rqsrs-007ldapconfigurationserverport) * 4.2.5 [RQ.SRS-007.LDAP.Configuration.Server.Port.Default](#rqsrs-007ldapconfigurationserverportdefault) * 4.2.6 [RQ.SRS-007.LDAP.Configuration.Server.AuthDN.Prefix](#rqsrs-007ldapconfigurationserverauthdnprefix) * 4.2.7 [RQ.SRS-007.LDAP.Configuration.Server.AuthDN.Suffix](#rqsrs-007ldapconfigurationserverauthdnsuffix) * 4.2.8 [RQ.SRS-007.LDAP.Configuration.Server.AuthDN.Value](#rqsrs-007ldapconfigurationserverauthdnvalue) * 4.2.9 [RQ.SRS-007.LDAP.Configuration.Server.EnableTLS](#rqsrs-007ldapconfigurationserverenabletls) * 4.2.10 [RQ.SRS-007.LDAP.Configuration.Server.EnableTLS.Options.Default](#rqsrs-007ldapconfigurationserverenabletlsoptionsdefault) * 4.2.11 [RQ.SRS-007.LDAP.Configuration.Server.EnableTLS.Options.No](#rqsrs-007ldapconfigurationserverenabletlsoptionsno) * 4.2.12 [RQ.SRS-007.LDAP.Configuration.Server.EnableTLS.Options.Yes](#rqsrs-007ldapconfigurationserverenabletlsoptionsyes) * 4.2.13 [RQ.SRS-007.LDAP.Configuration.Server.EnableTLS.Options.StartTLS](#rqsrs-007ldapconfigurationserverenabletlsoptionsstarttls) * 4.2.14 [RQ.SRS-007.LDAP.Configuration.Server.TLSMinimumProtocolVersion](#rqsrs-007ldapconfigurationservertlsminimumprotocolversion) * 4.2.15 [RQ.SRS-007.LDAP.Configuration.Server.TLSMinimumProtocolVersion.Values](#rqsrs-007ldapconfigurationservertlsminimumprotocolversionvalues) * 4.2.16 [RQ.SRS-007.LDAP.Configuration.Server.TLSMinimumProtocolVersion.Default](#rqsrs-007ldapconfigurationservertlsminimumprotocolversiondefault) * 4.2.17 [RQ.SRS-007.LDAP.Configuration.Server.TLSRequireCert](#rqsrs-007ldapconfigurationservertlsrequirecert) * 4.2.18 [RQ.SRS-007.LDAP.Configuration.Server.TLSRequireCert.Options.Default](#rqsrs-007ldapconfigurationservertlsrequirecertoptionsdefault) * 4.2.19 [RQ.SRS-007.LDAP.Configuration.Server.TLSRequireCert.Options.Demand](#rqsrs-007ldapconfigurationservertlsrequirecertoptionsdemand) * 4.2.20 [RQ.SRS-007.LDAP.Configuration.Server.TLSRequireCert.Options.Allow](#rqsrs-007ldapconfigurationservertlsrequirecertoptionsallow) * 4.2.21 [RQ.SRS-007.LDAP.Configuration.Server.TLSRequireCert.Options.Try](#rqsrs-007ldapconfigurationservertlsrequirecertoptionstry) * 4.2.22 [RQ.SRS-007.LDAP.Configuration.Server.TLSRequireCert.Options.Never](#rqsrs-007ldapconfigurationservertlsrequirecertoptionsnever) * 4.2.23 [RQ.SRS-007.LDAP.Configuration.Server.TLSCertFile](#rqsrs-007ldapconfigurationservertlscertfile) * 4.2.24 [RQ.SRS-007.LDAP.Configuration.Server.TLSKeyFile](#rqsrs-007ldapconfigurationservertlskeyfile) * 4.2.25 [RQ.SRS-007.LDAP.Configuration.Server.TLSCACertDir](#rqsrs-007ldapconfigurationservertlscacertdir) * 4.2.26 [RQ.SRS-007.LDAP.Configuration.Server.TLSCACertFile](#rqsrs-007ldapconfigurationservertlscacertfile) * 4.2.27 [RQ.SRS-007.LDAP.Configuration.Server.TLSCipherSuite](#rqsrs-007ldapconfigurationservertlsciphersuite) * 4.2.28 [RQ.SRS-007.LDAP.Configuration.Server.Syntax](#rqsrs-007ldapconfigurationserversyntax) * 4.2.29 [RQ.SRS-007.LDAP.Configuration.User.RBAC](#rqsrs-007ldapconfigurationuserrbac) * 4.2.30 [RQ.SRS-007.LDAP.Configuration.User.Syntax](#rqsrs-007ldapconfigurationusersyntax) * 4.2.31 [RQ.SRS-007.LDAP.Configuration.User.Name.Empty](#rqsrs-007ldapconfigurationusernameempty) * 4.2.32 [RQ.SRS-007.LDAP.Configuration.User.BothPasswordAndLDAP](#rqsrs-007ldapconfigurationuserbothpasswordandldap) * 4.2.33 [RQ.SRS-007.LDAP.Configuration.User.LDAP.InvalidServerName.NotDefined](#rqsrs-007ldapconfigurationuserldapinvalidservernamenotdefined) * 4.2.34 [RQ.SRS-007.LDAP.Configuration.User.LDAP.InvalidServerName.Empty](#rqsrs-007ldapconfigurationuserldapinvalidservernameempty) * 4.2.35 [RQ.SRS-007.LDAP.Configuration.User.OnlyOneServer](#rqsrs-007ldapconfigurationuseronlyoneserver) * 4.2.36 [RQ.SRS-007.LDAP.Configuration.User.Name.Long](#rqsrs-007ldapconfigurationusernamelong) * 4.2.37 [RQ.SRS-007.LDAP.Configuration.User.Name.UTF8](#rqsrs-007ldapconfigurationusernameutf8) * 4.2.38 [RQ.SRS-007.LDAP.Authentication.Username.Empty](#rqsrs-007ldapauthenticationusernameempty) * 4.2.39 [RQ.SRS-007.LDAP.Authentication.Username.Long](#rqsrs-007ldapauthenticationusernamelong) * 4.2.40 [RQ.SRS-007.LDAP.Authentication.Username.UTF8](#rqsrs-007ldapauthenticationusernameutf8) * 4.2.41 [RQ.SRS-007.LDAP.Authentication.Password.Empty](#rqsrs-007ldapauthenticationpasswordempty) * 4.2.42 [RQ.SRS-007.LDAP.Authentication.Password.Long](#rqsrs-007ldapauthenticationpasswordlong) * 4.2.43 [RQ.SRS-007.LDAP.Authentication.Password.UTF8](#rqsrs-007ldapauthenticationpasswordutf8) * 5 [References](#references) ## Revision History This document is stored in an electronic form using [Git] source control management software hosted in a [GitHub Repository]. All the updates are tracked using the [Git]'s [Revision History]. ## Introduction [ClickHouse] currently does not have any integration with [LDAP]. As the initial step in integrating with [LDAP] this software requirements specification covers only the requirements to enable authentication of users using an [LDAP] server. ## Terminology * **CA** - Certificate Authority ([CA]) * **LDAP** - Lightweight Directory Access Protocol ([LDAP]) ## Requirements ### Generic #### RQ.SRS-007.LDAP.Authentication version: 1.0 [ClickHouse] SHALL support user authentication via an [LDAP] server. #### RQ.SRS-007.LDAP.Authentication.MultipleServers version: 1.0 [ClickHouse] SHALL support specifying multiple [LDAP] servers that can be used to authenticate users. #### RQ.SRS-007.LDAP.Authentication.Protocol.PlainText version: 1.0 [ClickHouse] SHALL support user authentication using plain text `ldap://` non secure protocol. #### RQ.SRS-007.LDAP.Authentication.Protocol.TLS version: 1.0 [ClickHouse] SHALL support user authentication using `SSL/TLS` `ldaps://` secure protocol. #### RQ.SRS-007.LDAP.Authentication.Protocol.StartTLS version: 1.0 [ClickHouse] SHALL support user authentication using legacy `StartTLS` protocol which is a plain text `ldap://` protocol that is upgraded to [TLS]. #### RQ.SRS-007.LDAP.Authentication.TLS.Certificate.Validation version: 1.0 [ClickHouse] SHALL support certificate validation used for [TLS] connections. #### RQ.SRS-007.LDAP.Authentication.TLS.Certificate.SelfSigned version: 1.0 [ClickHouse] SHALL support self-signed certificates for [TLS] connections. #### RQ.SRS-007.LDAP.Authentication.TLS.Certificate.SpecificCertificationAuthority version: 1.0 [ClickHouse] SHALL support certificates signed by specific Certification Authority for [TLS] connections. #### RQ.SRS-007.LDAP.Server.Configuration.Invalid version: 1.0 [ClickHouse] SHALL return an error and prohibit user login if [LDAP] server configuration is not valid. #### RQ.SRS-007.LDAP.User.Configuration.Invalid version: 1.0 [ClickHouse] SHALL return an error and prohibit user login if user configuration is not valid. #### RQ.SRS-007.LDAP.Authentication.Mechanism.Anonymous version: 1.0 [ClickHouse] SHALL return an error and prohibit authentication using [Anonymous Authentication Mechanism of Simple Bind] authentication mechanism. #### RQ.SRS-007.LDAP.Authentication.Mechanism.Unauthenticated version: 1.0 [ClickHouse] SHALL return an error and prohibit authentication using [Unauthenticated Authentication Mechanism of Simple Bind] authentication mechanism. #### RQ.SRS-007.LDAP.Authentication.Mechanism.NamePassword version: 1.0 [ClickHouse] SHALL allow authentication using only [Name/Password Authentication Mechanism of Simple Bind] authentication mechanism. #### RQ.SRS-007.LDAP.Authentication.Valid version: 1.0 [ClickHouse] SHALL only allow user authentication using [LDAP] server if and only if user name and password match [LDAP] server records for the user. #### RQ.SRS-007.LDAP.Authentication.Invalid version: 1.0 [ClickHouse] SHALL return an error and prohibit authentication if either user name or password do not match [LDAP] server records for the user. #### RQ.SRS-007.LDAP.Authentication.Invalid.DeletedUser version: 1.0 [ClickHouse] SHALL return an error and prohibit authentication if the user has been deleted from the [LDAP] server. #### RQ.SRS-007.LDAP.Authentication.UsernameChanged version: 1.0 [ClickHouse] SHALL return an error and prohibit authentication if the username is changed on the [LDAP] server. #### RQ.SRS-007.LDAP.Authentication.PasswordChanged version: 1.0 [ClickHouse] SHALL return an error and prohibit authentication if the password for the user is changed on the [LDAP] server. #### RQ.SRS-007.LDAP.Authentication.LDAPServerRestart version: 1.0 [ClickHouse] SHALL support authenticating users after [LDAP] server is restarted. #### RQ.SRS-007.LDAP.Authentication.ClickHouseServerRestart version: 1.0 [ClickHouse] SHALL support authenticating users after server is restarted. #### RQ.SRS-007.LDAP.Authentication.Parallel version: 1.0 [ClickHouse] SHALL support parallel authentication of users using [LDAP] server. #### RQ.SRS-007.LDAP.Authentication.Parallel.ValidAndInvalid version: 1.0 [ClickHouse] SHALL support authentication of valid users and prohibit authentication of invalid users using [LDAP] server in parallel without having invalid attempts affecting valid authentications. ### Specific #### RQ.SRS-007.LDAP.UnreachableServer version: 1.0 [ClickHouse] SHALL return an error and prohibit user login if [LDAP] server is unreachable. #### RQ.SRS-007.LDAP.Configuration.Server.Name version: 1.0 [ClickHouse] SHALL not support empty string as a server name. #### RQ.SRS-007.LDAP.Configuration.Server.Host version: 1.0 [ClickHouse] SHALL support `` parameter to specify [LDAP] server hostname or IP, this parameter SHALL be mandatory and SHALL not be empty. #### RQ.SRS-007.LDAP.Configuration.Server.Port version: 1.0 [ClickHouse] SHALL support `` parameter to specify [LDAP] server port. #### RQ.SRS-007.LDAP.Configuration.Server.Port.Default version: 1.0 [ClickHouse] SHALL use default port number `636` if `enable_tls` is set to `yes` or `389` otherwise. #### RQ.SRS-007.LDAP.Configuration.Server.AuthDN.Prefix version: 1.0 [ClickHouse] SHALL support `` parameter to specify the prefix of value used to construct the DN to bound to during authentication via [LDAP] server. #### RQ.SRS-007.LDAP.Configuration.Server.AuthDN.Suffix version: 1.0 [ClickHouse] SHALL support `` parameter to specify the suffix of value used to construct the DN to bound to during authentication via [LDAP] server. #### RQ.SRS-007.LDAP.Configuration.Server.AuthDN.Value version: 1.0 [ClickHouse] SHALL construct DN as `auth_dn_prefix + escape(user_name) + auth_dn_suffix` string. > This implies that auth_dn_suffix should usually have comma ',' as its first non-space character. #### RQ.SRS-007.LDAP.Configuration.Server.EnableTLS version: 1.0 [ClickHouse] SHALL support `` parameter to trigger the use of secure connection to the [LDAP] server. #### RQ.SRS-007.LDAP.Configuration.Server.EnableTLS.Options.Default version: 1.0 [ClickHouse] SHALL use `yes` value as the default for `` parameter to enable SSL/TLS `ldaps://` protocol. #### RQ.SRS-007.LDAP.Configuration.Server.EnableTLS.Options.No version: 1.0 [ClickHouse] SHALL support specifying `no` as the value of `` parameter to enable plain text `ldap://` protocol. #### RQ.SRS-007.LDAP.Configuration.Server.EnableTLS.Options.Yes version: 1.0 [ClickHouse] SHALL support specifying `yes` as the value of `` parameter to enable SSL/TLS `ldaps://` protocol. #### RQ.SRS-007.LDAP.Configuration.Server.EnableTLS.Options.StartTLS version: 1.0 [ClickHouse] SHALL support specifying `starttls` as the value of `` parameter to enable legacy `StartTLS` protocol that used plain text `ldap://` protocol, upgraded to [TLS]. #### RQ.SRS-007.LDAP.Configuration.Server.TLSMinimumProtocolVersion version: 1.0 [ClickHouse] SHALL support `` parameter to specify the minimum protocol version of SSL/TLS. #### RQ.SRS-007.LDAP.Configuration.Server.TLSMinimumProtocolVersion.Values version: 1.0 [ClickHouse] SHALL support specifying `ssl2`, `ssl3`, `tls1.0`, `tls1.1`, and `tls1.2` as a value of the `` parameter. #### RQ.SRS-007.LDAP.Configuration.Server.TLSMinimumProtocolVersion.Default version: 1.0 [ClickHouse] SHALL set `tls1.2` as the default value of the `` parameter. #### RQ.SRS-007.LDAP.Configuration.Server.TLSRequireCert version: 1.0 [ClickHouse] SHALL support `` parameter to specify [TLS] peer certificate verification behavior. #### RQ.SRS-007.LDAP.Configuration.Server.TLSRequireCert.Options.Default version: 1.0 [ClickHouse] SHALL use `demand` value as the default for the `` parameter. #### RQ.SRS-007.LDAP.Configuration.Server.TLSRequireCert.Options.Demand version: 1.0 [ClickHouse] SHALL support specifying `demand` as the value of `` parameter to enable requesting of client certificate. If no certificate is provided, or a bad certificate is provided, the session SHALL be immediately terminated. #### RQ.SRS-007.LDAP.Configuration.Server.TLSRequireCert.Options.Allow version: 1.0 [ClickHouse] SHALL support specifying `allow` as the value of `` parameter to enable requesting of client certificate. If no certificate is provided, the session SHALL proceed normally. If a bad certificate is provided, it SHALL be ignored and the session SHALL proceed normally. #### RQ.SRS-007.LDAP.Configuration.Server.TLSRequireCert.Options.Try version: 1.0 [ClickHouse] SHALL support specifying `try` as the value of `` parameter to enable requesting of client certificate. If no certificate is provided, the session SHALL proceed normally. If a bad certificate is provided, the session SHALL be immediately terminated. #### RQ.SRS-007.LDAP.Configuration.Server.TLSRequireCert.Options.Never version: 1.0 [ClickHouse] SHALL support specifying `never` as the value of `` parameter to disable requesting of client certificate. #### RQ.SRS-007.LDAP.Configuration.Server.TLSCertFile version: 1.0 [ClickHouse] SHALL support `` to specify the path to certificate file used by [ClickHouse] to establish connection with the [LDAP] server. #### RQ.SRS-007.LDAP.Configuration.Server.TLSKeyFile version: 1.0 [ClickHouse] SHALL support `` to specify the path to key file for the certificate specified by the `` parameter. #### RQ.SRS-007.LDAP.Configuration.Server.TLSCACertDir version: 1.0 [ClickHouse] SHALL support `` parameter to specify to a path to the directory containing [CA] certificates used to verify certificates provided by the [LDAP] server. #### RQ.SRS-007.LDAP.Configuration.Server.TLSCACertFile version: 1.0 [ClickHouse] SHALL support `` parameter to specify a path to a specific [CA] certificate file used to verify certificates provided by the [LDAP] server. #### RQ.SRS-007.LDAP.Configuration.Server.TLSCipherSuite version: 1.0 [ClickHouse] SHALL support `tls_cipher_suite` parameter to specify allowed cipher suites. The value SHALL use the same format as the `ciphersuites` in the [OpenSSL Ciphers]. For example, ```xml ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384 ``` The available suites SHALL depend on the [OpenSSL] library version and variant used to build [ClickHouse] and therefore might change. #### RQ.SRS-007.LDAP.Configuration.Server.Syntax version: 1.0 [ClickHouse] SHALL support the following example syntax to create an entry for an [LDAP] server inside the `config.xml` configuration file or of any configuration file inside the `config.d` directory. ```xml localhost 636 cn= , ou=users, dc=example, dc=com yes tls1.2 demand /path/to/tls_cert_file /path/to/tls_key_file /path/to/tls_ca_cert_file /path/to/tls_ca_cert_dir ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384 ``` #### RQ.SRS-007.LDAP.Configuration.User.RBAC version: 1.0 [ClickHouse] SHALL support creating users identified using an [LDAP] server using the following RBAC command ```sql CREATE USER name IDENTIFIED WITH ldap_server BY 'server_name' ``` #### RQ.SRS-007.LDAP.Configuration.User.Syntax version: 1.0 [ClickHouse] SHALL support the following example syntax to create a user that is authenticated using an [LDAP] server inside the `users.xml` file or any configuration file inside the `users.d` directory. ```xml my_ldap_server ``` #### RQ.SRS-007.LDAP.Configuration.User.Name.Empty version: 1.0 [ClickHouse] SHALL not support empty string as a user name. #### RQ.SRS-007.LDAP.Configuration.User.BothPasswordAndLDAP version: 1.0 [ClickHouse] SHALL throw an error if `` is specified for the user and at the same time user configuration contains any of the `` entries. #### RQ.SRS-007.LDAP.Configuration.User.LDAP.InvalidServerName.NotDefined version: 1.0 [ClickHouse] SHALL throw an error during any authentication attempt if the name of the [LDAP] server used inside the `` entry is not defined in the `` section. #### RQ.SRS-007.LDAP.Configuration.User.LDAP.InvalidServerName.Empty version: 1.0 [ClickHouse] SHALL throw an error during any authentication attempt if the name of the [LDAP] server used inside the `` entry is empty. #### RQ.SRS-007.LDAP.Configuration.User.OnlyOneServer version: 1.0 [ClickHouse] SHALL support specifying only one [LDAP] server for a given user. #### RQ.SRS-007.LDAP.Configuration.User.Name.Long version: 1.0 [ClickHouse] SHALL support long user names of at least 256 bytes to specify users that can be authenticated using an [LDAP] server. #### RQ.SRS-007.LDAP.Configuration.User.Name.UTF8 version: 1.0 [ClickHouse] SHALL support user names that contain [UTF-8] characters. #### RQ.SRS-007.LDAP.Authentication.Username.Empty version: 1.0 [ClickHouse] SHALL not support authenticating users with empty username. #### RQ.SRS-007.LDAP.Authentication.Username.Long version: 1.0 [ClickHouse] SHALL support authenticating users with a long username of at least 256 bytes. #### RQ.SRS-007.LDAP.Authentication.Username.UTF8 version: 1.0 [ClickHouse] SHALL support authentication users with a username that contains [UTF-8] characters. #### RQ.SRS-007.LDAP.Authentication.Password.Empty version: 1.0 [ClickHouse] SHALL not support authenticating users with empty passwords even if an empty password is valid for the user and is allowed by the [LDAP] server. #### RQ.SRS-007.LDAP.Authentication.Password.Long version: 1.0 [ClickHouse] SHALL support long password of at least 256 bytes that can be used to authenticate users using an [LDAP] server. #### RQ.SRS-007.LDAP.Authentication.Password.UTF8 version: 1.0 [ClickHouse] SHALL support [UTF-8] characters in passwords used to authenticate users using an [LDAP] server. ## References * **ClickHouse:** https://clickhouse.tech [Anonymous Authentication Mechanism of Simple Bind]: https://ldapwiki.com/wiki/Simple%20Authentication#section-Simple+Authentication-AnonymousAuthenticationMechanismOfSimpleBind [Unauthenticated Authentication Mechanism of Simple Bind]: https://ldapwiki.com/wiki/Simple%20Authentication#section-Simple+Authentication-UnauthenticatedAuthenticationMechanismOfSimpleBind [Name/Password Authentication Mechanism of Simple Bind]: https://ldapwiki.com/wiki/Simple%20Authentication#section-Simple+Authentication-NamePasswordAuthenticationMechanismOfSimpleBind [UTF-8]: https://en.wikipedia.org/wiki/UTF-8 [OpenSSL]: https://www.openssl.org/ [OpenSSL Ciphers]: https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html [CA]: https://en.wikipedia.org/wiki/Certificate_authority [TLS]: https://en.wikipedia.org/wiki/Transport_Layer_Security [LDAP]: https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol [ClickHouse]: https://clickhouse.tech [GitHub]: https://github.com [GitHub Repository]: https://github.com/ClickHouse/ClickHouse/blob/master/tests/testflows/ldap/authentication/requirements/requirements.md [Revision History]: https://github.com/ClickHouse/ClickHouse/commits/master/tests/testflows/ldap/authentication/requirements/requirements.md [Git]: https://git-scm.com/