docs: update v26.2 LDAP and OIDC authentication for DB Console #23213
Open
Updates documentation to reflect four new capabilities in v26.2:
- LDAP authorization (RBAC) now works for DB Console logins
- LDAP auto-provisioning now works for DB Console logins
- Login time tracking (estimated_last_login_time) for LDAP DB Console
- Login time tracking (estimated_last_login_time) for OIDC DB Console

Changes:
- Fix incorrect statement that authorization doesn't work for DB Console
- Clarify LDAP authorization applies to both SQL clients and DB Console
- Document auto-provisioning support for DB Console connections
- Document estimated_last_login_time population for both auth methods
- Add cross-references between LDAP and OIDC documentation

Based on PRs:
- #162302: authserver,ldapccl: enable ldap authorization for db console
- #163199: authserver,ldapccl: enable ldap user provisioning for db console
- #163400: authserver,pgwire: populate estimated_last_login_time for ldap
- #164129: oidcccl: populate estimated_last_login_time for OIDC

Epic: CRDB-52460
Fixes: DOC-14308
Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
souravcrl
approved these changes
Apr 25, 2026
|
|
||
| ### Last-login tracking for usage and dormancy | ||
|
|
||
| When `security.provisioning.ldap.enabled` is set to `true`, the `estimated_last_login_time` column in the `SHOW USERS` output is updated for both SQL client connections and DB Console logins. This allows administrators to track user activity across all connection methods and identify dormant accounts. |
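Review bot: The added paragraph under "Last-login tracking for usage and dormancy" does not say which event updates `estimated_last_login_time` for a DB Console login: a successful authentication, or a session that actually gains access. Dormancy audits read the column differently in each case, so state the trigger explicitly. The sentence also ties the update to `security.provisioning.ldap.enabled` being `true` without saying what the column shows when the setting is off; a short clause covering that case would help.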
One thing to note is estimated time is populated if authentication was successful even if the user was not able to access db console because of privileges. This was done because we want to track inactive users using their last login time.
Summary
This PR documents new v26.2 features related to LDAP and OIDC authentication for DB Console, based on epic CRDB-52460:
estimated_last_login_time) for both LDAP and OIDC DB Console logins
Changes
ldap-authentication.md
SHOW USERS output (line ~229)
ldap-authorization.md
sso-db-console.md
estimated_last_login_time tracking (line ~146)
Related Issues