cockroachdb / cockroach

CockroachDB — the cloud native, distributed SQL database designed for high availability, effortless scale, and control over data placement.
https://www.cockroachlabs.com

server: use LDAP for authn, perhaps authz #42824

Open keith-mcclellan opened 4 years ago

keith-mcclellan commented 4 years ago

Many enterprise clients would prefer an authz/authn option to use LDAPS rather than our current authz solution (GSSAPI to Kerberos) as LDAPS is easier for them to configure and maintain.

Epic: CRDB-198

Jira issue: CRDB-5319

gz#19827

knz commented 4 years ago

Open questions:

When we last explored LDAP(S) we found that there are many possible directions.

For one, we want to know if you are solely interested in the authentication part (let users log in) or you also want to use LDAP-driven authorization (which users belong to which roles, and which roles have access to which table).

We want to know what is more prevalent at customer deployments.

Another part, specific to authentication, is the authentication method. There are two modes of operation. Either CockroachDB can take a cleartext password and forward that to the LDAP server, or CockroachDB can serve as intermediary for a SASL handshake between the SQL client and the LDAP server.

What is commonplace at customer deployments?

Both these questions are super-important for us to determine how to prioritize this work and how to allocate effort to it.
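The two modes in the comment above differ in what the LDAP BindRequest carries, which is why the password-forwarding mode depends on TLS (LDAPS) on every hop. This is an added example, not part of the thread and not CockroachDB code: it BER-encodes both bind variants per RFC 4511 and checks whether the secret appears in the bytes. The DN, password, mechanism choice and SASL token are constructed sample values.

```go
package main

import (
	"bytes"
	"fmt"
)

// tlv encodes one BER element with a definite length (values under 256 bytes).
func tlv(tag byte, val []byte) []byte {
	out := []byte{tag}
	if n := len(val); n < 0x80 {
		out = append(out, byte(n))
	} else {
		out = append(out, 0x81, byte(n))
	}
	return append(out, val...)
}

func cat(parts ...[]byte) []byte { return bytes.Join(parts, nil) }

// bindRequest wraps an AuthenticationChoice in an LDAPv3 BindRequest
// (RFC 4511 section 4.2), using message ID 1.
func bindRequest(dn string, auth []byte) []byte {
	body := cat(tlv(0x02, []byte{3}), tlv(0x04, []byte(dn)), auth)
	return tlv(0x30, cat(tlv(0x02, []byte{1}), tlv(0x60, body)))
}

// SimpleBind models the forwarding mode: the password is carried verbatim
// in the [0] simple choice, so the server in the middle and the wire see it.
func SimpleBind(dn, password string) []byte {
	return bindRequest(dn, tlv(0x80, []byte(password)))
}

// SASLBind models the relay mode: the [3] sasl choice carries a mechanism
// name and an opaque token produced by the client, not the password.
func SASLBind(mechanism string, token []byte) []byte {
	return bindRequest("", tlv(0xA3, cat(tlv(0x04, []byte(mechanism)), tlv(0x04, token))))
}

// Leaks reports whether the secret appears verbatim in the encoded message.
func Leaks(msg []byte, secret string) bool { return bytes.Contains(msg, []byte(secret)) }

func main() {
	pw := "constructed-Passw0rd" // constructed sample secret
	simple := SimpleBind("uid=alice,ou=people,dc=example,dc=com", pw)
	sasl := SASLBind("SCRAM-SHA-256", []byte("n,,n=alice,r=constructed-nonce"))
	fmt.Printf("simple bind leaks password: %v\n%x\n", Leaks(simple, pw), simple)
	fmt.Printf("sasl bind leaks password:   %v\n%x\n", Leaks(sasl, pw), sasl)
}
```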

github-actions[bot] commented 11 months ago

We have marked this issue as stale because it has been inactive for 18 months. If this issue is still relevant, removing the stale label or adding a comment will keep it active. Otherwise, we'll close it in 10 days to keep the issue queue tidy. Thank you for your contribution to CockroachDB!