Additional properties for LDAP authentication

[snocke]

Usecase:
Connect Trino with existing company LDAP

Only a certain group of users from the LDAP is allowed to authenticate. Adding a searchfilter requieres specific LDAP properties.
These include

• ldap.user-bind-pattern
• ldap.group-auth-pattern

As a workaround we created a config map and mounted this as podOverrides into the trino pod.
We used configOverrides as well.

apiVersion: v1
kind: ConfigMap
metadata:
  name: trino-ldap-config
data:
  ldap-password-ldap-auth.properties: |
    ldap.allow-insecure=true
    ldap.group-auth-pattern=(&(uid\=${USER}))
    ldap.url=ldap\://my-host\:my-port
    ldap.user-base-dn=xx\=people,ou\=xxxxx,ou\=xxx,dc\=xxxxx,dc\=xxx
    password-authenticator.name=ldap
    ldap.user-bind-pattern=uid\=${USER},ou\=people,ou\=xxxxxx,ou\=xxx,dc\=xxxxxxx,dc\=xxx
    ldap.group-auth-pattern=(&(uid\=${USER})(memberOf\=cn\=xxxxx,ou\=xxxxxx,ou\=xxxxx,ou\=xxx,dc\=xxxxxxxx,dc\=xxx))

From the trino deployment:

configOverrides:
      config.properties:
        password-authenticator.config-files: /stackable/rwconfig/trino-users-password-file-auth.properties,/tmp/config/ldap-password-ldap-auth.properties
podOverrides:
      spec:
        containers:
          - name: trino
            volumeMounts:
              - name: custom-ldap-config
                mountPath: /tmp/config/ldap-password-ldap-auth.properties
                subPath: ldap-password-ldap-auth.properties
        volumes:
          - name: custom-ldap-config
            configMap:
              name: trino-ldap-config

fyi: for the specific case we discovered that the bindCredentials is optional.