Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feature (auth/ldap): add LDAP auth method along with associated accounts and managed groups #2912

Merged
merged 32 commits into from
Mar 15, 2023
Merged

feature (auth/ldap): add LDAP auth method along with associated accounts and managed groups #2912

merged 32 commits into from
Mar 15, 2023

Conversation

jimlambrt
Copy link
Collaborator

@jimlambrt jimlambrt commented Feb 5, 2023
edited

issue: #866

All commits in this PR to main were reviewed as they were merged to the auth-ldap-llb branch.

@jimlambrt jimlambrt force-pushed the auth-ldap-llb branch 2 times, most recently from e39e7db to 2fc40a8 Compare February 6, 2023 11:25
@jimlambrt jimlambrt added this to the deferred milestone Feb 6, 2023
@jimlambrt jimlambrt marked this pull request as ready for review February 6, 2023 19:57
johanbrandhorst
johanbrandhorst approved these changes Feb 7, 2023
View reviewed changes
Copy link
Collaborator

@johanbrandhorst johanbrandhorst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've had about as detailed of a look at this as I can, barring a review on the prose from @Dan-Heath I think this is good to go!

Dan-Heath
Dan-Heath reviewed Feb 7, 2023
View reviewed changes
Copy link
Contributor

@Dan-Heath Dan-Heath left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added some grammatical suggestions to the Markdown docs, but overall thought everything made sense and looks like it's formatted correctly. Please let me know if you have any questions, or if there's anything I can do to help. Thanks!

website/content/docs/concepts/domain-model/accounts.mdx Outdated Show resolved Hide resolved
website/content/docs/concepts/domain-model/accounts.mdx Outdated Show resolved Hide resolved
website/content/docs/concepts/domain-model/accounts.mdx Outdated Show resolved Hide resolved
website/content/docs/concepts/domain-model/accounts.mdx Outdated Show resolved Hide resolved
website/content/docs/concepts/domain-model/auth-methods.mdx Outdated Show resolved Hide resolved
website/content/docs/concepts/domain-model/auth-methods.mdx Outdated Show resolved Hide resolved
website/content/docs/concepts/domain-model/auth-methods.mdx Outdated Show resolved Hide resolved
website/content/docs/concepts/domain-model/auth-methods.mdx Outdated Show resolved Hide resolved
website/content/docs/concepts/domain-model/auth-methods.mdx Outdated Show resolved Hide resolved
website/content/docs/concepts/domain-model/managed-groups.mdx Outdated Show resolved Hide resolved
Dan-Heath
Dan-Heath approved these changes Feb 7, 2023
View reviewed changes
Copy link
Contributor

@Dan-Heath Dan-Heath left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thank you!

@jimlambrt jimlambrt force-pushed the auth-ldap-llb branch 3 times, most recently from c0a4be8 to 4cbdb86 Compare February 8, 2023 00:30
@jimlambrt jimlambrt mentioned this pull request Feb 14, 2023
Merged
@jimlambrt
feature (auth/ldap): add AuthMethod.EnableGroups
b296acc
@jimlambrt
fix (auth/ldap): refactor AuthMethod.oplog to enforce proper constraints
9efe053
@jimlambrt
feature (auth/ldap): add Account repo functions
a5c250b
@jimlambrt
refactor (auth/ldap): remove entry attributes from account
379586c 
Realized the entry attributes could have absolutely anything in them
(including binary data) and since we absolutely don't have to have them
there's just no reason to take on the risk.
@jimlambrt
feature (auth/ldap): add AuthMethod.UseTokenGroups
eea783a
@jimlambrt
feature (auth/ldap): add Authenticate(...)
c37a444
@jimlambrt
refactor (auth/ldap): ensure options take a context as the 1st parameter
d4795bb
@jimlambrt
feature (auth/ldap): add Account attribute maps
e1d9ee2
@jimlambrt
chore (auth/ldap): make fmt deltas
ec85459
@jimlambrt
feature (auth/ldap): add managed groups (#2760)
80326af 
* tests (auth/ldap): add missing unit test to Repository.DeleteAccount(...)

Add bits to test the delete operation when you're not able to generate
oplog metadata

* feature (auth/ldap): add managed groups

fixup! feature (auth/ldap): add managed groups (#2760)
@jimlambrt
feature (auth/ldap): service proto definition (#2761)
4e09a52
@jimlambrt
feature (handlers/authmethods): add handlers for ldap auth method ope…
dd5c800 
…rations (#2794)

* feature (auth/ldap): add Account attribute maps

* chore (auth/ldap): update cap/ldap to latest version

* feature (auth/ldap): add ldap api generation definitions

* feature (authmethods): add ldap repo NewService(...)

* feature (authmethods/ldap): add proper mask_mapping to protobufs

* feature (authmethods): add support to get an ldap auth method

* refactor (auth/ldap): export TestGenerateCA(...)

* feature (authmethods): add support to create an ldap auth method

* feature (authmethods): add support to delete an ldap auth method

* feature (authmethods): add support to list ldap auth methods

* refactor (auth/ldap): make urls optional for NewAuthMethod(...)

* refactor (auth/ldap): export ldap.TestInvalidPem

* chore: make fmt changes

* fix (auth/ldap): properly handle group search config

Add constraints and tests to ensure when an ldap AuthMethod.EnableGroups
is true, and UseTokenGroups is false; that there's a GroupDn configured
for finding a user's associated groups

* feature (authmethods): add support to update an ldap auth methods

* chore (db/ldap): tmp mv migrations so there's no conflict with ongoing work

* feature (verifier): add ldap auth method to verifier bits

* fix (controller): prevent panic when controller stops when there's no listener

* feature (authmethods): add support to authenticate via ldap auth methods

* chore (migrations): fix whitespace in stmt

* chore: fmt fixup

* tests (auth/ldap): invalid err msg
@jimlambrt
feature (cli/authmethods): add support for ldap auth-methods CRUD and…
b466217 
… authenticate (#2810)

* feature (authmethods): add CLI support for ldap auth methods CRUD

* tests (api/auth): ldap auth method classification tests

* feature (authmethods): add CLI support for ldap auth authenticate

* feature (auth/ldap): set request timeouts for ldap server connections

* feature (handlers/authmethods): handle u_anon listing properly.
@jimlambrt
feature (account/handers): ldap account and managed group CRUDL APIs (
a83924d 
…#2852)

* feature (auth/ldap) add repository Listing of ManagedGroupMemberAccount

* feature (controller/handlers): add ldapRepoFn to accounts service

* feature (auth/ldap) register ldap managed group subtype

* feature (account/handlers): ldap account CRUDL APIs

* feature (controller/handlers): add ldapRepo to managed groups service

* feature (account/handlers): ldap managed group CRUDL APIs
@jimlambrt
docs (domain): add LDAP accounts, auth-methods and managed groups (#2857
2caaa13 
)
@jimlambrt
feature (ldap/cli) add ldap accounts and managed groups CRUDL commands (
e095156 
#2856)
@jimlambrt
fix (handlers/authmethods): fix ldap authorized actions (#2892)
918037f
@jimlambrt
feature (cli/ldap/authenticate): use primary auth method if none is p…
d1d2c3f 
…rovided (#2890)

* fix (auth/ldap): support setting the state attribute

* feature (cli/ldap/authenticate): use primary auth method if none is provided
@jimlambrt
feature (wh/ldap) add tests for new ldap auth method and accounts (#2919
7a4a295 
)
@jimlambrt
refactor (migrations/ldap): mv to correct directory
a1e3a36
@jimlambrt
chore: add copyright headers
e791953 
fixup! chore: add copyright headers
@jimlambrt
fix (api/authmethods/ldap): renumber new LdapAuthMethodAttributes field
8f65361
@jimlambrt
fix (auth/ldap): allow the auth method state to be updated (#2951)
218f5db
@jimlambrt
chore: update sdk and api versions for llb - this is tmp until merging
1a221eb
@jimlambrt
fixup! refactor (migrations/ldap): mv to correct directory
2e0f821
@jimlambrt
tests (managed groups): add required errContains for new test
621f723
@github-actions
Copy link

Database schema diff between main and auth-ldap-llb @ 621f723

Functions

diff --git a/.schema-diff/funcs_bbbd6b1e51230b68d5ec5be2a69a3381c41e802b/_wtt_load_widgets_auth.sql b/.schema-diff/funcs_e6229c5a0a271552eeb574eb58e65b684842b200/_wtt_load_widgets_auth.sql
index ee8c60c4f..aae5ac72e 100644
--- a/.schema-diff/funcs_bbbd6b1e51230b68d5ec5be2a69a3381c41e802b/_wtt_load_widgets_auth.sql
+++ b/.schema-diff/funcs_e6229c5a0a271552eeb574eb58e65b684842b200/_wtt_load_widgets_auth.sql
@@ -82,6 +82,30 @@ create function public._wtt_load_widgets_auth() returns void
       ('kdkv___widget', 'aoa___walter', 'oidc__walter', 'oidc__walter'::bytea),
       ('kdkv___widget', 'aoa___warren', 'oidc__warren', 'oidc__warren'::bytea);
 
+    insert into auth_ldap_method
+      (scope_id,       public_id,      name,          state)
+    values
+      ('o_____widget', 'alm___widget', 'widget ldap', 'active-private');
+    insert into auth_ldap_url
+      (ldap_method_id, url,             connection_priority)
+    values 
+      ('alm___widget', 'ldaps://ldap1', 1);
+
+    insert into auth_ldap_account
+      (auth_method_id, public_id,      name,             description,           full_name, email,                login_name)
+    values
+      ('alm___widget', 'ala___walter', 'walter account', 'walter ldap account', 'walter',  'walter@widget.test', 'walter'),
+      ('alm___widget', 'ala___warren', 'warren account', 'warren ldap account', null,      null,                 'warren');
+
+    update auth_account set iam_user_id = 'u_____walter' where public_id = 'ala___walter';
+    update auth_account set iam_user_id = 'u_____warren' where public_id = 'ala___warren';
+
+    insert into auth_token
+      (key_id, auth_account_id, public_id, token)
+    values
+      ('kdkv___widget', 'ala___walter', 'ldap__walter', 'ldap__walter'::bytea),
+      ('kdkv___widget', 'ala___warren', 'ldap__warren', 'ldap__warren'::bytea);
+
   end;
   $$;
 
diff --git a/.schema-diff/funcs_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method_children.sql b/.schema-diff/funcs_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method_children.sql
new file mode 100644
index 000000000..3ec48aac4
--- /dev/null
+++ b/.schema-diff/funcs_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method_children.sql
@@ -0,0 +1,53 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_method_children(); type: function; schema: public; owner: -
+--
+
+create function public.auth_ldap_method_children() returns trigger
+    language plpgsql
+    as $$
+declare
+  n integer;
+begin
+  if tg_op = 'insert' then 
+    select into n count(*) from auth_ldap_url where ldap_method_id = new.public_id;
+     if n < 1 then 
+      raise exception 'during % of auth_ldap_method public_id=% must have at least one url, not %',tg_op,new.public_id,n;
+    end if;
+    -- no need for an update or delete check, as regular referential integrity constraints
+    -- and the trigger on `child' will do the job.
+
+    return null;
+  end if;
+end;
+$$;
+
+
+--
+-- name: function auth_ldap_method_children(); type: comment; schema: public; owner: -
+--
+
+comment on function public.auth_ldap_method_children() is 'function used on auth_ldap_method after insert/update initially deferred to ensure each groups search is properly configured when enable_groups is true and use_token_groups is false';
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/funcs_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method_group_search.sql b/.schema-diff/funcs_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method_group_search.sql
new file mode 100644
index 000000000..bbfc9fa7b
--- /dev/null
+++ b/.schema-diff/funcs_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method_group_search.sql
@@ -0,0 +1,43 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_method_group_search(); type: function; schema: public; owner: -
+--
+
+create function public.auth_ldap_method_group_search() returns trigger
+    language plpgsql
+    as $$
+declare
+  n integer;
+begin
+  if new.enable_groups = true and  new.use_token_groups = false then 
+    select into n count(*) from auth_ldap_group_entry_search where ldap_method_id = new.public_id;
+    if n < 1 then
+      raise exception 'during % of auth_ldap_method public_id=% must have a configured group_dn when enable_groups = true and use_token_groups = false',tg_op,new.public_id;
+    end if;
+  end if;
+  return null;
+end;
+$$;
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/funcs_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_url_parent_children.sql b/.schema-diff/funcs_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_url_parent_children.sql
new file mode 100644
index 000000000..dcdfd5e30
--- /dev/null
+++ b/.schema-diff/funcs_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_url_parent_children.sql
@@ -0,0 +1,57 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_url_parent_children(); type: function; schema: public; owner: -
+--
+
+create function public.auth_ldap_url_parent_children() returns trigger
+    language plpgsql
+    as $$
+declare 
+  n integer;
+begin
+  if tg_op = 'insert' or tg_op = 'update' then 
+    select into n count(*) from auth_ldap_url where ldap_method_id = new.ldap_method_id;
+    if n < 1 then 
+      raise exception 'during % of auth_ldap_url: auth_ldap_method id=% must have at least one url, not %',tg_op,new.ldap_method_id,n;
+    end if;
+  end if;
+  if tg_op = 'update' then 
+      select into n count(*) from auth_ldap_url where ldap_method_id = old.ldap_method_id;
+      if n < 1 then 
+        raise exception 'during % of %: auth_ldap_method id=% must have at least one url, not %',tg_op,tg_table_name,old.ldap_method_id,n;
+      end if;
+  end if;
+
+  return null;
+end;
+$$;
+
+
+--
+-- name: function auth_ldap_url_parent_children(); type: comment; schema: public; owner: -
+--
+
+comment on function public.auth_ldap_url_parent_children() is 'function used on auth_ldap_url after insert/update initially deferred to ensure each auth_ldap_method has at least one auth_ldap_url. unfortunately, it cannot be used on delete since that would make it impossible to delete an ldap auth method, because you would not be able to remove all of its urls';
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/funcs_e6229c5a0a271552eeb574eb58e65b684842b200/insert_auth_ldap_account_subtype.sql b/.schema-diff/funcs_e6229c5a0a271552eeb574eb58e65b684842b200/insert_auth_ldap_account_subtype.sql
new file mode 100644
index 000000000..708fd92ec
--- /dev/null
+++ b/.schema-diff/funcs_e6229c5a0a271552eeb574eb58e65b684842b200/insert_auth_ldap_account_subtype.sql
@@ -0,0 +1,46 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: insert_auth_ldap_account_subtype(); type: function; schema: public; owner: -
+--
+
+create function public.insert_auth_ldap_account_subtype() returns trigger
+    language plpgsql
+    as $$
+begin
+  select auth_method.scope_id
+    into new.scope_id
+  from auth_method
+  where auth_method.public_id = new.auth_method_id;
+
+  insert into auth_account
+    (public_id, auth_method_id, scope_id)
+  values
+    (new.public_id, new.auth_method_id, new.scope_id)
+  on conflict do nothing;
+
+  return new;
+end;
+  $$;
+
+
+--
+-- postgresql database dump complete
+--
+

Tables

diff --git a/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account.sql b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account.sql
new file mode 100644
index 000000000..449fc34f7
--- /dev/null
+++ b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account.sql
@@ -0,0 +1,58 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+set default_table_access_method = heap;
+
+--
+-- name: auth_ldap_account; type: table; schema: public; owner: -
+--
+
+create table public.auth_ldap_account (
+    public_id public.wt_public_id not null,
+    auth_method_id public.wt_public_id not null,
+    scope_id text not null,
+    name public.wt_name,
+    description public.wt_description,
+    create_time public.wt_timestamp,
+    update_time public.wt_timestamp,
+    version public.wt_version,
+    login_name text not null,
+    email public.wt_email,
+    full_name public.wt_full_name,
+    dn text,
+    member_of_groups jsonb,
+    constraint dn_must_not_be_empty check ((length(btrim(dn)) > 0)),
+    constraint login_name_must_be_lowercase check ((lower(btrim(login_name)) = login_name)),
+    constraint login_name_must_not_be_empty check ((length(btrim(login_name)) > 0)),
+    constraint member_of_groups_must_not_be_empty check ((length(btrim((member_of_groups)::text)) > 0))
+);
+
+
+--
+-- name: table auth_ldap_account; type: comment; schema: public; owner: -
+--
+
+comment on table public.auth_ldap_account is 'auth_ldap_account entries are subtypes of auth_account and represent an ldap account.';
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_attribute_map.sql b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_attribute_map.sql
new file mode 100644
index 000000000..460132975
--- /dev/null
+++ b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_attribute_map.sql
@@ -0,0 +1,48 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+set default_table_access_method = heap;
+
+--
+-- name: auth_ldap_account_attribute_map; type: table; schema: public; owner: -
+--
+
+create table public.auth_ldap_account_attribute_map (
+    create_time public.wt_timestamp,
+    ldap_method_id public.wt_public_id not null,
+    from_attribute text not null,
+    to_attribute text not null,
+    constraint from_attribute_must_be_less_than_1024_chars check ((length(btrim(from_attribute)) < 1024)),
+    constraint from_attribute_must_not_be_empty check ((length(btrim(from_attribute)) > 0)),
+    constraint to_attribute_valid_values check ((lower(to_attribute) = any (array['fullname'::text, 'email'::text])))
+);
+
+
+--
+-- name: table auth_ldap_account_attribute_map; type: comment; schema: public; owner: -
+--
+
+comment on table public.auth_ldap_account_attribute_map is 'auth_ldap_account_attribute_map entries are the optional attribute maps from custom attributes to the standard attributes of sub, name and email.  there can be 0 or more for each parent ldap auth method.';
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_bind_credential.sql b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_bind_credential.sql
new file mode 100644
index 000000000..868809008
--- /dev/null
+++ b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_bind_credential.sql
@@ -0,0 +1,51 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+set default_table_access_method = heap;
+
+--
+-- name: auth_ldap_bind_credential; type: table; schema: public; owner: -
+--
+
+create table public.auth_ldap_bind_credential (
+    create_time public.wt_timestamp,
+    ldap_method_id public.wt_public_id not null,
+    dn text not null,
+    password bytea not null,
+    password_hmac bytea not null,
+    key_id text not null,
+    constraint dn_too_long check ((length(btrim(dn)) < 2049)),
+    constraint dn_too_short check ((length(btrim(dn)) > 0)),
+    constraint password_hmac_not_empty check ((length(password_hmac) > 0)),
+    constraint password_not_empty check ((length(password) > 0))
+);
+
+
+--
+-- name: table auth_ldap_bind_credential; type: comment; schema: public; owner: -
+--
+
+comment on table public.auth_ldap_bind_credential is 'auth_ldap_bind_credential entries allow boundary to bind (aka authenticate) using the provided credentials when searching for the user entry used to authenticate.';
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_certificate.sql b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_certificate.sql
new file mode 100644
index 000000000..75a403cde
--- /dev/null
+++ b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_certificate.sql
@@ -0,0 +1,45 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+set default_table_access_method = heap;
+
+--
+-- name: auth_ldap_certificate; type: table; schema: public; owner: -
+--
+
+create table public.auth_ldap_certificate (
+    create_time public.wt_timestamp,
+    ldap_method_id public.wt_public_id not null,
+    certificate bytea not null,
+    constraint certificate_must_not_be_empty check ((length(certificate) > 0))
+);
+
+
+--
+-- name: table auth_ldap_certificate; type: comment; schema: public; owner: -
+--
+
+comment on table public.auth_ldap_certificate is 'auth_ldap_certificate entries are optional pem encoded x509 certificates. each entry is a single certificate.  an ldap auth method may have 0 or more of these optional x509s.  if an auth method has any cert entries, they are used as trust anchors when connecting to the auth methods ldap provider (instead of the host system cert chain)';
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_client_certificate.sql b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_client_certificate.sql
new file mode 100644
index 000000000..ee6b89e1e
--- /dev/null
+++ b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_client_certificate.sql
@@ -0,0 +1,50 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+set default_table_access_method = heap;
+
+--
+-- name: auth_ldap_client_certificate; type: table; schema: public; owner: -
+--
+
+create table public.auth_ldap_client_certificate (
+    create_time public.wt_timestamp,
+    ldap_method_id public.wt_public_id not null,
+    certificate bytea not null,
+    certificate_key bytea not null,
+    certificate_key_hmac bytea not null,
+    key_id text not null,
+    constraint certificate_key_hmac_must_not_be_empty check ((length(certificate_key_hmac) > 0)),
+    constraint certificate_key_must_not_be_empty check ((length(certificate_key) > 0)),
+    constraint certificate_must_not_be_empty check ((length(certificate) > 0))
+);
+
+
+--
+-- name: table auth_ldap_client_certificate; type: comment; schema: public; owner: -
+--
+
+comment on table public.auth_ldap_client_certificate is 'auth_ldap_client_certificate entries contains a client certificate that a auth_ldap_method uses for mtls when connecting to an ldap server. an auth_ldap_method can have 0 or 1 client certificates.';
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_group_entry_search.sql b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_group_entry_search.sql
new file mode 100644
index 000000000..b13a3f1c2
--- /dev/null
+++ b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_group_entry_search.sql
@@ -0,0 +1,52 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+set default_table_access_method = heap;
+
+--
+-- name: auth_ldap_group_entry_search; type: table; schema: public; owner: -
+--
+
+create table public.auth_ldap_group_entry_search (
+    create_time public.wt_timestamp,
+    ldap_method_id public.wt_public_id not null,
+    group_dn text not null,
+    group_attr text,
+    group_filter text,
+    constraint group_attr_too_long check ((length(btrim(group_attr)) < 1025)),
+    constraint group_attr_too_short check ((length(btrim(group_attr)) > 0)),
+    constraint group_dn_too_long check ((length(btrim(group_dn)) < 1025)),
+    constraint group_dn_too_short check ((length(btrim(group_dn)) > 0)),
+    constraint group_filter_too_long check ((length(btrim(group_filter)) < 2049)),
+    constraint group_filter_too_short check ((length(btrim(group_filter)) > 0))
+);
+
+
+--
+-- name: table auth_ldap_group_entry_search; type: comment; schema: public; owner: -
+--
+
+comment on table public.auth_ldap_group_entry_search is 'auth_ldap_group_entry_search entries specify the required parameters to find the groups a user is a member of';
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group.sql b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group.sql
new file mode 100644
index 000000000..81b800b0b
--- /dev/null
+++ b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group.sql
@@ -0,0 +1,50 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+set default_table_access_method = heap;
+
+--
+-- name: auth_ldap_managed_group; type: table; schema: public; owner: -
+--
+
+create table public.auth_ldap_managed_group (
+    public_id public.wt_public_id not null,
+    auth_method_id public.wt_public_id not null,
+    name public.wt_name,
+    description public.wt_description,
+    create_time public.wt_timestamp,
+    update_time public.wt_timestamp,
+    version public.wt_version,
+    group_names jsonb not null,
+    constraint group_names_must_not_be_empty check ((length(btrim((group_names)::text)) > 0))
+);
+
+
+--
+-- name: table auth_ldap_managed_group; type: comment; schema: public; owner: -
+--
+
+comment on table public.auth_ldap_managed_group is 'auth_ldap_managed_group entries are subtypes of auth_managed_group and represent an ldap managed group.';
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method.sql b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method.sql
new file mode 100644
index 000000000..6c52864ca
--- /dev/null
+++ b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method.sql
@@ -0,0 +1,58 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+set default_table_access_method = heap;
+
+--
+-- name: auth_ldap_method; type: table; schema: public; owner: -
+--
+
+create table public.auth_ldap_method (
+    public_id public.wt_public_id not null,
+    scope_id public.wt_scope_id not null,
+    name public.wt_name,
+    description public.wt_description,
+    create_time public.wt_timestamp,
+    update_time public.wt_timestamp,
+    version public.wt_version,
+    state text not null,
+    start_tls boolean default false not null,
+    insecure_tls boolean default false not null,
+    discover_dn boolean default false not null,
+    anon_group_search boolean default false not null,
+    upn_domain text,
+    enable_groups boolean default false not null,
+    use_token_groups boolean default false not null,
+    constraint upn_domain_too_long check ((length(btrim(upn_domain)) < 253)),
+    constraint upn_domain_too_short check ((length(btrim(upn_domain)) > 0))
+);
+
+
+--
+-- name: table auth_ldap_method; type: comment; schema: public; owner: -
+--
+
+comment on table public.auth_ldap_method is 'auth_ldap_method entries are the current ldap auth methods configured for existing scopes';
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method_state_enm.sql b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method_state_enm.sql
new file mode 100644
index 000000000..ed0cba41f
--- /dev/null
+++ b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method_state_enm.sql
@@ -0,0 +1,43 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+set default_table_access_method = heap;
+
+--
+-- name: auth_ldap_method_state_enm; type: table; schema: public; owner: -
+--
+
+create table public.auth_ldap_method_state_enm (
+    name text not null,
+    constraint name_only_predefined_ldap_method_states_allowed check ((name = any (array['inactive'::text, 'active-private'::text, 'active-public'::text])))
+);
+
+
+--
+-- name: table auth_ldap_method_state_enm; type: comment; schema: public; owner: -
+--
+
+comment on table public.auth_ldap_method_state_enm is 'auth_ldap_method_state_enm entries enumerate the valid auth ldap method states';
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_url.sql b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_url.sql
new file mode 100644
index 000000000..5a3a746c4
--- /dev/null
+++ b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_url.sql
@@ -0,0 +1,49 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+set default_table_access_method = heap;
+
+--
+-- name: auth_ldap_url; type: table; schema: public; owner: -
+--
+
+create table public.auth_ldap_url (
+    create_time public.wt_timestamp,
+    ldap_method_id public.wt_public_id not null,
+    url text not null,
+    connection_priority integer not null,
+    constraint connection_priority_less_than_one check ((connection_priority >= 1)),
+    constraint url_invalid_protocol check ((url ~ 'ldaps?:\/\/*'::text)),
+    constraint url_too_long check ((length(btrim(url)) < 4000)),
+    constraint url_too_short check ((length(btrim(url)) > 3))
+);
+
+
+--
+-- name: table auth_ldap_url; type: comment; schema: public; owner: -
+--
+
+comment on table public.auth_ldap_url is 'auth_ldap_url entries specify a connection url an ldap';
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_user_entry_search.sql b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_user_entry_search.sql
new file mode 100644
index 000000000..1d194c348
--- /dev/null
+++ b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_user_entry_search.sql
@@ -0,0 +1,53 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+set default_tablespace = '';
+
+set default_table_access_method = heap;
+
+--
+-- name: auth_ldap_user_entry_search; type: table; schema: public; owner: -
+--
+
+create table public.auth_ldap_user_entry_search (
+    create_time public.wt_timestamp,
+    ldap_method_id public.wt_public_id not null,
+    user_dn text,
+    user_attr text,
+    user_filter text,
+    constraint all_fields_are_not_null check ((not (row(user_dn, user_attr, user_filter) is null))),
+    constraint user_attr_too_long check ((length(btrim(user_attr)) < 1025)),
+    constraint user_attr_too_short check ((length(btrim(user_attr)) > 0)),
+    constraint user_dn_too_long check ((length(btrim(user_dn)) < 1025)),
+    constraint user_dn_too_short check ((length(btrim(user_dn)) > 0)),
+    constraint user_filter_too_long check ((length(btrim(user_filter)) < 2049)),
+    constraint user_filter_too_short check ((length(btrim(user_filter)) > 0))
+);
+
+
+--
+-- name: table auth_ldap_user_entry_search; type: comment; schema: public; owner: -
+--
+
+comment on table public.auth_ldap_user_entry_search is 'auth_ldap_user_entry_search entries specify the required parameters to find a user entry before attempting to authenticate the user';
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_account.sql b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_account.sql
new file mode 100644
index 000000000..69197c7ed
--- /dev/null
+++ b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_account.sql	
@@ -0,0 +1,22 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_account_attribute_map.sql b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_account_attribute_map.sql
new file mode 100644
index 000000000..69197c7ed
--- /dev/null
+++ b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_account_attribute_map.sql	
@@ -0,0 +1,22 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_bind_credential.sql b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_bind_credential.sql
new file mode 100644
index 000000000..69197c7ed
--- /dev/null
+++ b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_bind_credential.sql	
@@ -0,0 +1,22 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_certificate.sql b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_certificate.sql
new file mode 100644
index 000000000..69197c7ed
--- /dev/null
+++ b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_certificate.sql	
@@ -0,0 +1,22 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_client_certificate.sql b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_client_certificate.sql
new file mode 100644
index 000000000..69197c7ed
--- /dev/null
+++ b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_client_certificate.sql	
@@ -0,0 +1,22 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_group_entry_search.sql b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_group_entry_search.sql
new file mode 100644
index 000000000..69197c7ed
--- /dev/null
+++ b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_group_entry_search.sql	
@@ -0,0 +1,22 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_managed_group.sql b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_managed_group.sql
new file mode 100644
index 000000000..69197c7ed
--- /dev/null
+++ b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_managed_group.sql	
@@ -0,0 +1,22 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_method.sql b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_method.sql
new file mode 100644
index 000000000..69197c7ed
--- /dev/null
+++ b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_method.sql	
@@ -0,0 +1,22 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_method_state_enm.sql b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_method_state_enm.sql
new file mode 100644
index 000000000..69197c7ed
--- /dev/null
+++ b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_method_state_enm.sql	
@@ -0,0 +1,22 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_url.sql b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_url.sql
new file mode 100644
index 000000000..69197c7ed
--- /dev/null
+++ b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_url.sql	
@@ -0,0 +1,22 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_user_entry_search.sql b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_user_entry_search.sql
new file mode 100644
index 000000000..69197c7ed
--- /dev/null
+++ b/.schema-diff/tables_e6229c5a0a271552eeb574eb58e65b684842b200/public auth_ldap_user_entry_search.sql	
@@ -0,0 +1,22 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- postgresql database dump complete
+--
+

Views

diff --git a/.schema-diff/views_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group_member_account.sql b/.schema-diff/views_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group_member_account.sql
new file mode 100644
index 000000000..7a4505c48
--- /dev/null
+++ b/.schema-diff/views_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group_member_account.sql
@@ -0,0 +1,54 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_managed_group_member_account; type: view; schema: public; owner: -
+--
+
+create view public.auth_ldap_managed_group_member_account as
+ with account(id, group_name) as (
+         select a.public_id,
+            ag.group_name
+           from (public.auth_ldap_account a
+             left join lateral jsonb_array_elements(a.member_of_groups) ag(group_name) on (true))
+        ), groups(create_time, id, group_name) as (
+         select g.create_time,
+            g.public_id,
+            mg.group_name
+           from (public.auth_ldap_managed_group g
+             left join lateral jsonb_array_elements(g.group_names) mg(group_name) on (true))
+        )
+ select distinct groups.create_time,
+    account.id as member_id,
+    groups.id as managed_group_id
+   from account,
+    groups
+  where (account.group_name = groups.group_name);
+
+
+--
+-- name: view auth_ldap_managed_group_member_account; type: comment; schema: public; owner: -
+--
+
+comment on view public.auth_ldap_managed_group_member_account is 'auth_ldap_managed_group_member_account is the join view for managed ldap groups and accounts';
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/views_bbbd6b1e51230b68d5ec5be2a69a3381c41e802b/auth_managed_group_member_account.sql b/.schema-diff/views_e6229c5a0a271552eeb574eb58e65b684842b200/auth_managed_group_member_account.sql
index a8d779097..e22e7ff93 100644
--- a/.schema-diff/views_bbbd6b1e51230b68d5ec5be2a69a3381c41e802b/auth_managed_group_member_account.sql
+++ b/.schema-diff/views_e6229c5a0a271552eeb574eb58e65b684842b200/auth_managed_group_member_account.sql
@@ -24,7 +24,12 @@ create view public.auth_managed_group_member_account as
  select oidc.create_time,
     oidc.managed_group_id,
     oidc.member_id
-   from public.auth_oidc_managed_group_member_account oidc;
+   from public.auth_oidc_managed_group_member_account oidc
+union
+ select ldap.create_time,
+    ldap.managed_group_id,
+    ldap.member_id
+   from public.auth_ldap_managed_group_member_account ldap;
 
 
 --
diff --git a/.schema-diff/views_e6229c5a0a271552eeb574eb58e65b684842b200/ldap_auth_method_with_value_obj.sql b/.schema-diff/views_e6229c5a0a271552eeb574eb58e65b684842b200/ldap_auth_method_with_value_obj.sql
new file mode 100644
index 000000000..7c6dbe05c
--- /dev/null
+++ b/.schema-diff/views_e6229c5a0a271552eeb574eb58e65b684842b200/ldap_auth_method_with_value_obj.sql
@@ -0,0 +1,70 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: ldap_auth_method_with_value_obj; type: view; schema: public; owner: -
+--
+
+create view public.ldap_auth_method_with_value_obj as
+select
+    null::boolean as is_primary_auth_method,
+    null::public.wt_public_id as public_id,
+    null::public.wt_scope_id as scope_id,
+    null::public.wt_name as name,
+    null::public.wt_description as description,
+    null::public.wt_timestamp as create_time,
+    null::public.wt_timestamp as update_time,
+    null::public.wt_version as version,
+    null::text as state,
+    null::boolean as start_tls,
+    null::boolean as insecure_tls,
+    null::boolean as discover_dn,
+    null::boolean as anon_group_search,
+    null::text as upn_domain,
+    null::boolean as enable_groups,
+    null::boolean as use_token_groups,
+    null::text as urls,
+    null::bytea as certs,
+    null::text as account_attribute_map,
+    null::text as user_dn,
+    null::text as user_attr,
+    null::text as user_filter,
+    null::text as group_dn,
+    null::text as group_attr,
+    null::text as group_filter,
+    null::bytea as client_certificate_key,
+    null::bytea as client_certificate_key_hmac,
+    null::text as client_certificate_key_id,
+    null::bytea as client_certificate_cert,
+    null::text as bind_dn,
+    null::bytea as bind_password,
+    null::bytea as bind_password_hmac,
+    null::text as bind_password_key_id;
+
+
+--
+-- name: view ldap_auth_method_with_value_obj; type: comment; schema: public; owner: -
+--
+
+comment on view public.ldap_auth_method_with_value_obj is 'ldap auth method with its associated value objects (urls, certs, search config, etc)';
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/views_bbbd6b1e51230b68d5ec5be2a69a3381c41e802b/whx_user_dimension_source.sql b/.schema-diff/views_e6229c5a0a271552eeb574eb58e65b684842b200/whx_user_dimension_source.sql
index 098022f89..6d8580e67 100644
--- a/.schema-diff/views_bbbd6b1e51230b68d5ec5be2a69a3381c41e802b/whx_user_dimension_source.sql
+++ b/.schema-diff/views_e6229c5a0a271552eeb574eb58e65b684842b200/whx_user_dimension_source.sql
@@ -27,65 +27,77 @@ create view public.whx_user_dimension_source as
     coalesce((aa.public_id)::text, 'none'::text) as auth_account_id,
         case
             when (apa.public_id is not null) then 'password auth account'::text
+            when (ala.public_id is not null) then 'ldap auth account'::text
             when (aoa.public_id is not null) then 'oidc auth account'::text
             else 'none'::text
         end as auth_account_type,
         case
             when (apa.public_id is not null) then coalesce(apa.name, 'none'::text)
+            when (ala.public_id is not null) then coalesce((ala.name)::text, 'none'::text)
             when (aoa.public_id is not null) then coalesce((aoa.name)::text, 'none'::text)
             else 'none'::text
         end as auth_account_name,
         case
             when (apa.public_id is not null) then coalesce(apa.description, 'none'::text)
+            when (ala.public_id is not null) then coalesce((ala.description)::text, 'none'::text)
             when (aoa.public_id is not null) then coalesce((aoa.description)::text, 'none'::text)
             else 'none'::text
         end as auth_account_description,
         case
             when (apa.public_id is not null) then 'not applicable'::text
-            when (aoa.public_id is null) then 'none'::text
-            else aoa.subject
+            when (ala.public_id is not null) then ala.login_name
+            when (aoa.public_id is not null) then aoa.subject
+            else 'none'::text
         end as auth_account_external_id,
         case
             when (apa.public_id is not null) then 'not applicable'::text
+            when ((ala.public_id is not null) and (ala.full_name is not null)) then (ala.full_name)::text
             when ((aoa.public_id is not null) and (aoa.full_name is not null)) then (aoa.full_name)::text
             else 'none'::text
         end as auth_account_full_name,
         case
             when (apa.public_id is not null) then 'not applicable'::text
+            when ((ala.public_id is not null) and (ala.email is not null)) then (ala.email)::text
             when ((aoa.public_id is not null) and (aoa.email is not null)) then (aoa.email)::text
             else 'none'::text
         end as auth_account_email,
     coalesce((am.public_id)::text, 'none'::text) as auth_method_id,
         case
             when (apa.public_id is not null) then 'password auth method'::text
+            when (ala.public_id is not null) then 'ldap auth method'::text
             when (aoa.public_id is not null) then 'oidc auth method'::text
             else 'none'::text
         end as auth_method_type,
         case
             when (apm.public_id is not null) then coalesce(apm.name, 'none'::text)
+            when (alm.public_id is not null) then coalesce((alm.name)::text, 'none'::text)
             when (aom.public_id is not null) then coalesce((aom.name)::text, 'none'::text)
             else 'none'::text
         end as auth_method_name,
         case
             when (apm.public_id is not null) then coalesce(apm.description, 'none'::text)
+            when (alm.public_id is not null) then coalesce((alm.description)::text, 'none'::text)
             when (aom.public_id is not null) then coalesce((aom.description)::text, 'none'::text)
             else 'none'::text
         end as auth_method_description,
         case
             when (apa.public_id is not null) then 'not applicable'::text
+            when (alm.public_id is not null) then 'not applicable'::text
             when (aom.public_id is null) then 'none'::text
             else (aom.issuer)::text
         end as auth_method_external_id,
     org.public_id as user_organization_id,
     coalesce(org.name, 'none'::text) as user_organization_name,
     coalesce(org.description, 'none'::text) as user_organization_description
-   from (((((((public.iam_user u
+   from (((((((((public.iam_user u
      left join public.auth_account aa on (((u.public_id)::text = (aa.iam_user_id)::text)))
      left join public.auth_method am on (((aa.auth_method_id)::text = (am.public_id)::text)))
      left join public.auth_password_account apa on (((aa.public_id)::text = (apa.public_id)::text)))
      left join public.auth_password_method apm on (((am.public_id)::text = (apm.public_id)::text)))
      left join public.auth_oidc_account aoa on (((aa.public_id)::text = (aoa.public_id)::text)))
      left join public.auth_oidc_method aom on (((am.public_id)::text = (aom.public_id)::text)))
+     left join public.auth_ldap_account ala on (((aa.public_id)::text = (ala.public_id)::text)))
+     left join public.auth_ldap_method alm on (((am.public_id)::text = (alm.public_id)::text)))
      join public.iam_scope org on (((u.scope_id)::text = (org.public_id)::text)));

Triggers

diff --git a/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account default_create_time_column.sql b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account default_create_time_column.sql
new file mode 100644
index 000000000..be69d267f
--- /dev/null
+++ b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account default_create_time_column.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_account default_create_time_column; type: trigger; schema: public; owner: -
+--
+
+create trigger default_create_time_column before insert on public.auth_ldap_account for each row execute function public.default_create_time();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account delete_auth_account_subtype.sql b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account delete_auth_account_subtype.sql
new file mode 100644
index 000000000..457ead09a
--- /dev/null
+++ b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account delete_auth_account_subtype.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_account delete_auth_account_subtype; type: trigger; schema: public; owner: -
+--
+
+create trigger delete_auth_account_subtype after delete on public.auth_ldap_account for each row execute function public.delete_auth_account_subtype();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account immutable_columns.sql b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account immutable_columns.sql
new file mode 100644
index 000000000..a7f323ca0
--- /dev/null
+++ b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account immutable_columns.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_account immutable_columns; type: trigger; schema: public; owner: -
+--
+
+create trigger immutable_columns before update on public.auth_ldap_account for each row execute function public.immutable_columns('public_id', 'auth_method_id', 'scope_id', 'create_time', 'login_name');
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account insert_auth_ldap_account_subtype.sql b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account insert_auth_ldap_account_subtype.sql
new file mode 100644
index 000000000..19a0efab8
--- /dev/null
+++ b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account insert_auth_ldap_account_subtype.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_account insert_auth_ldap_account_subtype; type: trigger; schema: public; owner: -
+--
+
+create trigger insert_auth_ldap_account_subtype before insert on public.auth_ldap_account for each row execute function public.insert_auth_ldap_account_subtype();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account update_time_column.sql b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account update_time_column.sql
new file mode 100644
index 000000000..b2530386c
--- /dev/null
+++ b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account update_time_column.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_account update_time_column; type: trigger; schema: public; owner: -
+--
+
+create trigger update_time_column before update on public.auth_ldap_account for each row execute function public.update_time_column();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account update_version_column.sql b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account update_version_column.sql
new file mode 100644
index 000000000..24b3dee12
--- /dev/null
+++ b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account update_version_column.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_account update_version_column; type: trigger; schema: public; owner: -
+--
+
+create trigger update_version_column after update on public.auth_ldap_account for each row execute function public.update_version_column();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_attribute_map default_create_time_column.sql b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_attribute_map default_create_time_column.sql
new file mode 100644
index 000000000..084c76f55
--- /dev/null
+++ b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_attribute_map default_create_time_column.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_account_attribute_map default_create_time_column; type: trigger; schema: public; owner: -
+--
+
+create trigger default_create_time_column before insert on public.auth_ldap_account_attribute_map for each row execute function public.default_create_time();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_attribute_map immutable_columns.sql b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_attribute_map immutable_columns.sql
new file mode 100644
index 000000000..f3bee448c
--- /dev/null
+++ b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_attribute_map immutable_columns.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_account_attribute_map immutable_columns; type: trigger; schema: public; owner: -
+--
+
+create trigger immutable_columns before update on public.auth_ldap_account_attribute_map for each row execute function public.immutable_columns('ldap_method_id', 'from_attribute', 'to_attribute', 'create_time');
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group default_create_time_column.sql b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group default_create_time_column.sql
new file mode 100644
index 000000000..d03f187a5
--- /dev/null
+++ b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group default_create_time_column.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_managed_group default_create_time_column; type: trigger; schema: public; owner: -
+--
+
+create trigger default_create_time_column before insert on public.auth_ldap_managed_group for each row execute function public.default_create_time();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group delete_managed_group_subtype.sql b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group delete_managed_group_subtype.sql
new file mode 100644
index 000000000..b176e772f
--- /dev/null
+++ b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group delete_managed_group_subtype.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_managed_group delete_managed_group_subtype; type: trigger; schema: public; owner: -
+--
+
+create trigger delete_managed_group_subtype after delete on public.auth_ldap_managed_group for each row execute function public.delete_managed_group_subtype();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group immutable_columns.sql b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group immutable_columns.sql
new file mode 100644
index 000000000..6f701e254
--- /dev/null
+++ b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group immutable_columns.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_managed_group immutable_columns; type: trigger; schema: public; owner: -
+--
+
+create trigger immutable_columns before update on public.auth_ldap_managed_group for each row execute function public.immutable_columns('public_id', 'auth_method_id', 'create_time');
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group insert_managed_group_subtype.sql b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group insert_managed_group_subtype.sql
new file mode 100644
index 000000000..c01928eba
--- /dev/null
+++ b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group insert_managed_group_subtype.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_managed_group insert_managed_group_subtype; type: trigger; schema: public; owner: -
+--
+
+create trigger insert_managed_group_subtype before insert on public.auth_ldap_managed_group for each row execute function public.insert_managed_group_subtype();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group update_time_column.sql b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group update_time_column.sql
new file mode 100644
index 000000000..6b131a93c
--- /dev/null
+++ b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group update_time_column.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_managed_group update_time_column; type: trigger; schema: public; owner: -
+--
+
+create trigger update_time_column before update on public.auth_ldap_managed_group for each row execute function public.update_time_column();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group update_version_column.sql b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group update_version_column.sql
new file mode 100644
index 000000000..d8f3e6cf8
--- /dev/null
+++ b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group update_version_column.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_managed_group update_version_column; type: trigger; schema: public; owner: -
+--
+
+create trigger update_version_column after update on public.auth_ldap_managed_group for each row execute function public.update_version_column();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method auth_ldap_method_children_tg.sql b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method auth_ldap_method_children_tg.sql
new file mode 100644
index 000000000..9229158c1
--- /dev/null
+++ b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method auth_ldap_method_children_tg.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_method auth_ldap_method_children_tg; type: trigger; schema: public; owner: -
+--
+
+create constraint trigger auth_ldap_method_children_tg after insert on public.auth_ldap_method deferrable initially deferred for each row execute function public.auth_ldap_method_children();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method auth_ldap_method_group_search.sql b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method auth_ldap_method_group_search.sql
new file mode 100644
index 000000000..90baf1aa8
--- /dev/null
+++ b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method auth_ldap_method_group_search.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_method auth_ldap_method_group_search; type: trigger; schema: public; owner: -
+--
+
+create constraint trigger auth_ldap_method_group_search after insert or update on public.auth_ldap_method deferrable initially deferred for each row execute function public.auth_ldap_method_group_search();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method default_create_time_column.sql b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method default_create_time_column.sql
new file mode 100644
index 000000000..26af561d9
--- /dev/null
+++ b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method default_create_time_column.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_method default_create_time_column; type: trigger; schema: public; owner: -
+--
+
+create trigger default_create_time_column before insert on public.auth_ldap_method for each row execute function public.default_create_time();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method delete_auth_method_subtype.sql b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method delete_auth_method_subtype.sql
new file mode 100644
index 000000000..90eb1c99f
--- /dev/null
+++ b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method delete_auth_method_subtype.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_method delete_auth_method_subtype; type: trigger; schema: public; owner: -
+--
+
+create trigger delete_auth_method_subtype after delete on public.auth_ldap_method for each row execute function public.delete_auth_method_subtype();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method immutable_columns.sql b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method immutable_columns.sql
new file mode 100644
index 000000000..b0812d4ec
--- /dev/null
+++ b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method immutable_columns.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_method immutable_columns; type: trigger; schema: public; owner: -
+--
+
+create trigger immutable_columns before update on public.auth_ldap_method for each row execute function public.immutable_columns('public_id', 'scope_id', 'create_time');
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method insert_auth_method_subtype.sql b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method insert_auth_method_subtype.sql
new file mode 100644
index 000000000..2c536cc38
--- /dev/null
+++ b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method insert_auth_method_subtype.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_method insert_auth_method_subtype; type: trigger; schema: public; owner: -
+--
+
+create trigger insert_auth_method_subtype before insert on public.auth_ldap_method for each row execute function public.insert_auth_method_subtype();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method update_auth_method_subtype.sql b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method update_auth_method_subtype.sql
new file mode 100644
index 000000000..b591f9059
--- /dev/null
+++ b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method update_auth_method_subtype.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_method update_auth_method_subtype; type: trigger; schema: public; owner: -
+--
+
+create trigger update_auth_method_subtype before update on public.auth_ldap_method for each row execute function public.update_auth_method_subtype();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method update_time_column.sql b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method update_time_column.sql
new file mode 100644
index 000000000..3ef5ed72e
--- /dev/null
+++ b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method update_time_column.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_method update_time_column; type: trigger; schema: public; owner: -
+--
+
+create trigger update_time_column before update on public.auth_ldap_method for each row execute function public.update_time_column();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method update_version_column.sql b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method update_version_column.sql
new file mode 100644
index 000000000..52dcc1e1b
--- /dev/null
+++ b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method update_version_column.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_method update_version_column; type: trigger; schema: public; owner: -
+--
+
+create trigger update_version_column after update on public.auth_ldap_method for each row execute function public.update_version_column();
+
+
+--
+-- postgresql database dump complete
+--
+
diff --git a/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_url auth_ldap_url_children_per_parent_tg.sql b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_url auth_ldap_url_children_per_parent_tg.sql
new file mode 100644
index 000000000..2ee91598d
--- /dev/null
+++ b/.schema-diff/triggers_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_url auth_ldap_url_children_per_parent_tg.sql	
@@ -0,0 +1,29 @@
+--
+-- postgresql database dump
+--
+
+-- dumped from database version 13.10
+-- dumped by pg_dump version 14.7 (ubuntu 14.7-1.pgdg22.04+1)
+
+set statement_timeout = 0;
+set lock_timeout = 0;
+set idle_in_transaction_session_timeout = 0;
+set client_encoding = 'utf8';
+set standard_conforming_strings = on;
+select pg_catalog.set_config('search_path', '', false);
+set check_function_bodies = false;
+set xmloption = content;
+set client_min_messages = warning;
+set row_security = off;
+
+--
+-- name: auth_ldap_url auth_ldap_url_children_per_parent_tg; type: trigger; schema: public; owner: -
+--
+
+create constraint trigger auth_ldap_url_children_per_parent_tg after insert or delete or update on public.auth_ldap_url deferrable initially deferred for each row execute function public.auth_ldap_url_parent_children();
+
+
+--
+-- postgresql database dump complete
+--
+

Indexes

Unchanged

Constraints

diff --git a/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_attribute_map_pkey.sql b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_attribute_map_pkey.sql
new file mode 100644
index 000000000..4d4c8c2c8
--- /dev/null
+++ b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_attribute_map_pkey.sql
@@ -0,0 +1,2 @@
+-- name: auth_ldap_account_attribute_map auth_ldap_account_attribute_map_pkey; type: constraint; schema: public; owner: -
+    add constraint auth_ldap_account_attribute_map_pkey primary key (ldap_method_id, to_attribute);
diff --git a/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_auth_method_id_dn_uq.sql b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_auth_method_id_dn_uq.sql
new file mode 100644
index 000000000..fd78fc60a
--- /dev/null
+++ b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_auth_method_id_dn_uq.sql
@@ -0,0 +1,2 @@
+-- name: auth_ldap_account auth_ldap_account_auth_method_id_dn_uq; type: constraint; schema: public; owner: -
+    add constraint auth_ldap_account_auth_method_id_dn_uq unique (auth_method_id, dn);
diff --git a/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_auth_method_id_login_name_uq.sql b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_auth_method_id_login_name_uq.sql
new file mode 100644
index 000000000..add9796af
--- /dev/null
+++ b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_auth_method_id_login_name_uq.sql
@@ -0,0 +1,2 @@
+-- name: auth_ldap_account auth_ldap_account_auth_method_id_login_name_uq; type: constraint; schema: public; owner: -
+    add constraint auth_ldap_account_auth_method_id_login_name_uq unique (auth_method_id, login_name);
diff --git a/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_auth_method_id_name_uq.sql b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_auth_method_id_name_uq.sql
new file mode 100644
index 000000000..445dfc808
--- /dev/null
+++ b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_auth_method_id_name_uq.sql
@@ -0,0 +1,2 @@
+-- name: auth_ldap_account auth_ldap_account_auth_method_id_name_uq; type: constraint; schema: public; owner: -
+    add constraint auth_ldap_account_auth_method_id_name_uq unique (auth_method_id, name);
diff --git a/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_auth_method_id_public_id_uq.sql b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_auth_method_id_public_id_uq.sql
new file mode 100644
index 000000000..929d63b57
--- /dev/null
+++ b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_auth_method_id_public_id_uq.sql
@@ -0,0 +1,2 @@
+-- name: auth_ldap_account auth_ldap_account_auth_method_id_public_id_uq; type: constraint; schema: public; owner: -
+    add constraint auth_ldap_account_auth_method_id_public_id_uq unique (auth_method_id, public_id);
diff --git a/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_pkey.sql b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_pkey.sql
new file mode 100644
index 000000000..e17a55faa
--- /dev/null
+++ b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_account_pkey.sql
@@ -0,0 +1,2 @@
+-- name: auth_ldap_account auth_ldap_account_pkey; type: constraint; schema: public; owner: -
+    add constraint auth_ldap_account_pkey primary key (public_id);
diff --git a/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_bind_credential_pkey.sql b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_bind_credential_pkey.sql
new file mode 100644
index 000000000..8cca7aef5
--- /dev/null
+++ b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_bind_credential_pkey.sql
@@ -0,0 +1,2 @@
+-- name: auth_ldap_bind_credential auth_ldap_bind_credential_pkey; type: constraint; schema: public; owner: -
+    add constraint auth_ldap_bind_credential_pkey primary key (ldap_method_id);
diff --git a/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_certificate_pkey.sql b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_certificate_pkey.sql
new file mode 100644
index 000000000..d477ca2cb
--- /dev/null
+++ b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_certificate_pkey.sql
@@ -0,0 +1,2 @@
+-- name: auth_ldap_certificate auth_ldap_certificate_pkey; type: constraint; schema: public; owner: -
+    add constraint auth_ldap_certificate_pkey primary key (ldap_method_id, certificate);
diff --git a/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_client_certificate_pkey.sql b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_client_certificate_pkey.sql
new file mode 100644
index 000000000..aa700e691
--- /dev/null
+++ b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_client_certificate_pkey.sql
@@ -0,0 +1,2 @@
+-- name: auth_ldap_client_certificate auth_ldap_client_certificate_pkey; type: constraint; schema: public; owner: -
+    add constraint auth_ldap_client_certificate_pkey primary key (ldap_method_id);
diff --git a/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_group_entry_search_pkey.sql b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_group_entry_search_pkey.sql
new file mode 100644
index 000000000..7ffc4fdb1
--- /dev/null
+++ b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_group_entry_search_pkey.sql
@@ -0,0 +1,2 @@
+-- name: auth_ldap_group_entry_search auth_ldap_group_entry_search_pkey; type: constraint; schema: public; owner: -
+    add constraint auth_ldap_group_entry_search_pkey primary key (ldap_method_id);
diff --git a/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group_auth_method_id_name_uq.sql b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group_auth_method_id_name_uq.sql
new file mode 100644
index 000000000..a58d06185
--- /dev/null
+++ b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group_auth_method_id_name_uq.sql
@@ -0,0 +1,2 @@
+-- name: auth_ldap_managed_group auth_ldap_managed_group_auth_method_id_name_uq; type: constraint; schema: public; owner: -
+    add constraint auth_ldap_managed_group_auth_method_id_name_uq unique (auth_method_id, name);
diff --git a/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group_pkey.sql b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group_pkey.sql
new file mode 100644
index 000000000..5a67d4d33
--- /dev/null
+++ b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_managed_group_pkey.sql
@@ -0,0 +1,2 @@
+-- name: auth_ldap_managed_group auth_ldap_managed_group_pkey; type: constraint; schema: public; owner: -
+    add constraint auth_ldap_managed_group_pkey primary key (public_id);
diff --git a/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method_pkey.sql b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method_pkey.sql
new file mode 100644
index 000000000..288a9047c
--- /dev/null
+++ b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method_pkey.sql
@@ -0,0 +1,2 @@
+-- name: auth_ldap_method auth_ldap_method_pkey; type: constraint; schema: public; owner: -
+    add constraint auth_ldap_method_pkey primary key (public_id);
diff --git a/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method_scope_id_name_uq.sql b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method_scope_id_name_uq.sql
new file mode 100644
index 000000000..228794992
--- /dev/null
+++ b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method_scope_id_name_uq.sql
@@ -0,0 +1,2 @@
+-- name: auth_ldap_method auth_ldap_method_scope_id_name_uq; type: constraint; schema: public; owner: -
+    add constraint auth_ldap_method_scope_id_name_uq unique (scope_id, name);
diff --git a/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method_scope_id_public_id_uq.sql b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method_scope_id_public_id_uq.sql
new file mode 100644
index 000000000..9c02b192f
--- /dev/null
+++ b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method_scope_id_public_id_uq.sql
@@ -0,0 +1,2 @@
+-- name: auth_ldap_method auth_ldap_method_scope_id_public_id_uq; type: constraint; schema: public; owner: -
+    add constraint auth_ldap_method_scope_id_public_id_uq unique (scope_id, public_id);
diff --git a/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method_state_enm_pkey.sql b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method_state_enm_pkey.sql
new file mode 100644
index 000000000..48704bba4
--- /dev/null
+++ b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_method_state_enm_pkey.sql
@@ -0,0 +1,2 @@
+-- name: auth_ldap_method_state_enm auth_ldap_method_state_enm_pkey; type: constraint; schema: public; owner: -
+    add constraint auth_ldap_method_state_enm_pkey primary key (name);
diff --git a/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_url_pkey.sql b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_url_pkey.sql
new file mode 100644
index 000000000..fb7ae9571
--- /dev/null
+++ b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_url_pkey.sql
@@ -0,0 +1,2 @@
+-- name: auth_ldap_url auth_ldap_url_pkey; type: constraint; schema: public; owner: -
+    add constraint auth_ldap_url_pkey primary key (ldap_method_id, connection_priority);
diff --git a/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_user_entry_search_pkey.sql b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_user_entry_search_pkey.sql
new file mode 100644
index 000000000..bfa75576e
--- /dev/null
+++ b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/auth_ldap_user_entry_search_pkey.sql
@@ -0,0 +1,2 @@
+-- name: auth_ldap_user_entry_search auth_ldap_user_entry_search_pkey; type: constraint; schema: public; owner: -
+    add constraint auth_ldap_user_entry_search_pkey primary key (ldap_method_id);
diff --git a/.schema-diff/constraints_bbbd6b1e51230b68d5ec5be2a69a3381c41e802b/credential_pkey.sql b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/credential_pkey.sql
index 9b5fb76e2..a3f221660 100644
--- a/.schema-diff/constraints_bbbd6b1e51230b68d5ec5be2a69a3381c41e802b/credential_pkey.sql
+++ b/.schema-diff/constraints_e6229c5a0a271552eeb574eb58e65b684842b200/credential_pkey.sql
@@ -1,3 +1,5 @@
+-- name: auth_ldap_bind_credential auth_ldap_bind_credential_pkey; type: constraint; schema: public; owner: -
+    add constraint auth_ldap_bind_credential_pkey primary key (ldap_method_id);
 -- name: auth_password_credential auth_password_credential_pkey; type: constraint; schema: public; owner: -
     add constraint auth_password_credential_pkey primary key (private_id);
 -- name: credential credential_pkey; type: constraint; schema: public; owner: -

@jimlambrt jimlambrt merged commit 86192f7 into main Mar 15, 2023
@jimlambrt jimlambrt deleted the auth-ldap-llb branch March 15, 2023 15:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@johanbrandhorst johanbrandhorst johanbrandhorst approved these changes

@Dan-Heath Dan-Heath Dan-Heath approved these changes

Assignees
No one assigned
Labels
api/authmethods api core/auth core/daemon core/db core/gen core/proto core/sql core docs/concepts website
Projects
None yet
Milestone
0.13.x
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@jimlambrt @johanbrandhorst @Dan-Heath