LDAP Authentication Parameters

There are several parameters that you need to configure for LDAP authentication.

General LDAP Parameters

Use the following parameters to configure for either LDAP bind or LDAP bind and search:

Parameter name Description
host

LDAP server URL in the following format:

schema://host:optional_port

Where schema is one of the following:

  • ldap: The connection between Vertica and the LDAP server uses plaintext if TLSMODE of LDAPAuth is DISABLE. Set TLSMODE to ENABLE or higher for StartTLS (LDAP over TLS).
  • ldaps: If the TLSMODE of LDAPAuth is ENABLE or higher, the connection between Vertica and the LDAP server uses LDAPS.
ldap_continue

When set to yes, this parameter allows a connection retry when a user not found error occurs during the previous connection attempt.

For any other failure error, the system automatically retries the connection.

starttls

Whether to request the connection between Vertica and the LDAP server during user authentication to be upgraded to TLS. You must configure the LDAPAuth TLS Configuration before using this parameter.

starttls can be set to one of the following:

  • soft: If the server does not support TLS, use a plaintext connection. This value is equivalent to the -Z option in ldapsearch. If you use soft, Vertica ignores the certificate verification policies of the TLSMODE in the LDAPAuth TLS configuration.
  • hard: If the LDAP server does not support TLS, reject the connection. This value is equivalent to the -ZZ in ldapsearch.

    Using ldaps is equivalent to starttls='hard'. However, if you use them together in the same connection string, authentication fails and the following error appears:

    FATAL 2248: Authentication failed for username "<user_name>"

If starttls is not set, whether TLS is requested and required depends on the value of the TLSMODE of the LDAPAuth TLS Configuration.

LDAP Bind Parameters

The following parameters create a bind name string, which specifies and uniquely identifies a user to the LDAP server. For details, see Workflow for Configuring LDAP Bind.

To create a bind name string, you must set one (and only one) of the following:

  • Both binddn_prefix and binddn_suffix (must be set together)
  • domain_prefix
  • email_suffix

For example, if you set binddn_prefix and binddn_suffix, you cannot also set email_suffix. Conversely, if you set email_suffix, you cannot set binddn_prefix and binddn_suffix.

If you do not set a bind parameter, Vertica performs bind and search operations instead of a bind operation.

The following examples use the authentication record v_ldap:

=> CREATE AUTHENTICATION v_ldap METHOD 'ldap' HOST '10.0.0.0/23';
Parameter name Description
binddn_prefix

First half of the bind string. If you set this parameter, you must also set binddn_suffix.

For example, to construct the bind name cn=exampleusername,cn=Users,dc=ExampleDomain,dc=com:

=> ALTER AUTHENTICATION v_ldap SET
    binddn_prefix='cn=', binddn_suffix=',cn=Users,dc=ExampleDomain,dc=com';
binddn_suffix

Second half of bind string.

If you set this parameter, you must also set binddn_prefix.

For example, to construct the bind name cn=exampleusername,ou=ExampleUsers,dc=example,dc=com:

=> ALTER AUTHENTICATION v_ldap SET
    binddn_prefix='cn=', binddn_suffix=',ou=OrgUsers,dc=example,dc=com';
domain_prefix

The domain that contains the user.

For example, to construct the bind name Example\exampleusername:

=> ALTER AUTHENTICATION v_ldap SET domain_prefix='Example';
email_suffix

The email domain.

For example, to construct the bind name exampleusername@example.com

=> ALTER AUTHENTICATION v_ldap SET email_suffix='example.com';

LDAP Search and Bind Parameters

Use the following parameters when authenticating with LDAP search and bind. For more information see Workflow for Configuring LDAP Search and Bind.

Parameter name Description
basedn Base DN for search.
binddn Bind DN. Domain name to find in the directory search.
bind_password Bind password. Required if you specify a binddn.
search_attribute Optional attribute to search for on the LDAP server.

The following example shows how to set these three attributes. In this example, it sets

  • binddn to cn=Manager,dc=example,dc=com
  • bind_password to secret
  • search_attribute to cn
=> ALTER AUTHENTICATION auth_method_name SET host='ldap://example13',
basedn='dc=example,dc=com',binddn='cn=Manager,dc=example,dc=com',
bind_password='secret',search_attribute='cn';

The binddn and bind_password parameters are optional. If you omit them, Vertica performs an anonymous search.