TLS for LDAP Link
Vertica establishes a connection to an LDAP server in two contexts, and each context has a corresponding TLS CONFIGURATION that controls if each connection should use TLS:
- LDAPLink: using the LDAPLink service or its dry run functions to synchronize users and groups between Vertica and the LDAP server.
- LDAPAuth: when a user with an
ldapauthentication method attempts to log into Vertica, Vertica attempts to bind the user to a matching user in the LDAP server. If the bind succeeds, Vertica allows the user to log in.
Query TLS_CONFIGURATIONS to view existing TLS CONFIGURATIONs:
=> SELECT * FROM tls_configurations WHERE name IN ('LDAPLink', 'LDAPAuth'); name | owner | certificate | ca_certificate | cipher_suites | mode ----------+---------+-------------+----------------+---------------+---------- LDAPLink | dbadmin | client_cert | ldap_ca | | VERIFY_CA LDAPAuth | dbadmin | client_cert | ldap_ca | | DISABLE (2 rows)
This page covers the LDAPLink context. For details on the LDAPAuth context, see TLS for LDAP Authentication.
Configuring LDAP Link TLS
Vertica uses the LDAP Link service to retrieve users and groups from the LDAP server and to create corresponding users and roles in the database. To configure TLS for LDAP Link and its dry run functions, use the following procedure.
For details on key and certificate generation, see Generating TLS Certificates and Keys.
If you want Vertica to verify the LDAP server's certificate before establishing the connection, generate or import a CA certificate and add it to the LDAPLink TLS CONFIGURATION.
For example, to import the existing CA certificate
If your LDAP server verifies client certificates, you must generate or import a client certificate and its key and add it to the LDAPLink TLS CONFIGURATION. Vertica presents this certificate to the LDAP server for verification by its CA.
For example, to import the existing certificate
client.crt(signed by the imported CA) and key
Enable TLS or LDAPS (the exact protocol used depends on the value of
hostin the AUTHENTICATION object) by setting the TLSMODE to one of the following.
TRY_VERIFYor higher requires a CA certificate:
ENABLE: Enables TLS. Vertica does not check the LDAP server's certificate.
TRY_VERIFY: Establishes a TLS connection if one of the following is true:
- The LDAP server presents a valid certificate.
- The LDAP server doesn't present a certificate.
VERIFY_CA: Connection succeeds if Vertica verifies that the LDAP server's certificate is from a trusted CA. Using this TLSMODE forces all connections without a certificate to use plaintext.
VERIFY_FULL: Connection succeeds if Vertica verifies that the LDAP server's certificate is from a trusted CA and the
cn(Common Name) or
subjectAltNameattribute matches the hostname or IP address of the LDAP server.
cnis used for the username, so
subjectAltNamemust match the hostname or IP address of the LDAP server.
- Set the LDAP Link Parameters according to your use case.
=> \set ldap_ca '\''`cat ldap_ca.crt`'\'' => CREATE CA CERTIFICATE ldap_ca AS :ldap_ca; CREATE CERTIFICATE
Then, to add the
ldap_ca CA certificate to LDAPLink:
ALTER TLS CONFIGURATION LDAPLink ADD CA CERTIFICATES ldap_ca;
=> \set client_key '\''`cat client.key`'\'' => CREATE KEY client_key TYPE 'RSA' AS :client_key; CREATE KEY => \set client_cert '\''`cat client.crt`'\'' => CREATE CERTIFICATE client_cert AS :client_cert SIGNED BY ldap_ca KEY client_key; CREATE CERTIFICATE
Then, to add
client_cert to LDAPLink:
=> ALTER TLS CONFIGURATION LDAPLink CERTIFICATE client_cert;
=> ALTER TLS CONFIGURATION LDAPLink TLSMODE 'verify_ca'; ALTER TLS CONFIGURATION