TLS for LDAP Link

Vertica establishes a connection to an LDAP server in two contexts, and each context has a corresponding TLS CONFIGURATION that controls if each connection should use TLS:

  1. LDAPLink: using the LDAPLink service or its dry run functions to synchronize users and groups between Vertica and the LDAP server.
  2. LDAPAuth: when a user with an ldap authentication method attempts to log into Vertica, Vertica attempts to bind the user to a matching user in the LDAP server. If the bind succeeds, Vertica allows the user to log in.

Query TLS_CONFIGURATIONS to view existing TLS CONFIGURATIONs:

=> SELECT * FROM tls_configurations WHERE name IN ('LDAPLink', 'LDAPAuth');
   name   |  owner  | certificate | ca_certificate | cipher_suites |  mode
----------+---------+-------------+----------------+---------------+----------
 LDAPLink | dbadmin | client_cert | ldap_ca        |               | VERIFY_CA
 LDAPAuth | dbadmin | client_cert | ldap_ca        |               | DISABLE
(2 rows)

This page covers the LDAPLink context. For details on the LDAPAuth context, see TLS for LDAP Authentication.

Configuring LDAP Link TLS

Vertica uses the LDAP Link service to retrieve users and groups from the LDAP server and to create corresponding users and roles in the database. To configure TLS for LDAP Link and its dry run functions, use the following procedure.

For details on key and certificate generation, see Generating TLS Certificates and Keys.

  1. If you want Vertica to verify the LDAP server's certificate before establishing the connection, generate or import a CA certificate and add it to the LDAPLink TLS CONFIGURATION.

    For example, to import the existing CA certificate LDAP_CA.crt:

    2. => \set ldap_ca '\''`cat ldap_ca.crt`'\''
=> CREATE CA CERTIFICATE ldap_ca AS :ldap_ca;
CREATE CERTIFICATE

    Then, to add the ldap_ca CA certificate to LDAPLink:

    ALTER TLS CONFIGURATION LDAPLink ADD CA CERTIFICATES ldap_ca;

  2. If your LDAP server verifies client certificates, you must generate or import a client certificate and its key and add it to the LDAPLink TLS CONFIGURATION. Vertica presents this certificate to the LDAP server for verification by its CA.

    For example, to import the existing certificate client.crt (signed by the imported CA) and key client.key:

    3. => \set client_key '\''`cat client.key`'\''
=> CREATE KEY client_key TYPE 'RSA' AS :client_key;
CREATE KEY

=> \set client_cert '\''`cat client.crt`'\''
=> CREATE CERTIFICATE client_cert AS :client_cert SIGNED BY ldap_ca KEY client_key;
CREATE CERTIFICATE

    Then, to add client_cert to LDAPLink:

    => ALTER TLS CONFIGURATION LDAPLink CERTIFICATE client_cert;

  3. Enable TLS or LDAPS (the exact protocol used depends on the value of host in the AUTHENTICATION object) by setting the TLSMODE to one of the following. TRY_VERIFY or higher requires a CA certificate:

    • ENABLE: Enables TLS. Vertica does not check the LDAP server's certificate.
    • TRY_VERIFY: Establishes a TLS connection if one of the following is true:
      • The LDAP server presents a valid certificate.
      • The LDAP server doesn't present a certificate.
      If the LDAP server presents an invalid certificate, a plaintext connection is used.
    • VERIFY_CA: Connection succeeds if Vertica verifies that the LDAP server's certificate is from a trusted CA. Using this TLSMODE forces all connections without a certificate to use plaintext.
    • VERIFY_FULL: Connection succeeds if Vertica verifies that the LDAP server's certificate is from a trusted CA and the cn (Common Name) or subjectAltName attribute matches the hostname or IP address of the LDAP server.

      The cn is used for the username, so subjectAltName must match the hostname or IP address of the LDAP server.

    4. For example:

    => ALTER TLS CONFIGURATION LDAPLink TLSMODE 'verify_ca';
ALTER TLS CONFIGURATION
  4. Set the LDAP Link Parameters according to your use case.