LDAP Parameters

There are several parameters that you need to configure for LDAP authentication.

General LDAP Parameters

Use the following parameters to configure for either LDAP bind or LDAP bind and search:

Parameter name Description

host

LDAP server URI in the following format:

schema://host:optional_port

schema is either ldap (for LDAP/Active Directory) or ldaps (for secure LDAP/Active Directory).

starttls

Optional parameter that defines StartTLS behavior:

  • soft: If the server does not support TLS, continue authenticating the user in plain text. This value is equivalent to the -Z option in ldapsearch.
  • hard: If the server does not support TLS, authentication fails. This value is equivalent to the -ZZ option in ldapsearch.

Using ldaps is equivalent to starttls='hard'. However, if you use them together in the same connection string, authentication fails and the following error appears:

FATAL 3846: LDAP authentication failed for user "<user_name>"

ldap_continue

When set to yes, this parameter allows a connection retry when a "user not found" error occurs during the previous connection attempt.

For any other failure, the system automatically retries the connection.

LDAP Bind Parameters

Use the following parameters when authenticating with LDAP bind to create the bind name string. For more information, see Workflow for Configuring LDAP Bind.

Parameter name Description

binddn_prefix

First half of the bind string.

binddn_suffix

Second half of the bind string.

You must use binddn_prefix and binddn_suffix together.

In the following example, the bind name becomes cn=<user_login_name>;ou=example users;dc=example;dc=com.

=> ALTER AUTHENTICATION auth_method_name SET binddn_prefix='cn=',binddn_suffix=';ou=example users;dc=example;dc=com';

domain_prefix

The domain in which to find the user name.

In the following example, the bind name becomes example/<user_login_name>.

=> ALTER AUTHENTICATION auth_method_name SET domain_prefix='Example';

email_suffix

The part of an email address that comes after the @ sign.

In the following example, the bind name becomes <user_login_name>@example.com.

=> ALTER AUTHENTICATION auth_method_name SET email_suffix='Example.com';

To create the bind name string, you must provide one of the following:

  • Both binddn_prefix and binddn_suffix
  • domain_prefix
  • email_suffix

Otherwise, Vertica performs a bind and search operation instead of a bind operation.

LDAP Search and Bind Parameters

Use the following parameters when authenticating with LDAP search and bind. For more information, see Workflow for Configuring LDAP Search and Bind.

Parameter name Description

basedn

Base DN for the search.

binddn

Bind DN. Domain name to find in the directory search.

bind_password

Bind password. Required if you specify binddn.

search_attribute

Optional attribute to search for on the LDAP server.

The following example shows how to set these three attributes. It sets:

  • binddn to cn=Manager,dc=example,dc=com
  • bind_password to secret
  • search_attribute to cn

=> ALTER AUTHENTICATION auth_method_name SET host='ldap://example13',
   basedn='dc=example,dc=com',binddn='cn=Manager,dc=example,dc=com',
   bind_password='secret',search_attribute='cn';

The binddn and bind_password parameters are optional. If you omit them, Vertica performs an anonymous search.
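As an added illustration (not Vertica's code), the following Python models how the general, bind, and search-and-bind parameters above combine: it builds the bind name under the rules of the LDAP Bind section, falls back to search and bind when no bind-name parameters are given, rejects the parameter sets this page says fail, and flags the starttls settings under which the password can travel in plain text. The function names, the dictionary form of the parameters, and the check order are this example's own assumptions.

```python
from urllib.parse import urlsplit

def parse_host(host):
    """Split 'schema://host[:port]' into (schema, hostname, port)."""
    parts = urlsplit(host)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"host must be ldap://host[:port] or ldaps://host[:port], got {host!r}")
    return parts.scheme, parts.hostname, parts.port

def resolve_auth(params, user):
    """Return ('bind', bind_name) or ('search', basedn) for a user login name; raise ValueError
    for the parameter sets this page says fail. Check order is this example's own choice."""
    schema, _, _ = parse_host(params["host"])
    starttls = params.get("starttls")
    if schema == "ldaps" and starttls == "hard":
        # ldaps already means starttls='hard'; the page says combining them fails (FATAL 3846).
        raise ValueError("ldaps together with starttls='hard' fails authentication")
    prefix, suffix = params.get("binddn_prefix"), params.get("binddn_suffix")
    if (prefix is None) != (suffix is None):
        raise ValueError("binddn_prefix and binddn_suffix must be used together")
    if prefix is not None:                        # bind: cn=<user>;ou=...;dc=...
        return "bind", f"{prefix}{user}{suffix}"
    if "domain_prefix" in params:                 # bind: domain/<user>
        return "bind", f"{params['domain_prefix']}/{user}"
    if "email_suffix" in params:                  # bind: <user>@<suffix>
        return "bind", f"{user}@{params['email_suffix']}"
    # No bind-name parameters: fall back to search and bind under basedn.
    if "basedn" not in params:
        raise ValueError("search and bind needs basedn")
    if "binddn" in params and "bind_password" not in params:
        raise ValueError("bind_password is required when binddn is specified")
    return "search", params["basedn"]

def validation_error(params, user="someone"):
    """Return the error message for an unusable parameter set, else None."""
    try:
        resolve_auth(params, user)
    except ValueError as exc:
        return str(exc)
    return None

def transport_warning(params):
    """Describe when the user's password can cross the network in plain text, else None."""
    schema, _, _ = parse_host(params["host"])
    mode = params.get("starttls")
    if schema == "ldaps" or mode == "hard":
        return None
    return ("starttls='soft': falls back to plain text if the server does not offer TLS" if mode == "soft"
            else "ldap:// without starttls: the bind password is sent in plain text")
```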