Vertica Analytics Platform Version 9.2.x Documentation

Using LDAP Over SSL/TLS

Vertica supports Transport Layer Security (TLS) for client authentication.

The terms SSL and TLS are often used interchangeably. TLS is the successor to SSL and offers greater security. The original SSL standard was renamed TLS at the time it became open source. The introduction of TLS began with version 1, which is essentially equal to SSL 3. You use openssl commands to create certificates and keys and TLS syntax to create an authentication method.

For more information see the Information Security website.

You use ALTER AUTHENTICATION to specify LDAP and SSL/TLS parameters. If you specify a host URL that starts with ldaps, the Vertica server authenticates using SSL/TLS on the specified port or on the secure LDAPS port (636).

ldaps://abc.dc.com

If the LDAP server does not support SSL on that port, authentication fails.

If you specify a host URL that starts with ldap and set the LDAP starttls parameter, the Vertica server sends a StartTLS request. This request determines if the LDAP server supports TLS on the specified port or on the default LDAP port (389).

=> ALTER AUTHENTICATION Ldap1 SET host='ldaps://abc.dc.com', binddn_prefix='CN=', 
binddn_suffix=',OU=Unit2,DC=dc,DC=com', basedn='dc=DC,dc=com',
tls_cacert='/home/dc.com.ca.cer', tls_reqcert='never';

If the LDAP server does not support TLS on that port, the result depends on the value of the starttls parameter:

  • starttls = hard: The Vertica server terminates the authentication process.
  • starttls = soft: The Vertica server proceeds with the authentication but does not use TLS.

To configure LDAP over SSL/TLS, use the following configuration parameters:

Parameter Name Description
TLS_REQCERT
  • hard—If the client does not provide a certificate, or provides an invalid certificate, it cannot connect. This is the default behavior.
  • never—The client does not request or verify a certificate.
  • allow—If the client does not provide a certificate or provides an invalid certificate, it can connect anyway.
  • try—If the client does not provide a certificate, they can connect. If the client provides an invalid certificate, they cannot connect.
  • TLS_CADIR

    Path to the folder with the CA certificates. For example:

    ALTER AUTHENTICATION Ldap1 SET TLS_CADIR ='/scratch_b/qa/vertica/QA/VT_Scenario/V_SEC/';
    TLS_CACERT

    Path to the CA certificate. For example:

    ALTER AUTHENTICATION Ldap1 SET TLS_CACERT ='/scratch_b/qa/vertica/QA/VT_Scenario/V_SEC/dc.com.ca.cer';

    If you do not provide one or more of these parameters, the LDAP server checks to see if the LDAPNOINIT environment variable points to the ldap.conf file. If it does, the server uses the parameters specified in the ldap.conf file. If the LDAP server cannot find the ldap.conf file, authentication fails.

    The following example shows how to specify the TLS parameters and the LDAP parameters when configuring LDAP over SSL/TLS:

    => CREATE AUTHENTICATION LDAP1 METHOD 'ldap' HOST :clientIP = '172.16.65.177';
    => GRANT AUTHENTICATION ldap1 TO user1;
    => ALTER AUTHENTICATION Ldap1 SET host='ldaps://abc.dc.com', binddn_prefix='CN=', 
    binddn_suffix=',OU=Unit2,DC=dc,DC=com', basedn='dc=DC,dc=com',
    tls_cacert='/home/dc.com.ca.cer', tls_reqcert='never';