Workflow for Configuring LDAP Bind

To configure your Vertica database to authenticate clients using LDAP bind, follow these steps:

1. Obtain a service account. For information see the LDAP product documentation. You cannot use the service account in the connection parameters for LDAP bind.

2. Compare the user's LDAP account name to their Vertica username. For example, if John Smith's Active Directory (AD) sAMAccountName = jsmith, his Vertica username must also be jsmith.

   However, the LDAP account does not have to match the database user name, as shown in the following example:

   => CREATE USER r1 IDENTIFIED BY 'password';
   => CREATE AUTHENTICATION ldap1  METHOD 'ldap' HOST '172.16.65.177';
   => ALTER AUTHENTICATION ldap1 SET HOST=
      'ldap://172.16.65.10',basedn='dc=dc,dc=com',binddn_suffix=',ou=unit2,dc=dc,dc=com',binddn_prefix='cn=use';
   => GRANT AUTHENTICATION ldap1 TO r1;

   \! ${TARGET}/bin/vsql -p $PGPORT -U r1 -w $LDAP_USER_PASSWD -h ${HOSTNAME} -c 
      "select user_name, client_authentication_name from sessions;"
    user_name | client_authentication_name
   -----------+----------------------------
    r1        | ldap
   (1 row)

3. Run ldapsearch from a Vertica node against your LDAP or AD server. Verify the connection to the server and identify the values of relevant fields. Running ldapsearch helps you build the client authentication string needed to configure LDAP authentication.

   In the following example, ldapsearch returns the CN, DN, and sAMAccountName fields (if they exist) for any user whose CN contains the username jsmith. This search succeeds only for LDAP servers that allow anonymous binding:

   $ ldapsearch -x -h 10.10.10.10 -b "ou=Vertica Users,dc=CompanyCorp,dc=com" 
   '(cn=jsmith*)' cn dn uid sAMAccountName

   ldapsearch returns the following results. The relevant information for LDAP bind is in bold:

   # extended LDIF
   #
   # LDAPv3
   # base <ou=Vertica Users,dc=CompanyCorp,dc=com> with scope subtree
   # filter: (cn=jsmith*)
   # requesting: cn dn uid sAMAccountName
   #
   # jsmith, Users, CompanyCorp.com
   dn:cn=jsmith,ou=Vertica Users,dc=CompanyCorp,dc=com
   cn: jsmith
   uid: jsmith
   # search result
   search: 2
   result: 0 Success
   # numResponses: 2
   # numEntries: 1

4. Create a new authentication record based on the information from ldapsearch. In the ldapsearch entry, the CN is username jsmith, so you do not need to set it. Vertica automatically sets the CN to the username of the user who is trying to connect. Vertica uses that CN to bind against the LDAP server.

   => CREATE AUTHENTICATION v_ldap_bind METHOD 'ldap' HOST '0.0.0.0/0';
   => GRANT AUTHENTICATION v_ldap_bind TO public;
   => ALTER AUTHENTICATION v_ldap_bind SET 
   host='ldap://10.10.10.10/',
   basedn='DC=CompanyCorp,DC=com',      
   binddn_prefix='cn=',
   binddn_suffix=',OU=Vertica Users,DC=CompanyCorp,DC=com';

For more information see LDAP Bind Parameters