LDAP Parameters

There are several parameters that you need to configure for LDAP authentication.

General LDAP Parameters

The following parameters apply to both LDAP bind and LDAP search and bind:

Parameter name Description
host

LDAP server URI in the following format:

scheme://host[:port]

The scheme is either ldap (plain LDAP/Active Directory, optionally upgraded with starttls) or ldaps (LDAP/Active Directory over TLS from the first byte). The port is optional.

starttls

Optional parameter that defines StartTLS behavior:

  • soft: If the server does not support TLS, continue authenticating the user in plain text. This value is equivalent to the -Z option in ldapsearch. Because the fallback sends the user's password unencrypted, prefer hard (or ldaps) for anything but testing.
  • hard: If the server does not support TLS, authentication fails. This value is equivalent to the -ZZ option in ldapsearch.

    Using ldaps is equivalent to starttls='hard'. However, if you combine ldaps with starttls in the same connection string, authentication fails and the following error appears:

    FATAL 3846: LDAP authentication failed for user "<user_name>"
ldap_continue

When set to yes, Vertica retries the connection after a user not found error on the previous connection attempt.

For any other error, the system retries the connection automatically.

LDAP Bind Parameters

The following parameters create a bind name string, which specifies and uniquely identifies a user to the LDAP server. For details, see Workflow for Configuring LDAP Bind.

To create a bind name string, you must set one (and only one) of the following:

  • Both binddn_prefix and binddn_suffix (must be set together)
  • domain_prefix
  • email_suffix

For example, if you set binddn_prefix and binddn_suffix, you cannot also set email_suffix. Conversely, if you set email_suffix, you cannot set binddn_prefix and binddn_suffix.

If you set none of these bind parameters, Vertica performs search and bind instead of a plain bind (see LDAP Search and Bind Parameters below).

The following examples use the authentication record v_ldap:

=> CREATE AUTHENTICATION v_ldap METHOD 'ldap' HOST '10.0.0.0/23';
Parameter name Description
binddn_prefix

First half of the bind string. Vertica places the login name the user supplies between binddn_prefix and binddn_suffix. If you set this parameter, you must also set binddn_suffix.

For example, to construct the bind name cn=exampleusername,cn=Users,dc=ExampleDomain,dc=com:

=> ALTER AUTHENTICATION v_ldap SET
    binddn_prefix='cn=', binddn_suffix=',cn=Users,dc=ExampleDomain,dc=com';
binddn_suffix

Second half of bind string.

If you set this parameter, you must also set binddn_prefix.

For example, to construct the bind name cn=exampleusername,ou=OrgUsers,dc=example,dc=com:

=> ALTER AUTHENTICATION v_ldap SET
    binddn_prefix='cn=', binddn_suffix=',ou=OrgUsers,dc=example,dc=com';
domain_prefix

The Active Directory domain that contains the user. The bind name takes the form domain_prefix\login.

For example, to construct the bind name Example\exampleusername:

=> ALTER AUTHENTICATION v_ldap SET domain_prefix='Example';
email_suffix

The email domain. The bind name takes the form login@email_suffix.

For example, to construct the bind name exampleusername@example.com:

=> ALTER AUTHENTICATION v_ldap SET email_suffix='example.com';
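How the bind name is assembled from these parameters, as an added Python example that is not Vertica code: build_bind_name enforces the exactly-one rule above and reproduces the three bind names from the examples. The DN escaping (RFC 4514) and the refusal of '\' and '@' in the two Active Directory forms are this example's own defensive steps; the page does not describe how Vertica itself handles such characters, and the function and parameter names here are assumptions of the example.

```python
# Added example (not Vertica code): assemble the LDAP bind name from the
# binddn_prefix/binddn_suffix, domain_prefix and email_suffix parameters.

# RFC 4514: characters that must be escaped inside an attribute value of a DN.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape a login name before it is spliced into a DN, so that a name such
    as 'bob,ou=Admins' stays a single RDN value instead of adding an RDN.
    (This example's own defensive step, not a statement about Vertica.)"""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL or (i == 0 and ch == "#") or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_bind_name(login: str, *, binddn_prefix=None, binddn_suffix=None,
                    domain_prefix=None, email_suffix=None) -> str:
    """Return the name the client binds as, enforcing the documented rule that
    exactly one of the three forms is configured (prefix and suffix together)."""
    if (binddn_prefix is None) != (binddn_suffix is None):
        raise ValueError("binddn_prefix and binddn_suffix must be set together")
    chosen = [binddn_prefix is not None, domain_prefix is not None, email_suffix is not None]
    if sum(chosen) != 1:
        raise ValueError("set exactly one of: binddn_prefix+binddn_suffix, "
                         "domain_prefix, email_suffix")
    if binddn_prefix is not None:
        # The login name lands between prefix and suffix; escape it so it
        # cannot terminate the RDN early.
        return binddn_prefix + escape_dn_value(login) + binddn_suffix
    # The two Active Directory forms are not DNs. This example's own policy is
    # to refuse logins that would change the shape of domain\login or login@domain.
    if "\\" in login or "@" in login:
        raise ValueError("login may not contain '\\' or '@' in the domain/email bind forms")
    if domain_prefix is not None:
        return f"{domain_prefix}\\{login}"
    return f"{login}@{email_suffix}"


if __name__ == "__main__":
    # The three bind names from the documentation examples above.
    print(build_bind_name("exampleusername", binddn_prefix="cn=",
                          binddn_suffix=",cn=Users,dc=ExampleDomain,dc=com"))
    print(build_bind_name("exampleusername", domain_prefix="Example"))
    print(build_bind_name("exampleusername", email_suffix="example.com"))
    # A login that tries to smuggle an extra RDN is neutralised by escaping.
    print(build_bind_name("bob,ou=Admins", binddn_prefix="cn=",
                          binddn_suffix=",dc=example,dc=com"))
```

The escaping matters because the bind DN is built by string concatenation around a value the user controls; without it, a login of the form name,ou=... would change which directory entry the client attempts to bind as.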

LDAP Search and Bind Parameters

Use the following parameters when authenticating with LDAP search and bind. For more information see Workflow for Configuring LDAP Search and Bind.

Parameter name Description
basedn Base DN under which Vertica searches for the user's entry.
binddn Bind DN: the distinguished name of the account Vertica binds as in order to run the search. Use a dedicated account with read-only search rights; omit binddn to search anonymously.
bind_password Password for binddn. Required if you specify binddn. Because this password is stored in the database configuration, do not reuse an administrative account's credentials here.
search_attribute Optional attribute that Vertica matches against the login name to locate the user's entry (for example cn or uid). Choose an attribute whose value is unique under basedn, because Vertica then binds as the entry that the search returns.

The following example sets these search and bind parameters together with host and basedn. It sets

  • binddn to cn=Manager,dc=example,dc=com
  • bind_password to secret
  • search_attribute to cn
=> ALTER AUTHENTICATION auth_method_name SET host='ldap://example13',
basedn='dc=example,dc=com',binddn='cn=Manager,dc=example,dc=com',
bind_password='secret',search_attribute='cn';

The binddn and bind_password parameters are optional. If you omit them, Vertica performs an anonymous search, which only works if the directory permits anonymous searches under basedn; Active Directory does not allow this by default, so the search then fails before the user's own bind is attempted.
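The two-step search and bind flow that these parameters drive, as an added Python example with a constructed in-memory directory; it is not Vertica code and makes no claim about Vertica's internals. The directory contents, the configuration dictionary, the filter escaping (RFC 4515) and the handling of empty passwords and ambiguous matches are all this example's own choices, chosen to show the failure modes a practitioner should expect: user not found, more than one entry matching search_attribute, a wrong or empty password, and an anonymous search against a directory that forbids it.

```python
# Added example (not Vertica code): simulate LDAP search and bind.
import re

# Constructed sample directory standing in for the LDAP server: DN -> attributes.
# Passwords are stored in clear only because this is a simulation.
DIRECTORY = {
    "cn=Manager,dc=example,dc=com":
        {"cn": ["Manager"], "userPassword": "secret"},
    "cn=alice,ou=People,dc=example,dc=com":
        {"cn": ["alice"], "uid": ["alice"], "userPassword": "alice-pw"},
    "cn=bob,ou=People,dc=example,dc=com":
        {"cn": ["bob"], "uid": ["bob"], "userPassword": "bob-pw"},
    "cn=bob,ou=Contractors,dc=example,dc=com":
        {"cn": ["bob"], "uid": ["bob2"], "userPassword": "contractor-pw"},
}


class LdapError(Exception):
    """Stands in for an LDAP result code other than success."""


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter, so a login
    name such as '*' or 'x)(cn=*' is matched literally instead of being
    interpreted as filter syntax."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def _pattern_to_regex(pattern: str):
    """Compile the value part of an equality filter the way a server would:
    an unescaped '*' is a wildcard, '\\xx' sequences are literal characters."""
    parts, literal, i = [], "", 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            literal += chr(int(pattern[i + 1:i + 3], 16))
            i += 3
        elif ch == "*":
            parts.append(re.escape(literal) + ".*")
            literal, i = "", i + 1
        else:
            literal += ch
            i += 1
    parts.append(re.escape(literal))
    return re.compile("".join(parts))


def bind(dn, password):
    """Simple bind. dn=None is an anonymous bind. A DN with an empty password is
    rejected outright: RFC 4513 lets servers treat that as an *unauthenticated*
    bind that succeeds, a classic password-check bypass, so never send it."""
    if dn is None:
        return None
    entry = DIRECTORY.get(dn)
    if not password or entry is None or entry["userPassword"] != password:
        raise LdapError("invalidCredentials")
    return dn


def search(bound_as, basedn, filt, allow_anonymous=False):
    """Subtree search under basedn for a single equality filter '(attr=pattern)'."""
    if bound_as is None and not allow_anonymous:
        raise LdapError("insufficientAccessRights: anonymous search disabled")
    m = re.fullmatch(r"\(([A-Za-z][\w-]*)=(.*)\)", filt)
    if not m:
        raise LdapError("protocolError: unsupported filter")
    attr, regex = m.group(1), _pattern_to_regex(m.group(2))
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(basedn)
            and any(regex.fullmatch(v) for v in attrs.get(attr, []))]


def authenticate(cfg, login, password, allow_anonymous_search=False):
    """Search and bind: bind as the service account (anonymously if binddn is
    omitted), locate the user's entry, then bind as that entry with the user's
    own password. Returns the DN the user was authenticated as."""
    service = bind(cfg.get("binddn"), cfg.get("bind_password"))
    filt = f"({cfg['search_attribute']}={escape_filter_value(login)})"
    hits = search(service, cfg["basedn"], filt, allow_anonymous_search)
    if not hits:
        raise LdapError("user not found")  # the error ldap_continue governs
    if len(hits) > 1:
        # Refuse rather than guess: binding as "whichever matched first" would
        # let a second entry sharing the attribute value shadow the real user.
        raise LdapError(f"{cfg['search_attribute']} matched {len(hits)} entries")
    return bind(hits[0], password)


# Constructed configuration mirroring the ALTER AUTHENTICATION example above.
CFG = {"basedn": "dc=example,dc=com",
       "binddn": "cn=Manager,dc=example,dc=com",
       "bind_password": "secret",
       "search_attribute": "cn"}

if __name__ == "__main__":
    print(authenticate(CFG, "alice", "alice-pw"))
    svc = bind(CFG["binddn"], CFG["bind_password"])
    print(search(svc, CFG["basedn"], "(cn=*)"))   # unescaped wildcard: every entry
```

With search_attribute='cn' the constructed directory has two entries whose cn is bob, so authenticating bob fails with an ambiguity error even though his password is right; switching to uid, which is unique here, succeeds. That is the practical reason to pick a unique attribute for search_attribute.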