LDAP Link Parameters

Use LDAP Link parameters to determine:

  • LDAP Link operations, such as enabling or disabling LDAP Link and how often to perform replication
  • Authentication parameters, including SSL authentication parameters
  • Users and groups that inherit unowned objects
  • How to resolve conflicts

Set LDAP Link Parameters

This example shows how you can set:

  • The URL of the LDAP server (LDAPLinkURL) and
  • The base DN from where to start replication (LDAPLinkSearchBase)

You also see how to set the LDAP Link Bind authentication parameters (LDAPLinkBindDN and LDAPLinkBindPswd) and how to enable LDAP Link (LDAPLinkOn).

=> ALTER DATABASE myDB1 SET PARAMETER LDAPLinkURL='ldap://10.60.55.128',
   LDAPLinkSearchBase='dc=corp,dc=com', LDAPLinkBindDN='dc=corp,dc=com',
   LDAPLinkBindPswd='password';

=> ALTER DATABASE myDB1 SET PARAMETER LDAPLinkOn = '1';

General and Connection Parameters

Parameter Description
LDAPLinkOn

Enables or disables LDAP Link.

Valid Values:

0—LDAP Link disabled

1—LDAP Link enabled

Default value: 0

LDAPLinkURL

The LDAP server URL.

Example:

SET PARAMETER LDAPLinkURL='ldap://glw2k8-64.dc.com';

LDAPLinkInterval

The time interval, in seconds, at which the LDAP server and the Vertica server synchronize.

Default Value: 86400 (one day).

LDAPLinkFirstInterval

The first interval, in seconds, for LDAP/Vertica synchronization after the clerk node joins the cluster.

Default Value: 120

LDAPLinkRetryInterval

The time, in seconds, the system waits to retry a failed synchronization.

Default Value: 10

LDAPLinkRetryNumber

The number of retry attempts if synchronization fails.

Default Value: 10.

LDAPLinkSearchBase

The base DN from where to start replication.

Example:

SET PARAMETER LDAPLinkSearchBase='ou=vertica,dc=mycompany,dc=com';

Vertica recommends using a separate OU for database users.

LDAPLinkSearchTimeout

The timeout length, in seconds, for the LDAP search operation during an LDAP Link Service run.

Default Value: 10

LDAPLinkScope

Indicates which DN level to replicate.

Valid Values:

  • sub—Replicate entire subtree under baseDN
  • one—Replicate to one level under baseDN
  • base—Replicate only the baseDN level

If you decrease the scope (for example, sub to one), some users may not be recognized during the next synchronization.

Default Value: sub

LDAPLinkFilterUser

Determines how to filter users to be replicated.

Default Value: "(objectClass=inetOrgPerson)"

LDAPLinkFilterGroup

Determines how to filter groups to be replicated.

Default Value: "(objectClass=groupofnames)"

LDAPLinkGroupName

[Optional] The LDAP field to use when creating a role name in Vertica.

Default Value: cn

LDAPLinkGroupMembers

The LDAP attribute that identifies the members of an LDAP group. This attribute returns a Fully Qualified Domain Name (FQDN).

Default Value: member

LDAPLinkUserName

The LDAP field to use when creating a user name in Vertica.

Authentication Parameters

Parameter Description
LDAPLinkBindDN

The LDAP Bind DN used for authentication.

Example:

SET PARAMETER LDAPLinkBindDN='CN=amir,OU=QA,DC=dc,DC=com';

LDAPLinkBindPswd

The valid password for the LDAP Bind DN to access the server. Only accessible by the dbadmin user.

Example:

SET PARAMETER LDAPLinkBindPswd='password';

TLS Authentication Parameters

Parameter Description
LDAPLinkStartTLS

[Optional] Specifies whether or not to use the StartTLS operation during bind. You can only use this parameter if the LDAP server's URL is "ldap://..." (not "ldaps://...").

Valid Values:

0 - Do not use StartTLS

1 - Use StartTLS

Default Value: 0

LDAPLinkTLSReqCert

[Optional] Specifies how Vertica behaves when verifying the LDAP server's certificate when using TLS. The connection between Vertica and the LDAP server will only succeed if conditions for the specified value are met.

Valid Values:

hard: LDAP server must provide a valid certificate.

allow: LDAP server does not have to provide a certificate.

try: LDAP server must either provide a valid certificate or not provide one at all.

never: No requirements (Vertica does not request the LDAP server's certificate).

For details, see Using LDAP Over TLS.

Default Value: allow

LDAPLinkTLSCACert

[Optional] The path to a CA certificate.

LDAPLinkTLSCADir

[Optional] The path to the directory containing CA certificates.
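The following is an added example, not code from the Vertica documentation or from the product itself. It places the weakest transport settings the parameters above permit beside two hardened alternatives, using only the parameter names documented on this page. The database name myDB1, the host ldap.example.com, and the certificate paths are assumptions; substitute your own values.

```sql
-- Added example (not from the Vertica documentation page): weak TLS settings
-- beside two hardened sets, using only the parameters documented above.
-- Assumptions: database myDB1, directory host ldap.example.com, and
-- /etc/ssl/certs/corp-ldap-ca.pem as a placeholder path to the CA certificate
-- that signed the directory server's certificate.

-- Weak: plain ldap://, no StartTLS, and LDAPLinkTLSReqCert at its default of
-- 'allow'. The bind DN and password cross the network in clear text and the
-- server is never required to present a certificate.
=> ALTER DATABASE myDB1 SET PARAMETER LDAPLinkURL='ldap://ldap.example.com',
   LDAPLinkStartTLS='0', LDAPLinkTLSReqCert='allow';

-- Hardened, option 1: keep the ldap:// URL but upgrade the connection with
-- StartTLS (valid only with ldap://) and refuse any server that cannot present
-- a certificate chaining to the trusted CA file.
=> ALTER DATABASE myDB1 SET PARAMETER LDAPLinkURL='ldap://ldap.example.com',
   LDAPLinkStartTLS='1', LDAPLinkTLSReqCert='hard',
   LDAPLinkTLSCACert='/etc/ssl/certs/corp-ldap-ca.pem';

-- Hardened, option 2: an ldaps:// URL. LDAPLinkStartTLS must stay 0 here,
-- because StartTLS applies only to ldap:// URLs; certificate verification is
-- still enforced through LDAPLinkTLSReqCert, this time against a CA directory.
=> ALTER DATABASE myDB1 SET PARAMETER LDAPLinkURL='ldaps://ldap.example.com',
   LDAPLinkStartTLS='0', LDAPLinkTLSReqCert='hard',
   LDAPLinkTLSCADir='/etc/ssl/certs/';
```

Either hardened variant changes connection and authentication parameters, so LDAP Link reconnects and re-initializes synchronization after the statement runs. Keeping LDAPLinkTLSReqCert at 'hard' is what makes the CA path meaningful: with 'allow' or 'try', a server that presents no certificate at all is still accepted.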

Miscellaneous Parameters

Parameter Description
LDAPLinkConflictPolicy

Determines how to resolve a user conflict.

Valid Values:

IGNORE—Ignores the incoming LDAP user and maintains the existing Vertica user.

MERGE—Converts the existing user to an LDAP user.

Default Value: MERGE

LDAPLinkStopIfZeroUsers

Enables or disables the shutdown of LDAPLink synchronization if no users are found in LDAP.

Valid values:

0 - Disables the LDAPLink synchronization shutdown if no users are found. This may lead to inadvertent dropping of Vertica users.

1 - Enables the LDAPLink synchronization shutdown if no users are found. This prevents inadvertent dropping of Vertica users.

LDAPLinkDryRun

[Optional] Tests the connection to the LDAP server and logs the response without doing a synchronization. Also tests if parameters are correctly set.

Note that this parameter is not the preferred dry run method. Instead, the LDAP_Link_Dryrun family of metafunctions provides more granular control over configurations and is the preferred way to perform LDAP Link dry runs.

Valid Values:

0 - Disables LDAPLinkDryRun

1 - Enables LDAPLinkDryRun

Default Value: 0

LDAPLinkConfigFile

[Optional] If this parameter is set with the path to a .LDIF file, the LDAP Link service will use the file as the source tree instead of connecting to the LDAP server.
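The following is an added example, not code from the Vertica documentation or from the product itself. It combines the scope, conflict, shutdown, retry and dry-run parameters documented on this page into a conservative first rollout. The database name myDB1 and the OU ou=vertica,dc=corp,dc=com are assumptions; the page only recommends that database users live in a separate OU.

```sql
-- Added example (not from the Vertica documentation page): conservative
-- synchronization settings for a first rollout, using the parameters above.
-- Assumptions: database myDB1 and a dedicated OU ou=vertica,dc=corp,dc=com
-- that holds only the accounts that should become Vertica users.

-- Replicate as narrowly as the directory layout allows: a dedicated OU with
-- scope 'one' rather than the whole domain with 'sub'. Settle the scope before
-- enabling the service, because moving from 'sub' to 'one' later can leave
-- existing users unrecognized on the next synchronization.
=> ALTER DATABASE myDB1 SET PARAMETER
   LDAPLinkSearchBase='ou=vertica,dc=corp,dc=com', LDAPLinkScope='one';

-- Refuse to drop users when a misconfiguration or directory outage makes the
-- search return nothing, and keep pre-existing Vertica users untouched on a
-- name collision instead of converting them to LDAP users.
=> ALTER DATABASE myDB1 SET PARAMETER LDAPLinkStopIfZeroUsers='1',
   LDAPLinkConflictPolicy='IGNORE';

-- Fail fast on an unreachable directory instead of retrying for minutes.
=> ALTER DATABASE myDB1 SET PARAMETER LDAPLinkSearchTimeout='10',
   LDAPLinkRetryInterval='10', LDAPLinkRetryNumber='3';

-- Exercise the connection and parameters without synchronizing, then review
-- the logged response before switching the dry run off and enabling the link.
=> ALTER DATABASE myDB1 SET PARAMETER LDAPLinkDryRun='1';
-- ... review the logged response ...
=> ALTER DATABASE myDB1 SET PARAMETER LDAPLinkDryRun='0', LDAPLinkOn='1';
```

The LDAPLinkDryRun step is the one this page documents; the LDAP_Link_Dryrun family of metafunctions that the page names as the preferred method is not shown here because its signatures are not part of this page. Once the first synchronization has been checked, the conflict policy can be revisited: IGNORE keeps locally created users out of LDAP's control, which is safer during rollout but means those users are not subject to later directory changes.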

See Managing Configuration Parameters: VSQL for information on setting LDAP Link parameters.

When you change any Connection or Authentication parameter, LDAP Link reconnects and re-initializes the synchronization.