LDAP Link Parameters
Use LDAP Link parameters to determine:
- LDAP Link operations, such as enabling or disabling LDAP Link and how often to perform replication
- Authentication parameters, including SSL authentication parameters
- Users and groups that inherit unowned objects
- How to resolve conflicts
Set LDAP Link Parameters
This example shows how you can set:
- The URL of the LDAP server (LDAPLinkURL) and
- The base DN from where to start replication (LDAPLinkSearchBase)
You also see how to set the LDAP Link bind authentication parameters (LDAPLinkBindDN and LDAPLinkBindPswd) and enable LDAP Link (LDAPLinkOn).
```sql
=> ALTER DATABASE myDB1 SET PARAMETER LDAPLinkURL='ldap://10.60.55.128',
   LDAPLinkSearchBase='dc=corp,dc=com',
   LDAPLinkBindDN='dc=corp,dc=com',
   LDAPLinkBindPswd='password';
=> ALTER DATABASE myDB1 SET PARAMETER LDAPLinkOn = '1';
```
General and Connection Parameters
Parameter | Description |
---|---|
LDAPLinkOn | Enables or disables LDAP Link. Valid values: 0 (LDAP Link disabled); 1 (LDAP Link enabled). Default value: 0 |
LDAPLinkURL | The LDAP server URL. Example: `SET PARAMETER LDAPLinkURL='ldap://glw2k8-64.dc.com';` |
LDAPLinkInterval | The time interval, in seconds, at which the LDAP server and the Vertica server synchronize. Default value: 86400 (one day) |
LDAPLinkFirstInterval | The first interval, in seconds, for LDAP/Vertica synchronization after the clerk node joins the cluster. Default value: 120 |
LDAPLinkRetryInterval | The time, in seconds, that the system waits before retrying a failed synchronization. Default value: 10 |
LDAPLinkRetryNumber | The number of retry attempts if a synchronization fails. Default value: 10 |
LDAPLinkSearchBase | The base DN from which replication starts. Example: `SET PARAMETER LDAPLinkSearchBase='ou=vertica,dc=mycompany,dc=com';` Vertica recommends using a separate OU for database users. |
LDAPLinkSearchTimeout | The timeout, in seconds, for the LDAP search operation during an LDAP Link service run. Default value: 10 |
LDAPLinkScope | Indicates what DN level to replicate. Valid values: If you decrease the scope (for example, Default value: |
LDAPLinkFilterUser | Determines how to filter the users to be replicated. Default value: "(objectClass=inetOrgPerson)" |
LDAPLinkFilterGroup | Determines how to filter the groups to be replicated. Default value: "(objectClass=groupofnames)" |
LDAPLinkGroupName | [Optional] The LDAP field to use when creating a role name in Vertica. Default value: |
LDAPLinkGroupMembers | The LDAP attribute that identifies the members of an LDAP group. This attribute returns a Fully Qualified Domain Name (FQDN). Default value: |
LDAPLinkUserName | The LDAP field to use when creating a user name in Vertica. |
Authentication Parameters
Parameter | Description |
---|---|
LDAPLinkBindDN | The LDAP bind DN used for authentication. Example: `SET PARAMETER LDAPLinkBindDN='CN=amir,OU=QA,DC=dc,DC=com';` |
LDAPLinkBindPswd | The password for the LDAP bind DN to access the server. Only accessible by the dbadmin user. Example: `SET PARAMETER LDAPLinkBindPswd='password';` |
TLS Authentication Parameters
Parameter | Description |
---|---|
LDAPLinkStartTLS | [Optional] Specifies whether to use the StartTLS operation during bind. You can only use this parameter if the LDAP server's URL is "ldap://..." (not "ldaps://..."). Valid values: 0 (do not use StartTLS); 1 (use StartTLS). Default value: 0 |
LDAPLinkTLSReqCert | [Optional] Specifies how Vertica verifies the LDAP server's certificate when using TLS. The connection between Vertica and the LDAP server succeeds only if the conditions for the specified value are met. Valid values: hard (the LDAP server must provide a valid certificate); allow (the LDAP server does not have to provide a certificate); try (the LDAP server must either provide a valid certificate or provide none at all); never (no requirements; Vertica does not request the LDAP server's certificate). For details, see Using LDAP Over TLS. Default value: allow |
LDAPLinkTLSCACert | [Optional] The path to a CA certificate. |
LDAPLinkTLSCADir | [Optional] The path to the directory containing CA certificates. |
Miscellaneous Parameters
Parameter | Description |
---|---|
LDAPLinkConflictPolicy | Determines how to resolve a user conflict. Valid values: IGNORE (ignores the incoming LDAP user and keeps the existing Vertica user); MERGE (converts the existing user to an LDAP user). Default value: MERGE |
LDAPLinkStopIfZeroUsers | Enables or disables stopping the LDAP Link synchronization if no users are found in LDAP. Valid values: 0 (does not stop the synchronization if no users are found, which may lead to inadvertent dropping of Vertica users); 1 (stops the synchronization if no users are found, which prevents inadvertent dropping of Vertica users). |
LDAPLinkDryRun | [Optional] Tests the connection to the LDAP server and logs the response without performing a synchronization. Also tests whether the parameters are set correctly. This parameter is not the preferred dry run method: the LDAP_Link_Dryrun family of metafunctions provides more granular control over configurations and is the preferred way to perform LDAP Link dry runs. Valid values: 0 (disables LDAPLinkDryRun); 1 (enables LDAPLinkDryRun). Default value: 0 |
LDAPLinkConfigFile | [Optional] If set to the path of an .LDIF file, the LDAP Link service uses that file as the source tree instead of connecting to the LDAP server. |
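The TLS and Miscellaneous parameters above combine into a hardened LDAP Link setup. The following is an added example, not from the original page or the Vertica documentation: it contrasts the defaults (plaintext LDAP, LDAPLinkTLSReqCert left at allow, so the server is never required to prove its identity) with a configuration that enforces certificate verification and guards against an empty LDAP result dropping every Vertica user. The database name myDB1 comes from the page; the host name ldap.example.com and the CA path are constructed placeholders.

```sql
-- Weak (the defaults): plaintext LDAP and LDAPLinkTLSReqCert='allow'.
-- Even with StartTLS, 'allow' lets the server skip presenting a certificate,
-- so the bind DN password can be sent to an unauthenticated peer.
ALTER DATABASE myDB1 SET PARAMETER
    LDAPLinkURL='ldap://ldap.example.com',   -- constructed host name
    LDAPLinkStartTLS='0',
    LDAPLinkTLSReqCert='allow';

-- Hardened: upgrade the ldap:// connection with StartTLS (the URL must stay
-- ldap://, not ldaps://, for LDAPLinkStartTLS to apply), require a valid
-- certificate, and verify it against a pinned CA file.
ALTER DATABASE myDB1 SET PARAMETER
    LDAPLinkURL='ldap://ldap.example.com',
    LDAPLinkStartTLS='1',
    LDAPLinkTLSReqCert='hard',
    LDAPLinkTLSCACert='/etc/vertica/ldap-ca.pem';   -- assumed CA certificate path

-- Safety parameters from the Miscellaneous table: abort the sync when the
-- LDAP search returns zero users (a bad filter or an outage must not drop all
-- Vertica users), and rehearse with a dry run before enabling replication.
ALTER DATABASE myDB1 SET PARAMETER
    LDAPLinkStopIfZeroUsers='1',
    LDAPLinkDryRun='1';

-- Once the logged dry-run response looks right, switch dry run off and enable LDAP Link.
ALTER DATABASE myDB1 SET PARAMETER LDAPLinkDryRun='0';
ALTER DATABASE myDB1 SET PARAMETER LDAPLinkOn='1';
```

The page notes that the LDAP_Link_Dryrun metafunctions are the preferred dry-run method; LDAPLinkDryRun is used here only because it is the parameter this table documents.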
See Managing Configuration Parameters: VSQL for information on setting LDAP Link parameters.
When you change any Connection or Authentication parameter, LDAP Link reconnects and re-initializes the synchronization.