Troubleshooting LDAP Link Issues

Various issues can arise with LDAP Link Service, including:

  • Disconnected (Orphaned) Users and Roles
  • Lost Objects
  • User Conflicts

Disconnected (Orphaned) Users and Roles

Vertica Analytic Database users and roles synchronized through LDAP Link can become disconnected, or orphaned, if an issue arises with the LDAP Link service. For example, users and roles become orphaned when you change the connection to the LDAP server as the following scenario describes:

  1. Create an LDAP connection as follows:
     => ALTER DATABASE MyDB1 SET PARAMETER LDAPLinkURL='ldap://ebuser',
        LDAPLinkSearchBase='dc=example,dc=com', LDAPLinkBindDN='mega',
        LDAPLinkBindPswd='$megapassword$';
     => ALTER DATABASE MyDB1 SET PARAMETER LDAPLinkOn = '1';
  2. Run an LDAP Link session to synchronize LDAP and Vertica users.
  3. Change one or more of the connection parameters from Step 1. The connection is treated as changed only if you change the LDAPLinkURL or LDAPLinkSearchBase parameter.
  4. Run another LDAP Link session. The system attempts to re-synchronize LDAP and Vertica users. Because the connection has changed, the existing Vertica users cannot be matched with the LDAP users from the new connection, and they become orphaned.

As a dbadmin user, you can identify orphaned users by checking the field is_orphaned_from_ldap in the users system table:

 => SELECT is_orphaned_from_ldap FROM users;

A field value of t indicates that the user is orphaned. Orphaned Vertica users cannot connect to the LDAP server and cannot log in to Vertica using LDAP authentication (other authentication methods assigned to the user still work). In this case, you can delete the orphaned Vertica user and run the LDAP Link service to resynchronize users.

Re-parented Objects

When you delete users or groups from the linked LDAP server, the LDAP Link service removes the corresponding users and roles from Vertica Analytic Database. However, the service does not delete objects owned by the deleted user. Use the GlobalHeirUsername parameter to assign those objects to a new owner (re-parent them).

Example:

=> ALTER DATABASE example_db SET PARAMETER GlobalHeirUsername='user1';

This creates a new user named user1 if one does not already exist. The GlobalHeirUsername user becomes the new owner of all objects that belonged to deleted users.

By default, this parameter is set to <auto> which re-parents the objects to the dbadmin user.

If you leave GlobalHeirUsername empty, the objects are not re-parented to another user.

For more information see GlobalHeirUsername in Security Parameters.

User Conflicts

Vertica Analytic Database users and roles synchronized using LDAP Link can become conflicted. Such conflicts can occur, for example, when you create a new user or group on the LDAP server and another user or role with the same name exists on the Vertica Analytic Database.

As a dbadmin user, use one of the following parameters to resolve user conflicts:

  • LDAPLinkConflictPolicy
  • LDAPLinkStopIfZeroUsers

LDAPLinkConflictPolicy

Use LDAPLinkConflictPolicy to resolve any user conflicts:

  • LDAPLinkConflictPolicy=IGNORE - Ignores the incoming LDAP user and keeps the existing Vertica user
  • LDAPLinkConflictPolicy=MERGE - Merges the incoming LDAP user with the Vertica user, converting the database user to an LDAP user while retaining the database user's objects

Example:

=> ALTER DATABASE example_db SET PARAMETER LDAPLinkConflictPolicy='MERGE';

The default is MERGE. If you change LDAPLinkConflictPolicy, the change takes effect on the next synchronization.

LDAPLinkStopIfZeroUsers

Use LDAPLinkStopIfZeroUsers to prevent an accidental dropping of Vertica users if the LDAP Link synchronization does not find any LDAP users.

LDAPLinkStopIfZeroUsers=0 - Does not stop the LDAP Link synchronization if no users are found in LDAP. The synchronization then drops all Vertica users.

LDAPLinkStopIfZeroUsers=1 - Stops the LDAP Link synchronization if no users are found in LDAP and displays an error. This prevents Vertica users from being dropped when the empty result is caused by some other issue.

Monitoring LDAP Link

Use the ldap_link_events table to monitor events that occurred during an LDAP Link synchronization:

=> SELECT transaction_id, event_type, entry_name, entry_oid FROM ldap_link_events;
   transaction_id |    event_type      | entry_name | entry_oid
------------------+--------------------+------------+-----------
45035996273705317 | SYNC_STARTED       |            |         0
45066962732553589 | SYNC_FINISHED      |            |         0
45066988112255317 | PROCESSING_STARTED |            |         0
23411234566789765 | USER_CREATED       | tuser      | 234548899
(4 rows)
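The following is an added example, not part of the original documentation: a dbadmin review script that applies the protective settings described in the sections above and then runs the orphan and event checks in one pass. It assumes the users system table exposes a user_name column and that example_db and ldap_heir are placeholder names; the parameter values are illustrative choices, not recommended defaults.

```sql
-- Added example (not from the original page). Run as dbadmin.
-- Assumes: users.user_name exists; example_db / ldap_heir are placeholders.

-- 1. Do not drop every Vertica user when LDAP returns no users
--    (with the value 0, an empty LDAP result drops them all).
ALTER DATABASE example_db SET PARAMETER LDAPLinkStopIfZeroUsers = '1';

-- 2. Give objects of deleted LDAP users a named owner instead of
--    leaving them unassigned (empty value) or defaulting to dbadmin (<auto>).
ALTER DATABASE example_db SET PARAMETER GlobalHeirUsername = 'ldap_heir';

-- 3. Choose the conflict policy explicitly: IGNORE keeps the existing
--    Vertica user, MERGE (the default) converts it to an LDAP user.
--    The change applies on the next synchronization.
ALTER DATABASE example_db SET PARAMETER LDAPLinkConflictPolicy = 'IGNORE';

-- 4. List orphaned users by name so each can be reviewed before it is
--    deleted and the users resynchronized.
SELECT user_name
FROM users
WHERE is_orphaned_from_ldap
ORDER BY user_name;

-- 5. Count events per synchronization transaction and type; a transaction
--    whose counts differ sharply from earlier ones deserves a closer look.
SELECT transaction_id, event_type, COUNT(*) AS event_count
FROM ldap_link_events
GROUP BY transaction_id, event_type
ORDER BY transaction_id, event_type;
```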