Service Accounts and Organizational Units
Before you configure LDAP authentication for your Vertica database, consider the following steps. These recommendations can improve the effectiveness and maintainability of LDAP-based security on your system:
- Create a service account on your LDAP server. A service account is a single account that is set up specifically so that users in a given organization can share one account that configures LDAP access. Create a service account and use it in your LDAP URL to avoid embedding individual account names and passwords, which change often. If you add, remove, or change users, you do not have to modify the LDAP URL. Having a service account allows you to restrict individual users from searching the LDAP server while still allowing applications like Vertica to search it.
- Set up an organizational unit (OU). Create an Active Directory OU, which is a group of users in a given organization. Add all the Vertica users to the OU, and specify the OU in the LDAP URL. Doing so allows the LDAP server to search just the Vertica OU for the user, minimizing search time. In addition, using a dedicated OU prevents changes made for other applications from affecting the users' OUs.
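The following is an added example of how both recommendations fit together in a Vertica bind-and-search authentication record; it is not taken from the Vertica documentation, and the host name, distinguished names, and password placeholder are assumptions.

```sql
-- Added example (not Vertica's own documentation): LDAP bind-and-search
-- authentication that uses a dedicated service account and a Vertica OU.
-- All DNs, the host, and the password are assumed placeholder values.

-- 1. Create an LDAP authentication record for remote client connections.
CREATE AUTHENTICATION v_ldap_bind_search METHOD 'ldap' HOST '0.0.0.0/0';

-- 2. Point the record at the directory, scoped to the Vertica OU, and bind
--    with the service account rather than an individual user's credentials.
ALTER AUTHENTICATION v_ldap_bind_search SET
    host             = 'ldap://ldap.example.com',                          -- assumed
    -- basedn limits the search to the Vertica OU (faster, fewer accounts exposed)
    basedn           = 'ou=Vertica,dc=example,dc=com',                     -- assumed
    -- binddn/bindpasswd: the service account used only for the lookup;
    -- it needs read/search rights on the Vertica OU and nothing more.
    binddn           = 'cn=vertica-svc,ou=ServiceAccounts,dc=example,dc=com', -- assumed
    bindpasswd       = '<SERVICE_ACCOUNT_PASSWORD>',                       -- placeholder
    -- attribute matched against the Vertica user name during the search
    search_attribute = 'sAMAccountName',
    -- require STARTTLS so the service-account bind is not sent in clear text
    starttls         = 'hard';

-- 3. Assign the record to the database users (or PUBLIC) that should
--    authenticate through LDAP. Adding or removing directory users later
--    requires no change to this record, only to the OU membership.
GRANT AUTHENTICATION v_ldap_bind_search TO PUBLIC;
```

Because the service-account password is stored in the authentication record, restrict who can read the record (for example via `v_catalog.client_auth` privileges) and rotate the password on the same schedule as other shared secrets.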