Using LDAP Link

When you implement LDAP Link the following are directly affected and help you manage and monitor the LDAP Link - Vertica Analytic Database synchronization:

User and Group Management

Users and groups created on the LDAP server have a specific relationship with those users and roles replicated to the Vertica server:

LDAP Link uses the entries in the dn: section of the LDAP configuration file as the unique user identifier when synchronizing a user to the Vertica Analytic Database:

dn: cn=user1,ou=dev,dc=example,dc=com
cn: user1
ou: dev
id: user1

The uid parameter in the LDAP configuration file indicates the LDAP user name.

uid: user1

Upon synchronization, the dn: entry gets mapped to the uid: to identify the Vertica Analytic Database user.

If you change a setting in the dn: and do not change the uid: LDAP Link interprets the user as a new user when re-synchronizing with the Vertica Analytic Database. In this case, the existing Vertica Analytic Database user with that uid: gets deleted from Vertica and a new Vertica Analytic Database user is created.

If you change the uid: and not the dn: on LDAP, the uid on the Vertica Analytic Database gets updated to the new uid. Since you did not change the dn: LDAP Link does not interpret the user as a new user.

LDAP Link User Flag

As a dbadmin user, you can access the vs_users table to monitor user behavior on the Vertica Analytic Database. The users table contains an ldap_dn field that identifies whether or not the Vertica Analytic Database user is also an LDAP Link user. This example shows the ldap_dn field set to dn indicating the Vertica Analytic Database user is also an LDAP Link user:

=> SELECT * FROM vs_users;
-[ RECORD 1 ]---------+--------------------------------------------------
user_id               | 45035996273704962
user_name             | dbadmin
is_super_user         | t
profile_name          | default
is_locked             | f
lock_time             |
resource_pool         | general
memory_cap_kb         | unlimited
temp_space_cap_kb     | unlimited
run_time_cap          | unlimited
max_connections       | unlimited
connection_limit_mode | database
idle_session_timeout  | unlimited
all_roles             | dbduser*, dbadmin*, pseudosuperuser*
default_roles         | dbduser*, dbadmin*, pseudosuperuser*
search_path           |
ldap_dn               | dn
ldap_uri_hash         | 0
is_orphaned_from_ldap | f

Blocked Commands

Be aware that the following SQL statements are blocked for Vertica Analytic Database users with ldapdn set to dn in the vs_users table:

Client Authentication Types

LDAP user and groups cannot log into Vertica if client authentication is not assigned to the user or group. You can use the following valid authentication types for LDAP users and groups: