LDAP Link Service

LDAP Link synchronizes users and groups from an LDAP server into the Vertica server. This removes the need to maintain two sets of users and groups (or roles), one on the LDAP server and another on the Vertica server. With LDAP synchronization, the Vertica catalog holds a replica of the LDAP users and groups, and the LDAP server remains the authoritative source.

Automatic Synchronization

With LDAP Link, the Vertica server integrates closely with an existing directory service such as Microsoft Active Directory or OpenLDAP. The Vertica server automatically synchronizes the users and groups that the LDAP Link filters select, creating the corresponding Vertica users and roles.

You manage all user and group properties on the LDAP server. As the Vertica database administrator, you need only set up permissions for Vertica Analytic Database access on the synchronized users and roles.

Configure LDAP Link with the LDAP Link connection parameters, which reside in the catalog. Because the bind password is one of those parameters, use a dedicated bind account that has only the read access the synchronization needs. See Set LDAP Link Parameters for more information.

Enable LDAP Link

Enable LDAP Link as shown. Before setting LDAPLinkOn, verify the bind DN, search base and filters directly against the directory (for example with ldapsearch) so that the first synchronization creates only the users and groups you intend:

=> ALTER DATABASE dbname SET PARAMETER LDAPLinkURL='ldap://example.dc.com',
    LDAPLinkSearchBase='dc=DC,dc=com', LDAPLinkBindDN='CN=jsmith,OU=QA,DC=dc,DC=com',
    LDAPLinkBindPswd='password', LDAPLinkFilterUser='(objectClass=inetOrgPerson)',
    LDAPLinkFilterGroup='(objectClass=group)', LDAPLinkOn=1;
=> SELECT ldap_link_sync_start();

The URL in this example uses plain ldap://, so the bind DN and password cross the network unencrypted; where the directory offers a TLS-protected endpoint, use it instead.

See LDAP Link Parameters.

LDAP Link Workflow

After you enable LDAP Link, synchronization occurs according to this workflow:

  1. The system administrator creates users and groups on the LDAP server.
  2. The Vertica database administrator sets the LDAP Link service parameters as required and enables the service.
  3. Using the LDAP Link service, Vertica Analytic Database replicates the users and groups from the LDAP server into the Vertica catalog, creating Vertica users and roles. LDAP group membership becomes Vertica role membership.
  4. When a synchronized user logs in, Vertica authenticates the user with the authentication method assigned to that user (for example LDAP, or Kerberos through a KDC). LDAP Link itself only replicates identities; it does not authenticate logins.
    • The LDAP user can log in to Vertica only after being assigned the appropriate authentication method.
    • After login, the user holds the privileges granted directly with GRANT statements, plus those granted to the roles created from the user's groups.

Note: After synchronization, a Vertica Analytic Database user has no associated authentication method and therefore cannot log in. To allow the user to log in, assign an authentication method to the user. See Implementing Client Authentication.
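The workflow above as one SQL session, added here as an illustration; it is not taken from the Vertica documentation page. It reuses the page's parameter values. The user jsmith, the role analysts (assumed to have been created by the synchronization from an LDAP group of that name), the authentication record ldap_auth, the client network 10.0.0.0/8 and the table sales are placeholders. The CREATE, ALTER and GRANT AUTHENTICATION statements belong to the client authentication area that the Note refers to, not to this page.

```sql
-- Added example, not from the Vertica documentation page.
-- Placeholders: dbname, jsmith, analysts, ldap_auth, 10.0.0.0/8, sales.

-- Step 2: set the LDAP Link parameters (values from the page) and enable the service.
-- The bind password is stored in the catalog, so the bind account should be read-only.
ALTER DATABASE dbname SET PARAMETER
    LDAPLinkURL         = 'ldap://example.dc.com',
    LDAPLinkSearchBase  = 'dc=DC,dc=com',
    LDAPLinkBindDN      = 'CN=jsmith,OU=QA,DC=dc,DC=com',
    LDAPLinkBindPswd    = 'password',
    LDAPLinkFilterUser  = '(objectClass=inetOrgPerson)',
    LDAPLinkFilterGroup = '(objectClass=group)',
    LDAPLinkOn          = 1;

-- Step 3: replicate users and groups now instead of waiting for the next
-- scheduled run, then confirm that the expected user and role exist.
SELECT ldap_link_sync_start();
SELECT user_name FROM v_catalog.users WHERE user_name = 'jsmith';
SELECT name      FROM v_catalog.roles WHERE name = 'analysts';

-- Step 4 and the Note: a synchronized user has no authentication method.
-- Create an LDAP authentication record for clients on 10.0.0.0/8 (assumed
-- client network) and grant it to the user so the login can be verified
-- against the same directory the accounts came from.
CREATE AUTHENTICATION ldap_auth METHOD 'ldap' HOST '10.0.0.0/8';
ALTER AUTHENTICATION ldap_auth SET
    host          = 'ldap://example.dc.com',
    basedn        = 'dc=DC,dc=com',
    binddn_prefix = 'CN=',
    binddn_suffix = ',OU=QA,DC=dc,DC=com';
GRANT AUTHENTICATION ldap_auth TO jsmith;

-- Privileges: grant to the group-derived role, not to the individual user,
-- so that group changes carried over by the next synchronization also
-- change who holds the privilege. The role must be enabled in the session
-- (SET ROLE) or set as a default role before it takes effect.
GRANT SELECT ON TABLE sales TO analysts;
ALTER USER jsmith DEFAULT ROLE analysts;
```

Granting privileges to the synchronized roles rather than to users keeps the LDAP server authoritative: removing jsmith from the analysts group in LDAP removes the role membership on the next synchronization, and with it the SELECT privilege, without any further change in Vertica.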