LDAP and User Accounts

Posted January 30, 2017 by Soniya Shah, Information Developer


If you are a database administrator, you probably need to authenticate users in Vertica. There are many methods users can use to authenticate, including Ident, Kerberos, LDAP, and hash. This blog walks you through the steps to take if you want to authenticate some users using LDAP and other users using database passwords.

Step 1: Create an authentication method for LDAP users and point it at your LDAP server. The binddn_prefix and binddn_suffix are wrapped around the login name to form the bind DN:
=> CREATE AUTHENTICATION ldap_auth method 'ldap' HOST '0.0.0.0/0';
=> ALTER AUTHENTICATION ldap_auth SET host = 'ldap://192.168.90.130:389', binddn_prefix = 'uid=', binddn_suffix = ',ou=vertica,dc=example,dc=com';

Step 2: Create an authentication method for non-LDAP users:
=> CREATE AUTHENTICATION pass_auth method 'hash' HOST '0.0.0.0/0';

Step 3: Create a role for all LDAP users:
=> CREATE ROLE ldap_auth_role;

Step 4: Create a role for all non-LDAP users (those using passwords). This helps you organize the types of users:
=> CREATE ROLE pass_auth_role;

Step 5: Grant LDAP authentication to the LDAP role:
=> GRANT AUTHENTICATION ldap_auth TO ldap_auth_role;

Step 6: Grant password authentication to the password role and to dbadmin:
=> GRANT AUTHENTICATION pass_auth TO dbadmin;
=> GRANT AUTHENTICATION pass_auth TO pass_auth_role;

Step 7: Add all your non-LDAP users to the password role. Note that you can enter the users as part of a comma-separated list:
=> GRANT pass_auth_role TO jboyer, ltrusty, dalarcon, fcollins, jcalahan, efeliciano, amcray, hgron;

Step 8: Add all LDAP users to the LDAP role. Again, we can enter the users as a comma separated list:
=> GRANT ldap_auth_role TO tgowill, jwilson, rpedigo, vrobbins, htaveras, cstraus, nmassa;
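Before testing logins, it helps to confirm that the catalog reflects what the eight steps above were meant to produce. The queries below are an added example, not part of the original post; they assume Vertica's v_catalog.client_auth and v_catalog.users system tables with the column names shown (confirm them against your version's documentation), and they treat the user and role names from the steps above as the expected state.

```sql
-- Added verification queries (not from the original post). Assumed system
-- tables: v_catalog.client_auth and v_catalog.users with the columns used here.

-- 1. List every authentication method with its type, host filter and
--    parameters. Expect ldap_auth (ldap) and pass_auth (hash), both allowed
--    from any client address (0.0.0.0/0). A method that is not enabled is
--    never consulted, so is_auth_enabled is worth a glance too.
SELECT auth_name,
       auth_method,
       auth_host_address,
       auth_parameters,
       is_auth_enabled
FROM   v_catalog.client_auth
ORDER  BY auth_name;

-- 2. Show which users carry the LDAP role and which carry the password role.
--    all_roles lists roles granted directly or inherited through another role.
SELECT user_name,
       all_roles
FROM   v_catalog.users
WHERE  all_roles ILIKE '%ldap_auth_role%'
   OR  all_roles ILIKE '%pass_auth_role%'
ORDER  BY user_name;

-- 3. Flag the gap: users with neither role (dbadmin excluded, since it was
--    granted pass_auth directly). Such a user will not match either method
--    you intended, so find them before the helpdesk does. COALESCE keeps a
--    NULL all_roles (user with no roles at all) from dropping out of the result.
SELECT user_name
FROM   v_catalog.users
WHERE  user_name <> 'dbadmin'
  AND  COALESCE(all_roles, '') NOT ILIKE '%ldap_auth_role%'
  AND  COALESCE(all_roles, '') NOT ILIKE '%pass_auth_role%'
ORDER  BY user_name;
```

Query 3 should return no rows once Steps 7 and 8 have been applied to every account; any name it does return is a user whose login will be decided by whatever method Vertica falls back to rather than by the role you placed them in.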

At this point you can test your configuration. Now, let’s consider that you have additional LDAP entries. You must create additional authentication methods for these entries.

Step 9: Create additional authentication methods and set the LDAP_CONTINUE parameter. When it is set to 'yes', a "user not found" result from one LDAP method does not reject the login; Vertica instead retries the connection against the next LDAP authentication method:
=> CREATE AUTHENTICATION ldap_access1 method 'ldap' HOST '0.0.0.0/0';
=> ALTER AUTHENTICATION ldap_access1 SET host = 'ldap://192.168.90.120:459', ldap_continue = 'yes', binddn_prefix = 'uid=', binddn_suffix = ',ou=vertica,dc=example,dc=com';
=> CREATE AUTHENTICATION ldap_access2 method 'ldap' HOST '0.0.0.0/0';
=> ALTER AUTHENTICATION ldap_access2 SET host = 'ldap://192.168.60.120:329', ldap_continue = 'yes', binddn_prefix = 'uid=', binddn_suffix = ',ou=vertica,dc=example,dc=com';

Step 10: Alter the original LDAP authentication rule (ldap_auth from Step 1) to set LDAP_CONTINUE as well, so that a user missing from the first directory falls through to the others:
=> ALTER AUTHENTICATION ldap_auth SET ldap_continue = 'yes';

Now you are ready to test your configuration, with some users authenticating using LDAP and others using passwords. For best results, also configure TLS authentication: over a plain ldap:// connection the bind credentials Vertica sends to the directory server travel in clear text.
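Two things the steps above leave implicit are the order in which the three LDAP methods are tried once LDAP_CONTINUE is on, and how to get the bind off a plaintext port. The statements below are an added example, not part of the original post. They assume the ALTER AUTHENTICATION ... PRIORITY clause and the LDAP parameters starttls and tls_cacert exist in your Vertica version (check the documentation before relying on them), and the port 636, CA file path and priority values are constructed placeholders.

```sql
-- Added hardening example (not from the original post). Assumptions:
--   * ALTER AUTHENTICATION <name> PRIORITY <n> orders the methods
--     (higher is tried first);
--   * an ldaps:// host URL selects LDAP over TLS;
--   * starttls = 'hard' and tls_cacert = '<path>' are valid LDAP parameters.
-- Port 636, the CA path and the priority numbers are placeholders.

-- 1. Make the LDAP_CONTINUE retry chain deterministic. With explicit
--    priorities the directory that holds most accounts is asked first and
--    the others only see the "user not found" fall-through.
ALTER AUTHENTICATION ldap_auth    PRIORITY 30;
ALTER AUTHENTICATION ldap_access1 PRIORITY 20;
ALTER AUTHENTICATION ldap_access2 PRIORITY 10;

-- 2. Replace the plaintext endpoint from Step 1 with an LDAPS endpoint.
--    Every parameter is restated so the method is fully defined by this
--    one statement and nothing is left to merge semantics.
ALTER AUTHENTICATION ldap_auth SET
    host          = 'ldaps://192.168.90.130:636',
    ldap_continue = 'yes',
    binddn_prefix = 'uid=',
    binddn_suffix = ',ou=vertica,dc=example,dc=com';

-- 3. Alternatively keep the original port but require StartTLS, pinning the
--    directory's CA so a spoofed LDAP server cannot collect bind passwords.
ALTER AUTHENTICATION ldap_access1 SET
    host          = 'ldap://192.168.90.120:459',
    ldap_continue = 'yes',
    starttls      = 'hard',
    tls_cacert    = '/etc/ssl/certs/corp-ldap-ca.pem',
    binddn_prefix = 'uid=',
    binddn_suffix = ',ou=vertica,dc=example,dc=com';

-- 4. Confirm the final state before testing logins.
SELECT auth_name, auth_priority, auth_parameters
FROM   v_catalog.client_auth
WHERE  auth_method = 'ldap'
ORDER  BY auth_priority DESC;
```

Use either option 2 or option 3 per LDAP method, not both; the point is that no method in the chain still binds over an unencrypted ldap:// URL once you are done, which the final SELECT lets you verify in one place.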

For more information, see TLS Authentication in the Vertica documentation.