
Enable TLS or LDAPS (which of the two protocols is used depends on the value of host in the AUTHENTICATION object) by setting TLSMODE to one of the following. TRY_VERIFY and higher require a CA certificate:

  • ENABLE: Enables TLS. Vertica does not verify the LDAP server's certificate.

  • TRY_VERIFY: Establishes a TLS connection if one of the following is true:

    • The LDAP server presents a valid certificate.

    • The LDAP server does not present a certificate.

    If the LDAP server presents an invalid certificate, a plaintext connection is used.

  • VERIFY_CA: The connection succeeds if Vertica verifies that the LDAP server's certificate was issued by a trusted CA. With this TLSMODE, any connection in which the server presents no certificate falls back to plaintext.

  • VERIFY_FULL: The connection succeeds if Vertica verifies that the LDAP server's certificate was issued by a trusted CA and that the cn (Common Name) or subjectAltName attribute matches the hostname or IP address of the LDAP server.

    The cn is used for the username, so subjectAltName must match the hostname or IP address of the LDAP server.
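As an added example (not taken from the Vertica documentation or product), the following shows an AUTHENTICATION object configured with the weakest TLSMODE beside the same object corrected to VERIFY_FULL. The authentication name v_ldap, the host ldap.example.com, the base DN and the bind DN prefix/suffix are constructed placeholders; the step that installs the CA certificate required by TRY_VERIFY and higher is version-specific and is deliberately not shown.

```sql
-- Constructed example: LDAP authentication for Vertica, weak vs. hardened TLSMODE.
-- All names and DNs are placeholders; adjust to your directory.

-- Create the authentication record for clients connecting from any address.
CREATE AUTHENTICATION v_ldap METHOD 'ldap' HOST '0.0.0.0/0';

-- Directory settings: host, search base and how the bind DN is built from the login name.
ALTER AUTHENTICATION v_ldap SET
    host          = 'ldaps://ldap.example.com',
    basedn        = 'dc=example,dc=com',
    binddn_prefix = 'cn=',
    binddn_suffix = ',ou=users,dc=example,dc=com';

-- WEAK: TLS is negotiated, but the server certificate is never checked,
-- so any host that terminates TLS can impersonate the directory.
ALTER AUTHENTICATION v_ldap SET tlsmode = 'ENABLE';

-- ALSO WEAK: TRY_VERIFY and VERIFY_CA still allow a plaintext fallback when
-- the server presents an invalid certificate or no certificate at all.
-- ALTER AUTHENTICATION v_ldap SET tlsmode = 'TRY_VERIFY';

-- HARDENED: require a certificate from a trusted CA whose cn or subjectAltName
-- matches the LDAP host; no plaintext fallback is possible.
-- (Assumption: the CA certificate has already been installed for this Vertica version.)
ALTER AUTHENTICATION v_ldap SET tlsmode = 'VERIFY_FULL';

-- Make the method available to all users.
GRANT AUTHENTICATION v_ldap TO PUBLIC;
```

After applying the hardened setting, confirm that a bind attempt against a host whose certificate does not match the configured name fails rather than silently dropping to plaintext; with ENABLE, TRY_VERIFY or VERIFY_CA that failure mode is not guaranteed.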