
Ident authentication

The Ident protocol, defined in RFC 1413, authenticates a database user with a system user name. To determine whether that system user can log in without specifying a password, you configure Vertica client authentication to query an Ident server. With this feature, the DBADMIN user can run automated scripts to execute tasks on the Vertica server.

Follow the instructions in these topics to install, set up, and configure Ident authentication for your database:

Examples

The following examples show several ways to configure Ident authentication.

Allow system_user1 to connect to the database as Vertica vuser1:

=> CREATE AUTHENTICATION v_ident METHOD 'ident' LOCAL;
=> ALTER AUTHENTICATION v_ident SET system_users='system_user1';
=> GRANT AUTHENTICATION v_ident TO vuser1;
=> ALTER AUTHENTICATION v_ident ENABLE;

Allow system_user1, system_user2, and system_user3 to connect to the database as vuser1. Use colons (:) to separate the user names:

=> CREATE AUTHENTICATION v_ident METHOD 'ident' LOCAL;
=> ALTER AUTHENTICATION v_ident SET system_users='system_user1:system_user2:system_user3';
=> GRANT AUTHENTICATION v_ident TO vuser1;
=> ALTER AUTHENTICATION v_ident ENABLE;

Associate the authentication with Public using a GRANT AUTHENTICATION statement. The users system_user1, system_user2, and system_user3 can now connect to the database as any database user:

=> CREATE AUTHENTICATION v_ident METHOD 'ident' LOCAL;
=> ALTER AUTHENTICATION v_ident SET system_users='system_user1:system_user2:system_user3';
=> GRANT AUTHENTICATION v_ident TO Public;
=> ALTER AUTHENTICATION v_ident ENABLE;

Set the system_users parameter to * to allow any system user to connect to the database as vuser1:

=> CREATE AUTHENTICATION v_ident METHOD 'ident' LOCAL;
=> ALTER AUTHENTICATION v_ident SET system_users='*';
=> GRANT AUTHENTICATION v_ident TO vuser1;
=> ALTER AUTHENTICATION v_ident ENABLE;

Using a GRANT statement, associate the v_ident authentication with Public to allow system_user1 to log into the database as any database user:

=> CREATE AUTHENTICATION v_ident METHOD 'ident' LOCAL;
=> ALTER AUTHENTICATION v_ident SET system_users='system_user1';
=> GRANT AUTHENTICATION v_ident TO Public;
=> ALTER AUTHENTICATION v_ident ENABLE;
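
To see how the settings in these examples combine, the following added example (not Vertica code and not part of the original documentation) parses an RFC 1413 reply and evaluates it against a system_users value and a set of grantees. The function names, the sample replies, and the case-insensitive name comparison are assumptions made for the illustration.

```python
# Added illustration, not Vertica code: models the system_users / GRANT
# semantics shown in the examples above against an RFC 1413 reply.
import re

# RFC 1413 reply: "<port> , <port> : USERID : <opsys> : <user-id>"
#              or "<port> , <port> : ERROR : <error-type>"
_REPLY = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:(.*)$")

# Constructed sample replies (ports and names are made up for the example).
OK_REPLY = "41234 , 5433 : USERID : UNIX : system_user1\r\n"
ERR_REPLY = "41234 , 5433 : ERROR : NO-USER\r\n"

def parse_ident_reply(line):
    """Return the system user from a USERID reply, or None on ERROR/garbage."""
    m = _REPLY.match(line.rstrip("\r\n"))
    if not m or m.group(3) == "ERROR":
        return None
    # Remainder is "<opsys> : <user-id>"; split on the first colon only so a
    # user-id that itself contains ':' is kept whole.
    _opsys, sep, user = m.group(4).partition(":")
    # Daemons pad the colon with a space; stripping it is a choice made here.
    return (user.strip() or None) if sep else None

def ident_allows(system_users, grantees, reply_line, db_user):
    """True if this reply permits a passwordless login as db_user.

    system_users: colon-separated names or '*', as in ALTER AUTHENTICATION.
    grantees: names the record was granted to ('Public' means everyone).
    """
    sys_user = parse_ident_reply(reply_line)
    if sys_user is None:
        return False  # fail closed on ERROR or a malformed reply
    # Assumption: grantee names are compared case-insensitively.
    granted = {g.lower() for g in grantees}
    if "public" not in granted and db_user.lower() not in granted:
        return False  # record is not associated with this database user
    return system_users == "*" or sys_user in system_users.split(":")

def broad_settings(system_users, grantees):
    """Name the two wide-open settings the page's examples demonstrate."""
    notes = []
    if system_users == "*":
        notes.append("any system user accepted")
    if "public" in {g.lower() for g in grantees}:
        notes.append("applies to every database user")
    return notes
```

With the last example's settings, `ident_allows("system_user1", {"Public"}, OK_REPLY, "dbadmin")` returns True, so a record granted to Public merits the same review as one with `system_users='*'`.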

1 - Installing and setting up an Ident server

To use Ident authentication, you must install one or more packages, depending on your operating system, and enable the Ident server on your Vertica server. oidentd is an Ident daemon that is compatible with Vertica and compliant with RFC 1413.

To install and configure Ident authentication for use with your Vertica database, follow the appropriate steps for your operating system:

Red Hat 6.x/CentOS 6.x

Install oidentd on Red Hat 6.x or CentOS 6.x by running this command:

$ yum install oidentd

Depending on your configuration, you might receive the following error message:

No package oidentd available.

In this case, you must install the Red Hat/CentOS Extras Repository. Download and install the Extras Repository from the following location: https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm

Red Hat 7.x/CentOS 7.x

Install an Ident server on Red Hat 7.x or CentOS 7.x by installing the authd and xinetd packages:

$ yum install authd
$ yum install xinetd

Ubuntu/Debian

Install oidentd on Ubuntu or Debian by running this command:

$ sudo apt-get install oidentd

SUSE Linux Enterprise Server

Install the pidentd and xinetd RPMs from the following locations:

Post-installation steps for Red Hat 6.x/CentOS 6.x and Ubuntu/Debian

After you install oidentd on your Red Hat 6.x/CentOS 6.x or Ubuntu/Debian system, continue with the following steps:

  1. Make sure that the Ident server accepts IPv6 connections, to prevent authentication failure. You must enable this capability yourself: in the script /etc/init.d/oidentd, change the line from:

    exec="/usr/sbin/oidentd"
    

    to

    exec="/usr/sbin/oidentd -a ::"
    

    Then, at the Linux prompt, start oidentd with -a ::.

  2. Restart the server with the following command:

    $ /etc/init.d/oidentd restart
    

Post-installation steps for Red Hat 7.x/CentOS 7.x and SUSE Linux Enterprise Server

After you install the required packages on your Red Hat 7.x/CentOS 7.x or SUSE Linux Enterprise Server system, continue with the following steps:

  1. Enable the auth service in the configuration file /etc/xinetd.d/auth.

    Enter no for the disable option, as this sample configuration file shows.

    service auth
    {
            disable = no
            socket_type = stream
            wait = no
            user = ident
            cps = 4096 10
            instances = UNLIMITED
            server = /usr/sbin/in.authd
            server_args = -t60 --xerror --os
    }
    
  2. Restart the xinetd service with the following command:

    $ service xinetd restart
    

2 - Configuring Ident authentication for database users

To configure Ident authentication, take the following steps:

  1. Create an authentication method that uses Ident.

    The Ident server must be installed on the same computer as your database, so specify the keyword LOCAL. Vertica requires that the Ident server and the database always be on the same computer.

    => CREATE AUTHENTICATION v_ident METHOD 'ident' LOCAL;
    
  2. Set the Ident authentication parameters, specifying the system users who should be allowed to connect to your database.

    => ALTER AUTHENTICATION v_ident SET system_users='user1:user2:user3';
    
  3. Associate the authentication method with the Vertica user. Use a GRANT statement that allows the system user user1 to log in using Ident authentication:

    => GRANT AUTHENTICATION v_ident TO user1;