LDAP authentication parameters

There are several parameters that you need to configure for LDAP authentication.

General LDAP parameters

Use the following parameters to configure for either LDAP bind or LDAP bind and search:

Parameter name Description

Parameter name	Description
`host`	LDAP server URL in the following format: `schema``://host:``optional_port` Where `schema` is one of the following: `ldap`: The connection between Vertica and the LDAP server uses plaintext if TLSMODE of LDAPAuth is `DISABLE`. Set TLSMODE to `ENABLE` or higher for StartTLS (LDAP over TLS). `ldaps`: If the TLSMODE of LDAPAuth is `ENABLE` or higher, the connection between Vertica and the LDAP server uses LDAPS.
ldap_continue	When set to yes, this parameter allows a connection retry when a user not found error occurs during the previous connection attempt. For any other failure error, the system automatically retries the connection.
`starttls`	Whether to request the connection between Vertica and the LDAP server during user authentication to be upgraded to TLS. You must configure the LDAPAuth TLS Configuration before using this parameter. `starttls` can be set to one of the following: `soft`: If the server does not support TLS, use a plaintext connection. This value is equivalent to the `-Z` option in `ldapsearch`. If you use `soft`, Vertica ignores the certificate verification policies of the TLSMODE in the `LDAPAuth` TLS configuration. `hard`: If the LDAP server does not support TLS, reject the connection. This value is equivalent to the `-ZZ` in `ldapsearch`. Using `ldaps` is equivalent to `starttls='hard'`. However, if you use them together in the same connection string, authentication fails and the following error appears: `FATAL 2248: Authentication failed for username "<user_name>"` If `starttls` is not set, whether TLS is requested and required depends on the value of the TLSMODE of the LDAPAuth TLS Configuration.

host

LDAP server URL in the following format:

schema://host:optional_port

Where schema is one of the following:

ldap: The connection between Vertica and the LDAP server uses plaintext if TLSMODE of LDAPAuth is DISABLE. Set TLSMODE to ENABLE or higher for StartTLS (LDAP over TLS).
ldaps: If the TLSMODE of LDAPAuth is ENABLE or higher, the connection between Vertica and the LDAP server uses LDAPS.

ldap_continue

When set to yes, this parameter allows a connection retry when a user not found error occurs during the previous connection attempt.

For any other failure error, the system automatically retries the connection.

starttls

Whether to request the connection between Vertica and the LDAP server during user authentication to be upgraded to TLS. You must configure the LDAPAuth TLS Configuration before using this parameter.

starttls can be set to one of the following:

soft: If the server does not support TLS, use a plaintext connection. This value is equivalent to the -Z option in ldapsearch. If you use soft, Vertica ignores the certificate verification policies of the TLSMODE in the LDAPAuth TLS configuration.
hard: If the LDAP server does not support TLS, reject the connection. This value is equivalent to the -ZZ in ldapsearch.

Using ldaps is equivalent to starttls='hard'. However, if you use them together in the same connection string, authentication fails and the following error appears:

FATAL 2248: Authentication failed for username "<user_name>"

If starttls is not set, whether TLS is requested and required depends on the value of the TLSMODE of the LDAPAuth TLS Configuration.

LDAP bind parameters

The following parameters create a bind name string, which specifies and uniquely identifies a user to the LDAP server. For details, see Workflow for configuring LDAP bind.

To create a bind name string, you must set one (and only one) of the following:

Both binddn_prefix and binddn_suffix (must be set together)
domain_prefix
email_suffix

For example, if you set binddn_prefix and binddn_suffix, you cannot also set email_suffix. Conversely, if you set email_suffix, you cannot set binddn_prefix and binddn_suffix.

If you do not set a bind parameter, Vertica performs bind and search operations instead of a bind operation.

The following examples use the authentication record v_ldap:

=> CREATE AUTHENTICATION v_ldap METHOD 'ldap' HOST '10.0.0.0/23';

Parameter name	Description
`binddn_prefix`	First half of the bind string. If you set this parameter, you must also set `binddn_suffix`. For example, to construct the bind name **`cn=exampleusername,cn=Users,dc=ExampleDomain,dc=com`: `=> ALTER AUTHENTICATION v_ldap SET binddn_prefix='cn=', binddn_suffix=',cn=Users,dc=ExampleDomain,dc=com';`
`binddn_suffix`	Second half of bind string. If you set this parameter, you must also set `binddn_prefix`. For example, to construct the bind name `cn=exampleusername,ou=ExampleUsers,dc=example,dc=com`**: `=> ALTER AUTHENTICATION v_ldap SET binddn_prefix='cn=', binddn_suffix=',ou=OrgUsers,dc=example,dc=com';`
`domain_prefix`	The domain that contains the user. For example, to construct the bind name **`Example\exampleusername`: `=> ALTER AUTHENTICATION v_ldap SET domain_prefix='Example';`
`email_suffix`	The email domain. For example, to construct the bind name `exampleusername@example.com`** `=> ALTER AUTHENTICATION v_ldap SET email_suffix='example.com';`

LDAP search and bind parameters

Use the following parameters when authenticating with LDAP search and bind. For more information see Workflow for configuring LDAP search and bind.

Parameter name	Description
`basedn`	Base DN for search.
`binddn`	Bind DN. Domain name to find in the directory search.
`bind_password`	Bind password. Required if you specify a binddn.
`search_attribute`	Optional attribute to search for on the LDAP server.

The following example shows how to set these three attributes. In this example, it sets

binddn to cn=Manager,dc=example,dc=com
bind_password to secret
search_attribute to cn

=> ALTER AUTHENTICATION auth_method_name SET host='ldap://example13',
basedn='dc=example,dc=com',binddn='cn=Manager,dc=example,dc=com',
bind_password='secret',search_attribute='cn';

The binddn and bind_password parameters are optional. If you omit them, Vertica performs an anonymous search.