LDAP link parameters

Use LDAP Link parameters to determine:.

Use LDAP Link parameters to determine:

LDAP Link operations, such as enabling or disabling LDAP Link and how often to perform replication
Authentication parameters, including SSL authentication parameters
Users and groups that inherit unowned objects
How to resolve conflicts

To configure TLS for LDAP Link, see TLS for LDAP link.

Set LDAP link parameters

This example shows how you can set:

LDAPLinkURL, the URL of the LDAP server.
LDAPLinkSearchBase, the base DN from which to start replication.

You also see how to set the LDAP Link Bind authentication parameters (LDAPLinkBindDN and LDAPLinkBindPswd) and enables LDAP Link (LDAPLinkOn).

=> ALTER DATABASE myDB1 SET PARAMETER LDAPLinkURL='ldap://10.60.55.128',
LDAPLinkSearchBase='dc=corp,dc=com',LDAPLinkBindDN='dc=corp,dc=com',LDAPLinkBindPswd='password';

=> ALTER DATABASE myDB1 SET PARAMETER LDAPLinkOn = '1';

General and connection parameters

Parameter	Description
`LDAPLinkOn`	Enables or disables LDAP Link. Valid Values: 0—LDAP Link disabled 1—LDAP Link enabled Default: 0
`LDAPLinkURL`	The LDAP server URL. To use a plaintext connection between Vertica and the LDAP server, begin the `LDAPLinkURL` with `ldap://` and set the TLSMODE of LDAPLink to `DISABLE`. To use StartTLS, begin the `LDAPLinkURL` with `ldap://` and set the TLSMODE of `LDAPLink` to `ENABLE` or higher. To use LDAPS, begin the `LDAPLinkURL` with `ldaps://` and set the TLSMODE of `LDAPLink` to `ENABLE` or higher. Example: `=> SET PARAMETER LDAPLinkURL='ldap://example.dc.com';`
`LDAPLinkInterval`	The time interval, in seconds, by which the LDAP Server and Vertica server synchronize. Default: 86400 (one day).
`LDAPLinkFirstInterval`	The first interval, in seconds, for LDAP/Vertica synchronization after the clerk node joins the cluster. Default: 120
`LDAPLinkRetryInterval`	The time, in seconds, the system waits to retry a failed synchronization. Default: 10
`LDAPLinkRetryNumber`	The number of retry attempts if synchronization failed. Default: 10.
`LDAPLinkSearchBase`	The base `dn` from where to start replication. Example: `=> SET PARAMETER LDAPLinkSearchBase='ou=vertica,dc=mycompany,dc=com';` Vertica recommends using a separate OU for database users.
`LDAPLinkSearchTimeout`	The timeout length, in seconds, for the LDAP search operation during an LDAP Link Service run. Default: 10
`LDAPLinkScope`	Indicates what dn level to replicate. Valid Values: sub—Replicate entire subtree under baseDN one—Replicate to one level under baseDN base —Replicate only the baseDN level If you decrease the scope (for example, `sub` to `one`), some users may not be recognized during the next synchronization. Default: `sub`
`LDAPLinkFilterUser`	Determines how to filter users to be replicated. Default: "(objectClass=inetOrgPerson)"
`LDAPLinkFilterGroup`	Determines how to filter groups to be replicated. Default: "(objectClass=groupofnames)"
`LDAPLinkGroupName`	[Optional] The LDAP field to use when creating a role name in Vertica. Default: `cn`
`LDAPLinkGroupMembers`	The LDAP group that identifies the members of an LDAP group. This attribute returns a Fully Qualified Domain Name (FQDN). Default: `member`
`LDAPLinkUserName`	The LDAP field to use when creating a user name in Vertica. Default: `uid`
`LDAPLinkJoinAttr`	Specifies the attribute on which you want to join to assign users to their roles. Default: `dn` Example: POSIX groups associate users and groups with the `uid` attribute instead of `dn`. `=> SET PARAMETER LDAPLinkJoinAttr='uid';`

Authentication parameters

Parameter Description

Parameter	Description
`LDAPLinkBindDN`	The LDAP Bind DN used for authentication. Example: `=> SET PARAMETER LDAPLinkBindDN='CN=amir,OU=QA,DC=dc,DC=com';`
`LDAPLinkBindPswd`	The valid password for the LDAP Bind DN to access the server. Only accessible by the dbadmin user. Example: `=> SET PARAMETER LDAPLinkBindPswd='password';`

LDAPLinkBindDN

The LDAP Bind DN used for authentication.

Example:

=> SET PARAMETER LDAPLinkBindDN='CN=amir,OU=QA,DC=dc,DC=com';

LDAPLinkBindPswd

The valid password for the LDAP Bind DN to access the server. Only accessible by the dbadmin user.

Example:

=> SET PARAMETER LDAPLinkBindPswd='password';

Miscellaneous parameters

Parameter	Description
`LDAPLinkConflictPolicy`	Determines how to resolve a user conflict. Valid Values: IGNORE—Ignores the incoming LDAP user and maintains the existing Vertica user. MERGE—Converts the existing user to an LDAP user. Default: MERGE
`LDAPLinkStopIfZeroUsers`	Enables or disables the shutdown of LDAPLink synchronization if no users are found in LDAP. Valid values: 0 - Disables the LDAPLink synchronization shutdown if no users are found. This may lead to inadvertent dropping of Vertica users. 1 - Enables the LDAPLink synchronization shutdown if no users are found. This prevents inadvertent dropping of Vertica users.
`LDAPLinkDryRun`	[Optional] Tests the connection to the LDAP server and logs the response without doing a synchronization. Also tests if parameters are correctly set. Note that this parameter is not the preferred dry run method. Instead, the LDAP_Link_Dryrun family of meta-functions provides more granular control over configurations and is the preferred way to perform LDAP Link dry runs. Valid Values: 0 - Disables LDAPLinkDryRun 1 - Enables LDAPLinkDryRun Default: 0
`LDAPLinkConfigFile`	[Optional] If this parameter is set with the path to a .LDIF file, the LDAP Link service will use the file as the source tree instead of connecting to the LDAP server.

See Managing configuration parameters: VSQL for information on setting LDAP Link parameters.

Note

When you change any Connection or Authentication parameter, LDAP Link reconnects and re-initializes the synchronization.