Using LDAP link
When you use LDAP Link, the following are directly affected by, and help you manage and monitor, the synchronization between LDAP Link and the Vertica Analytic Database:
- User and group management
- LDAP Link user flag
- Blocked commands
- Client authentication types
To cancel an in-progress synchronization, call LDAP_LINK_SYNC_CANCEL.
User and group management
Users and groups created on the LDAP server have a specific relationship with the users and roles replicated to the Vertica server:
- The user-group relationship on the LDAP server is preserved when those users and groups (roles) are synchronized with Vertica Analytic Database.
- If a user or group with a given name already exists in the Vertica database and a user or group with the same name is synchronized from the LDAP server through LDAP Link, the two become conflicted: Vertica cannot have multiple users with the same name. To resolve this, see User Conflicts.
- If the LDAP server contains a circular group relationship, Vertica accepts and creates roles for the first non-circular part of the relationship returned by the LDAP server and ignores the rest. For example, suppose the LDAP server contains groups A and B, where A contains B and B contains A, creating a circular relationship. If the LDAP server first returns that A contains B, Vertica creates roles A and B and grants role A to role B. Vertica then ignores the fact that group B also contains A.
LDAP Link uses the dn: attribute of the LDAP entry as the unique identifier of a user when synchronizing that user to the Vertica Analytic Database:
dn: cn=user1,ou=dev,dc=example,dc=com
cn: user1
ou: dev
uid: user1
The uid: attribute of the entry is the LDAP user name and becomes the Vertica user name.
Upon synchronization, the dn: entry is mapped to the uid: to identify the Vertica Analytic Database user. Changing one attribute or the other has different consequences:
- If you change the dn: (for example, by moving the entry to another organizational unit) and do not change the uid:, LDAP Link treats the entry as a new user on the next synchronization. The existing Vertica Analytic Database user with that uid: is deleted and a new Vertica Analytic Database user is created, so privileges granted to the old user inside Vertica do not carry over.
- If you change the uid: and not the dn: on the LDAP server, the uid of the existing Vertica Analytic Database user is updated to the new value. Because the dn: did not change, LDAP Link does not treat the entry as a new user.
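The dn/uid rules and the circular-group rule above are easy to get wrong when planning an LDAP reorganization, so here is an added example (not Vertica's own code, and not part of this page originally) that models them in Python: users are keyed on dn, a uid change renames, a dn change drops and recreates, a name clash with a local user is a conflict, and a group grant that would close a cycle is skipped. The VerticaUser class, sync_users, sync_groups, run_demo, and the sample users and LDAP entries are assumptions constructed for this illustration; it also assumes, from the is_orphaned_from_ldap column in vs_users, that an LDAP user whose entry has disappeared is flagged rather than deleted, which this page does not state.

```python
# Added example (not Vertica's own code): a model of the LDAP Link synchronization rules
# described above. Helper names, classes and sample data are assumptions for illustration.
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class VerticaUser:
    user_name: str                       # taken from uid: on synchronization
    ldap_dn: str | None = None           # None for users created locally with CREATE USER
    roles: set[str] = field(default_factory=set)
    is_orphaned_from_ldap: bool = False

def sync_users(db: dict[str, VerticaUser], entries: list[dict[str, str]]) -> dict[str, list]:
    """Apply LDAP entries ({'dn': ..., 'uid': ...}) to db (user_name -> VerticaUser), keyed on dn."""
    report = {k: [] for k in ("created", "deleted", "renamed", "conflicts", "orphaned")}
    by_dn = {u.ldap_dn: u for u in db.values() if u.ldap_dn}
    seen_dns = set()
    for entry in entries:
        dn, uid = entry["dn"], entry["uid"]
        seen_dns.add(dn)
        existing = by_dn.get(dn)
        if existing is not None:             # same dn: same user, a new uid only renames it
            if existing.user_name != uid:
                if uid in db:                # the new name is already taken
                    report["conflicts"].append(uid)
                    continue
                del db[existing.user_name]
                report["renamed"].append((existing.user_name, uid))
                existing.user_name = uid
                db[uid] = existing
            continue
        clash = db.get(uid)
        if clash is not None and clash.ldap_dn is None:
            report["conflicts"].append(uid)  # a local (non-LDAP) user owns this name
            continue
        if clash is not None:                # same uid, different dn: the old user is
            del db[uid]                      # dropped, and its roles with it
            by_dn.pop(clash.ldap_dn, None)
            report["deleted"].append(uid)
        db[uid] = by_dn[dn] = VerticaUser(uid, dn)
        report["created"].append(uid)
    for user in db.values():                 # assumption: users whose dn vanished are
        if user.ldap_dn and user.ldap_dn not in seen_dns:   # flagged, not deleted
            user.is_orphaned_from_ldap = True
            report["orphaned"].append(user.user_name)
    return report

def sync_groups(groups: list[tuple[str, list[str]]]):
    """groups: (group, [member groups]) in the order the LDAP server returns them.
    (A, B) stands for GRANT A TO B (A contains B); a grant that closes a cycle is skipped."""
    holds: dict[str, set[str]] = {}          # role -> roles granted directly to it
    grants, skipped = [], []

    def holds_transitively(role, target):
        stack, seen = [role], set()
        while stack:
            current = stack.pop()
            if current == target:
                return True
            if current not in seen:
                seen.add(current)
                stack.extend(holds.get(current, ()))
        return False

    for group, members in groups:
        holds.setdefault(group, set())
        for member in members:
            holds.setdefault(member, set())
            if holds_transitively(group, member):   # group already inherits member: cycle
                skipped.append((group, member))
            else:
                holds[member].add(group)
                grants.append((group, member))
    return grants, skipped

SAMPLE_ENTRIES = [                           # constructed entries returned by the server
    {"dn": "cn=user1,ou=ops,dc=example,dc=com", "uid": "user1"},   # dn changed, uid kept
    {"dn": "cn=bob,ou=dev,dc=example,dc=com", "uid": "robert"},    # uid changed, dn kept
    {"dn": "cn=alice,ou=dev,dc=example,dc=com", "uid": "alice"},   # clashes with local alice
    {"dn": "cn=carol,ou=dev,dc=example,dc=com", "uid": "carol"},   # new user
]

def run_demo():
    db = {                                   # constructed snapshot before the re-sync
        "alice": VerticaUser("alice"),       # local user, no ldap_dn
        "user1": VerticaUser("user1", "cn=user1,ou=dev,dc=example,dc=com", {"dev"}),
        "bob": VerticaUser("bob", "cn=bob,ou=dev,dc=example,dc=com", {"dev"}),
        "dave": VerticaUser("dave", "cn=dave,ou=dev,dc=example,dc=com", {"dev"}),
    }
    return db, sync_users(db, SAMPLE_ENTRIES), sync_groups([("A", ["B"]), ("B", ["A"])])

if __name__ == "__main__":
    db, report, (grants, skipped) = run_demo()
    print(report, grants, skipped)
```

Running run_demo shows the point that matters operationally: user1, whose dn moved from ou=dev to ou=ops, comes back with an empty role set because it is a new user object, while bob keeps its roles under the new name robert. Check the report before a real re-synchronization if you are about to move entries between organizational units.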
LDAP link user flag
As a dbadmin user, you can query the vs_users table to monitor user behavior on the Vertica Analytic Database. The table contains an ldap_dn field that identifies whether the Vertica Analytic Database user is also an LDAP Link user. This example shows the ldap_dn field set to dn, indicating that the Vertica Analytic Database user is also an LDAP Link user:
=> SELECT * FROM vs_users;
-[ RECORD 1 ]---------+--------------------------------------------------
user_id | 45035996273704962
user_name | dbadmin
is_super_user | t
profile_name | default
is_locked | f
lock_time |
resource_pool | general
memory_cap_kb | unlimited
temp_space_cap_kb | unlimited
run_time_cap | unlimited
max_connections | unlimited
connection_limit_mode | database
idle_session_timeout | unlimited
all_roles | dbduser*, dbadmin*, pseudosuperuser*
default_roles | dbduser*, dbadmin*, pseudosuperuser*
search_path |
ldap_dn | dn
ldap_uri_hash | 0
is_orphaned_from_ldap | f
Blocked commands
Be aware that the following SQL statements are blocked for Vertica users whose ldap_dn field in the vs_users table is set to dn:
- ALTER ROLE
- ALTER USER name IDENTIFIED BY 'password' [REPLACE 'old_password']
- ALTER USER name PASSWORD EXPIRE
- ALTER USER name PROFILE
- ALTER USER name SECURITY_ALGORITHM ...
- ALTER USER name DEFAULT ROLE role-name
- GRANT (Role)
Client authentication types
LDAP users and groups cannot log in to Vertica unless a client authentication method is assigned to the user or group. The following authentication types are valid for LDAP users and groups:
- GSS
- Ident
- LDAP
- Reject
- Trust
Trust performs no authentication of its own, so if you assign it to LDAP-synchronized users, restrict it to the specific hosts that require it.