Ident authentication

The Ident protocol, defined in RFC 1413, authenticates a database user with a system user name.To see if that system user can log in without specifying a password, you configure Vertica client authentication to query an Ident server.

1: Installing and setting up an ident server
2: Configuring ident authentication for database users

The Ident protocol, defined in RFC 1413, authenticates a database user with a system user name.To see if that system user can log in without specifying a password, you configure Vertica client authentication to query an Ident server. With this feature, the DBADMIN user can run automated scripts to execute tasks on the Vertica server.

Caution

Ident responses can be easily spoofed by untrusted servers. Use Ident authentication only on local connections, where the Ident server is installed on the same computer as the Vertica database server.

Following the instructions in these topics to install, set up, and configure Ident authentication for your database:

Examples

The following examples show several ways to configure Ident authentication.

Allow system_user1 to connect to the database as Vertica vuser1:

=> CREATE AUTHENTICATION v_ident METHOD 'ident' LOCAL;
=> ALTER AUTHENTICATION v_ident SET system_users='system_user1';
=> GRANT AUTHENTICATION v_ident to vuser1;
=> ALTER AUTHENTICATION v_ident ENABLE;

Allow system_user1, system_user2, and system_user3 to connect to the database as vuser1. Use colons (:) to separate the user names:

=> CREATE AUTHENTICATION v_ident METHOD 'ident' LOCAL;
=> ALTER AUTHENTICATION v_ident SET system_users='system_user1:system_user2:system_user3';
=> GRANT AUTHENTICATION v_ident TO vuser1;
=> ALTER AUTHENTICATION v_ident ENABLE;

Associate the authentication with Public using a GRANT AUTHENTICATION statement. The users, system_user1, system_user2, and system_user3 can now connect to the database as any database user:

=> CREATE AUTHENTICATION v_ident METHOD 'ident' LOCAL;
=> ALTER AUTHENTICATION v_ident SET system_users='system_user1:system_user2:system_user3';
=> GRANT AUTHENTICATION v_ident to Public;
=> ALTER AUTHENTICATION v_ident ENABLE;

Set the system_users parameter to * to allow any system user to connect to the database as vuser1:

=> CREATE AUTHENTICATION v_ident METHOD 'ident' LOCAL;
=> ALTER AUTHENTICATION v_ident SET system_users='*';
=> GRANT AUTHENTICATION v_ident TO vuser1;
=> ALTER AUTHENTICATION v_ident ENABLE;

Using a GRANT statement, associate the v_ident authentication with Public to allow system_user1 to log into the database as any database user:

=> CREATE AUTHENTICATION v_ident METHOD 'ident' LOCAL;
=> ALTER AUTHENTICATION v_ident SET system_users='system_user1';
=> GRANT AUTHENTICATION v_ident to Public;
=> ALTER AUTHENTICATION v_ident ENABLE;

1 - Installing and setting up an ident server

To use Ident authentication, you must install one or more packages, depending on your operating system, and enable the Ident server on your Vertica server.

To use Ident authentication, you must install one or more packages, depending on your operating system, and enable the Ident server on your Vertica server. oidentd is an Ident daemon that is compatible with Vertica and compliant with RFC 1413.

Note

You can find the source code and installation instructions for oidentd at the oidentd website.

To install and configure Ident authentication for use with your Vertica database, follow the appropriate steps for your operating system.

Red hat 7.x/CentOS 7.x

Install an Ident server on Red Hat 7.x or CentOS 7.x by installing the authd and xinetd packages:

$ yum install authd
$ yum install xinetd

Ubuntu/debian

Install oidentd on Ubuntu or Debian by running this command:

$ sudo apt-get install oidentd

SUSE Linux enterprise server

Install the pidentd and xinetd RPMs from the following locations:

Post-installation steps for ubuntu/debian

After you install oidentd on your Ubuntu/Debian system, continue with the following steps:

Verify that the Ident server accepts IPv6 connections to prevent authentication failure. To do so, you must enable this capability. In the script /etc/init.d/oidentd, change the line from:
```
exec="/usr/sbin/oidentd"
```
to
```
exec="/usr/sbin/oidentd -a ::"
```
Then, at the Linux prompt, start oidentd with -a ::.
Restart the server with the following command:
```
$ /etc/init.d/oidentd restart
```

Post-installation steps for red hat 7.x/CentOS 7.x and SUSE Linux enterprise server

After you install the required packages on your Red Hat 7.x/CentOS 7.x or SUSE Linux Enterprise Server system, continue with the following steps:

Enable the auth service by setting disable = no in the configuration file /etc/xinetd.d/auth. If this file does not exist, create it. The following is a sample configuration file:

service auth
{
        disable = no
        socket_type = stream
        wait = no
        user = ident
        cps = 4096 10
        instances = UNLIMITED
        server = /usr/sbin/in.authd
        server_args = -t60 --xerror --os
}

Restart the xinetd service with the following command:
```
$ service xinetd restart
```

2 - Configuring ident authentication for database users

To configure Ident authentication, take the following steps:.

To configure Ident authentication, take the following steps:

Create an authentication method that uses Ident.

The Ident server must be installed on the same computer as your database, so specify the keyword LOCAL. Vertica requires that the Ident server and database always be on the same computer as the database.
```
=> CREATE AUTHENTICATION v_ident METHOD 'ident' LOCAL;
```
Set the Ident authentication parameters, specifying the system users who should be allowed to connect to your database.
```
=> ALTER AUTHENTICATION v_ident SET system_users='user1:user2:user3';
```
Associate the authentication method with the Vertica user. Use a GRANT statement that allows the system user user1 to log in using Ident authentication:
```
=> GRANT AUTHENTICATION v_ident TO user1;
```