LDAP link parameters

Use LDAP Link parameters to determine:.

Use LDAP Link parameters to determine:

  • LDAP Link operations, such as enabling or disabling LDAP Link and how often to perform replication

  • Authentication parameters, including SSL authentication parameters

  • Users and groups that inherit unowned objects

  • How to resolve conflicts

To configure TLS for LDAP Link, see TLS for LDAP link.

This example shows how you can set:

  • LDAPLinkURL, the URL of the LDAP server.

  • LDAPLinkSearchBase, the base DN from which to start replication.

You also see how to set the LDAP Link Bind authentication parameters (LDAPLinkBindDN and LDAPLinkBindPswd) and enables LDAP Link (LDAPLinkOn).

=> ALTER DATABASE myDB1 SET PARAMETER LDAPLinkURL='ldap://10.60.55.128',
LDAPLinkSearchBase='dc=corp,dc=com',LDAPLinkBindDN='dc=corp,dc=com',LDAPLinkBindPswd='password';

=> ALTER DATABASE myDB1 SET PARAMETER LDAPLinkOn = '1';

General and connection parameters

Parameter Description
LDAPLinkOn

Enables or disables LDAP Link.

Valid Values:

0—LDAP Link disabled

1—LDAP Link enabled

Default: 0

LDAPLinkURL

The LDAP server URL.

To use a plaintext connection between Vertica and the LDAP server, begin the LDAPLinkURL with ldap:// and set the TLSMODE of LDAPLink to DISABLE.

To use StartTLS, begin the LDAPLinkURL with ldap:// and set the TLSMODE of LDAPLink to ENABLE or higher.

To use LDAPS, begin the LDAPLinkURL with ldaps:// and set the TLSMODE of LDAPLink to ENABLE or higher.

Example:

=> SET PARAMETER LDAPLinkURL='ldap://example.dc.com';

LDAPLinkInterval

The time interval, in seconds, by which the LDAP Server and Vertica server synchronize.

Default: 86400 (one day).

LDAPLinkFirstInterval

The first interval, in seconds, for LDAP/Vertica synchronization after the clerk node joins the cluster.

Default: 120

LDAPLinkRetryInterval

The time, in seconds, the system waits to retry a failed synchronization.

Default: 10

LDAPLinkRetryNumber

The number of retry attempts if synchronization failed.

Default: 10.

LDAPLinkSearchBase

The base dn from where to start replication.

Example:

=> SET PARAMETER LDAPLinkSearchBase='ou=vertica,dc=mycompany,dc=com';

Vertica recommends using a separate OU for database users.

LDAPLinkSearchTimeout

The timeout length, in seconds, for the LDAP search operation during an LDAP Link Service run.

Default: 10

LDAPLinkScope

Indicates what dn level to replicate.

Valid Values:

  • sub—Replicate entire subtree under baseDN

  • one—Replicate to one level under baseDN

  • base —Replicate only the baseDN level

If you decrease the scope (for example, sub to one), some users may not be recognized during the next synchronization.

Default: sub

LDAPLinkFilterUser

Determines how to filter users to be replicated.

Default: "(objectClass=inetOrgPerson)"

LDAPLinkFilterGroup

Determines how to filter groups to be replicated.

Default: "(objectClass=groupofnames)"

LDAPLinkGroupName

[Optional] The LDAP field to use when creating a role name in Vertica.

Default: cn

LDAPLinkGroupMembers

The LDAP group that identifies the members of an LDAP group. This attribute returns a Fully Qualified Domain Name (FQDN).

Default: member

LDAPLinkUserName

The LDAP field to use when creating a user name in Vertica.

Default: uid

LDAPLinkJoinAttr

Specifies the attribute on which you want to join to assign users to their roles.

Default: dn

Example:

POSIX groups associate users and groups with the uid attribute instead of dn.

=> SET PARAMETER LDAPLinkJoinAttr='uid';

LDAPLinkAddRolesAsDefault

Specifies whether the users synchronized through LDAP Link should have their groups set as default roles. If LDAPLinkAddRolesAsDefault is disabled (default), then the users are granted their groups as non-default roles, which must be manually enabled with SET ROLE.

Default: 0 (disabled)

Example:

To enable:

=> ALTER DATABASE DEFAULT SET LDAPLinkAddRolesAsDefault = 1;

To disable:

=> ALTER DATABASE DEFAULT SET LDAPLinkAddRolesAsDefault = 0;

Authentication parameters

Parameter Description
LDAPLinkBindDN

The LDAP Bind DN used for authentication.

Example:

=> SET PARAMETER LDAPLinkBindDN='CN=amir,OU=QA,DC=dc,DC=com';

LDAPLinkBindPswd

The valid password for the LDAP Bind DN to access the server. Only accessible by the dbadmin user.

Example:

=> SET PARAMETER LDAPLinkBindPswd='password';

Miscellaneous parameters

Parameter Description
LDAPLinkConflictPolicy

Determines how to resolve a user conflict.

Valid Values:

IGNORE—Ignores the incoming LDAP user and maintains the existing Vertica user.

MERGE—Converts the existing user to an LDAP user.

Default: MERGE

LDAPLinkStopIfZeroUsers

Enables or disables the shutdown of LDAPLink synchronization if no users are found in LDAP.

Valid values:

0 - Disables the LDAPLink synchronization shutdown if no users are found. This may lead to inadvertent dropping of Vertica users.

1 - Enables the LDAPLink synchronization shutdown if no users are found. This prevents inadvertent dropping of Vertica users.

LDAPLinkDryRun

[Optional] Tests the connection to the LDAP server and logs the response without doing a synchronization. Also tests if parameters are correctly set.

Note that this parameter is not the preferred dry run method. Instead, the LDAP_Link_Dryrun family of meta-functions provides more granular control over configurations and is the preferred way to perform LDAP Link dry runs.

Valid Values:

0 - Disables LDAPLinkDryRun

1 - Enables LDAPLinkDryRun

Default: 0

LDAPLinkConfigFile [Optional] If this parameter is set with the path to a .LDIF file, the LDAP Link service will use the file as the source tree instead of connecting to the LDAP server.

See Configuration parameter management for information on setting LDAP Link parameters.