LDAP link service
LDAP Link enables synchronization between the LDAP and Vertica servers. This eliminates the need for you to manage two sets of users and groups or roles, one on the LDAP server and another on the Vertica server. With LDAP synchronization, the Vertica server becomes a replication database for the LDAP server.
Note
Users created by the LDAP Link service are compatible with native Vertica roles and do not require LDAP roles for functions like column access policies.
Automatic synchronization
With LDAP Link, the Vertica server integrates closely with an existing directory service such as MS Active Directory or OpenLDAP. The Vertica server automatically synchronizes:
- LDAP users to Vertica users
- LDAP groups to Vertica roles
You manage all user and group properties in the LDAP server. As the Vertica database administrator, you need only set up permissions for Vertica Analytic Database access for those users and groups.
Configure LDAP Link with LDAP Link connection parameters that reside in the catalog. See General and Connection Parameters for more information.
Configure LDAP link with dry runs
The LDAP Link dry run meta-functions allow you to configure the service in discrete stages before making any changes to your database. These stages are:
- LDAP Link Bind: Establishing a connection between the LDAP server and the Vertica database
- LDAP Link Search: Searching the LDAP server for users and groups
- LDAP Link Sync: Mapping LDAP users and groups to their equivalents in Vertica
Query the system table LDAP_LINK_DRYRUN_EVENTS to view the results of each dry run.
For more information on dry runs and configuring LDAP Link, see Configuring LDAP link with dry runs.
Enable LDAP link
Enable LDAP Link as shown:
=> ALTER DATABASE dbname SET PARAMETER LDAPLinkURL='ldap://example.dc.com',
     LDAPLinkSearchBase='dc=DC,dc=com', LDAPLinkBindDN='CN=jsmith,OU=QA,DC=dc,DC=com',
     LDAPLinkBindPswd='password', LDAPLinkFilterUser='(objectClass=inetOrgPerson)',
     LDAPLinkFilterGroup='(objectClass=group)', LDAPLinkOn=1;
=> SELECT ldap_link_sync_start();
See LDAP link parameters.
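The following vsql session is an added example, not code from the Vertica documentation or product. It ties together the dry-run stages and the enable step described above: bind to the directory as a dry run, read the result from LDAP_LINK_DRYRUN_EVENTS, and only then persist the parameters, start a sync, and confirm which database users and roles now come from the directory. The host ldaps://ldap.example.com, the bind DN, the search base, the group names and the bind-password placeholder are all constructed; the argument order of LDAP_LINK_DRYRUN_SEARCH, the parameter name LDAPLinkInterval, the columns event_type, entry_name, description and event_timestamp in the two event tables, and the ldap_uri and ldap_dn columns of the USERS table are assumed from the Vertica documentation rather than taken from this page.

```sql
-- Stage 1 (dry run): can Vertica reach the directory and bind as the sync account?
-- Nothing in the catalog changes; the outcome is written to LDAP_LINK_DRYRUN_EVENTS.
-- ldaps:// keeps the bind credentials and directory contents off the wire; plain
-- ldap:// sends them in clear text.
SELECT LDAP_LINK_DRYRUN_CONNECT(
    'ldaps://ldap.example.com',                                -- constructed host
    'cn=vertica-sync,ou=ServiceAccounts,dc=example,dc=com',    -- read-only service account
    'REDACTED_BIND_PASSWORD'                                   -- placeholder, not a real secret
);

-- Stage 2 (dry run): does the search base plus filters return the people and groups
-- you expect, and nothing else? The user filter decides who gets a database account,
-- so narrow it (here: members of one directory group; memberOf is assumed to be
-- exposed by the directory, as Active Directory does). Argument order assumed.
SELECT LDAP_LINK_DRYRUN_SEARCH(
    'ldaps://ldap.example.com',
    'cn=vertica-sync,ou=ServiceAccounts,dc=example,dc=com',
    'REDACTED_BIND_PASSWORD',
    'dc=example,dc=com',                                                          -- search base
    '(&(objectClass=inetOrgPerson)(memberOf=cn=vertica-users,ou=Groups,dc=example,dc=com))',
    '(&(objectClass=groupOfNames)(cn=vertica-*))',                                -- group filter
    'uid',                                                                        -- user-name attribute
    'cn',                                                                         -- group-name attribute
    'member'                                                                      -- group-membership attribute
);

-- Review both dry runs before touching the catalog. Anything other than a clean
-- bind, or an unexpectedly long list of matched entries, means the filters need work.
SELECT event_timestamp, event_type, entry_name, description
FROM   ldap_link_dryrun_events
ORDER  BY event_timestamp DESC;

-- Only once the dry runs look right: store the same values as parameters and enable
-- the service. The bind password is kept in the database catalog, which is one more
-- reason the sync account should be read-only in the directory.
ALTER DATABASE dbname SET PARAMETER
    LDAPLinkURL='ldaps://ldap.example.com',
    LDAPLinkSearchBase='dc=example,dc=com',
    LDAPLinkBindDN='cn=vertica-sync,ou=ServiceAccounts,dc=example,dc=com',
    LDAPLinkBindPswd='REDACTED_BIND_PASSWORD',
    LDAPLinkFilterUser='(&(objectClass=inetOrgPerson)(memberOf=cn=vertica-users,ou=Groups,dc=example,dc=com))',
    LDAPLinkFilterGroup='(&(objectClass=groupOfNames)(cn=vertica-*))',
    LDAPLinkInterval=3600,    -- seconds between automatic syncs (parameter name assumed)
    LDAPLinkOn=1;

-- Run the first synchronization now rather than waiting for the interval.
SELECT LDAP_LINK_SYNC_START();

-- Verify: which database users were created from the directory, and from which DN?
-- (ldap_uri / ldap_dn columns assumed.)
SELECT user_name, ldap_uri, ldap_dn
FROM   v_catalog.users
WHERE  ldap_uri IS NOT NULL;

-- What the sync actually did: users and roles created or dropped, and any errors.
SELECT event_timestamp, event_type, entry_name, description
FROM   ldap_link_events
ORDER  BY event_timestamp DESC;

-- Privileges stay in Vertica and attach to the role that mirrors the LDAP group,
-- so adding or removing a person in the directory is all that changes their access.
-- (Schema and group name constructed.)
GRANT USAGE ON SCHEMA reporting TO "vertica-analysts";
GRANT SELECT ON ALL TABLES IN SCHEMA reporting TO "vertica-analysts";
```

The point of running the search dry run before enabling the service is that the user filter is the access-control boundary: every entry it matches becomes a login-capable database user, so it is worth confirming the matched set against the directory before LDAPLinkOn=1 creates them.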
LDAP link workflow
After you enable LDAP Link, synchronization occurs according to this workflow:
- The System Administrator creates users and user groups on the LDAP server.
- The System Administrator sets up LDAP Link service parameters as required and enables the service.
- Using the LDAP Link service, Vertica Analytic Database replicates the users and user groups from the Application LDAP to the Vertica database, creating Vertica users and roles.
- The LDAP server uses Kerberos (KDC) to authenticate the user logging in to Vertica.
- The LDAP user can log in to Vertica if assigned the appropriate authentication type.
- Once the users exist in Vertica, you grant them privileges directly with GRANT statements or through the role that corresponds to their group.
-