LDAP link parameters

Use LDAP Link parameters to determine:.

Use LDAP Link parameters to determine:

LDAP Link operations, such as enabling or disabling LDAP Link and how often to perform replication
Authentication parameters, including SSL authentication parameters
Users and groups that inherit unowned objects
How to resolve conflicts

To configure TLS for LDAP Link, see TLS for LDAP link.

Set LDAP link parameters

This example shows how you can set:

LDAPLinkURL, the URL of the LDAP server.
LDAPLinkSearchBase, the base DN from which to start replication.

You also see how to set the LDAP Link Bind authentication parameters (LDAPLinkBindDN and LDAPLinkBindPswd) and enables LDAP Link (LDAPLinkOn).

=> ALTER DATABASE myDB1 SET PARAMETER LDAPLinkURL='ldap://10.60.55.128',
LDAPLinkSearchBase='dc=corp,dc=com',LDAPLinkBindDN='dc=corp,dc=com',LDAPLinkBindPswd='password';

=> ALTER DATABASE myDB1 SET PARAMETER LDAPLinkOn = '1';

General and connection parameters

Parameter	Description
`LDAPLinkOn`	Enables or disables LDAP Link. Valid Values: 0—LDAP Link disabled 1—LDAP Link enabled Default: 0
`LDAPLinkURL`	The LDAP server URL. To use a plaintext connection between Vertica and the LDAP server, begin the `LDAPLinkURL` with `ldap://` and set the TLSMODE of LDAPLink to `DISABLE`. To use StartTLS, begin the `LDAPLinkURL` with `ldap://` and set the TLSMODE of `LDAPLink` to `ENABLE` or higher. To use LDAPS, begin the `LDAPLinkURL` with `ldaps://` and set the TLSMODE of `LDAPLink` to `ENABLE` or higher. Example: `=> SET PARAMETER LDAPLinkURL='ldap://example.dc.com';`
`LDAPLinkCron`	A `cron` expression, the exact time at which the LDAP and Vertica servers should synchronize. Unlike `LDAPLinkInterval`, the runtime of the synchronization does not affect the next scheduled synchronization. Setting this parameter overrides `LDAPLinkInterval`. New synchronizations are only scheduled after the current one ends. This means that if a synchronization runs for long enough to reach the start of what would be the "next" synchronization according to the `cron` expression, that "next" synchronization will not run, and in fact will not be scheduled until after the current one finishes. Default: None (empty).
`LDAPLinkInterval`	The time interval, in seconds, by which the LDAP and Vertica servers should synchronize. The interval is calculated based on the completion time of the previous synchronization operation, not its start time. This means that with an interval of `86400` seconds (one day), if the previous synchronization started at 9:00 and ended at 9:30, then the next synchronization would start at 9:30 the next day. To use this scheduling method, `LDAPLinkCron` must not be set (default). Default: 86400 (one day).
`LDAPLinkFirstInterval`	The first interval, in seconds, for LDAP/Vertica synchronization after the clerk node joins the cluster. Default: 120
`LDAPLinkRetryInterval`	The time, in seconds, the system waits to retry a failed synchronization. Default: 10
`LDAPLinkRetryNumber`	The number of retry attempts if synchronization failed. Default: 10.
`LDAPLinkSearchBase`	The base `dn` from where to start replication. Example: `=> SET PARAMETER LDAPLinkSearchBase='ou=vertica,dc=mycompany,dc=com';` Vertica recommends using a separate OU for database users.
`LDAPLinkSearchTimeout`	The timeout length, in seconds, for the LDAP search operation during an LDAP Link Service run. Default: 10
`LDAPLinkScope`	Indicates what dn level to replicate. Valid Values: sub—Replicate entire subtree under baseDN one—Replicate to one level under baseDN base —Replicate only the baseDN level If you decrease the scope (for example, `sub` to `one`), some users may not be recognized during the next synchronization. Default: `sub`
`LDAPLinkFilterUser`	Determines how to filter users to be replicated. Default: "(objectClass=inetOrgPerson)"
`LDAPLinkFilterGroup`	Determines how to filter groups to be replicated. Default: "(objectClass=groupofnames)"
`LDAPLinkGroupName`	[Optional] The LDAP field to use when creating a role name in Vertica. Default: `cn`
`LDAPLinkGroupMembers`	The LDAP group that identifies the members of an LDAP group. This attribute returns a Fully Qualified Domain Name (FQDN). Default: `member`
`LDAPLinkUserName`	The LDAP field to use when creating a user name in Vertica. Default: `uid`
`LDAPLinkJoinAttr`	Specifies the attribute on which you want to join to assign users to their roles. Default: `dn` Example: POSIX groups associate users and groups with the `uid` attribute instead of `dn`. `=> SET PARAMETER LDAPLinkJoinAttr='uid';`
`LDAPLinkAddRolesAsDefault`	Specifies whether the users synchronized through LDAP Link should have their groups set as default roles. If `LDAPLinkAddRolesAsDefault` is disabled (default), then the users are granted their groups as non-default roles, which must be manually enabled with SET ROLE. Default: `0` (disabled) Example: To enable: `=> ALTER DATABASE DEFAULT SET LDAPLinkAddRolesAsDefault = 1;` To disable: `=> ALTER DATABASE DEFAULT SET LDAPLinkAddRolesAsDefault = 0;`

Authentication parameters

Parameter Description

Parameter	Description
`LDAPLinkBindDN`	The LDAP Bind DN used for authentication. Example: `=> SET PARAMETER LDAPLinkBindDN='CN=amir,OU=QA,DC=dc,DC=com';`
`LDAPLinkBindPswd`	The valid password for the LDAP Bind DN to access the server. Only accessible by the dbadmin user. Example: `=> SET PARAMETER LDAPLinkBindPswd='password';`

LDAPLinkBindDN

The LDAP Bind DN used for authentication.

Example:

=> SET PARAMETER LDAPLinkBindDN='CN=amir,OU=QA,DC=dc,DC=com';

LDAPLinkBindPswd

The valid password for the LDAP Bind DN to access the server. Only accessible by the dbadmin user.

Example:

=> SET PARAMETER LDAPLinkBindPswd='password';

Miscellaneous parameters

Parameter	Description
`LDAPLinkConflictPolicy`	Determines how to resolve a user conflict. Valid Values: IGNORE—Ignores the incoming LDAP user and maintains the existing Vertica user. MERGE—Converts the existing user to an LDAP user. Default: MERGE
`LDAPLinkStopIfZeroUsers`	Enables or disables the shutdown of LDAPLink synchronization if no users are found in LDAP. Valid values: 0 - Disables the LDAPLink synchronization shutdown if no users are found. This may lead to inadvertent dropping of Vertica users. 1 - Enables the LDAPLink synchronization shutdown if no users are found. This prevents inadvertent dropping of Vertica users.
`LDAPLinkDryRun`	[Optional] Tests the connection to the LDAP server and logs the response without doing a synchronization. Also tests if parameters are correctly set. Note that this parameter is not the preferred dry run method. Instead, the LDAP_Link_Dryrun family of meta-functions provides more granular control over configurations and is the preferred way to perform LDAP Link dry runs. Valid Values: 0 - Disables LDAPLinkDryRun 1 - Enables LDAPLinkDryRun Default: 0
`LDAPLinkConfigFile`	[Optional] If this parameter is set with the path to a .LDIF file, the LDAP Link service will use the file as the source tree instead of connecting to the LDAP server.

See Configuration parameter management for information on setting LDAP Link parameters.

Note

When you change any Connection or Authentication parameter, LDAP Link reconnects and re-initializes the synchronization.