Workflow for configuring LDAP search and bind
To configure your Vertica database to authenticate clients using LDAP search and bind, follow these steps:
- Obtain a service account. For information, see the LDAP product documentation.
- From a Vertica node, run ldapsearch against your LDAP or AD server to verify the connection to the server and identify the values of the relevant attributes. The output gives you the values you need to build the client authentication record. In the following example, ldapsearch binds as the account CompanyCorp\jsmith (-D, prompted for its password by -W) and returns the cn, dn, uid and sAMAccountName attributes (where they exist) of every entry under the search base whose cn begins with John. If you omit -D and -W, the search runs as an anonymous bind, which succeeds only on LDAP servers that allow anonymous binding. Because -x is a simple bind, the password crosses the network in cleartext unless you connect over LDAPS (-H ldaps://...) or require StartTLS (-ZZ):

  $ ldapsearch -x -h 10.10.10.10 -b 'OU=Vertica Users,DC=CompanyCorp,DC=com' -s sub -D 'CompanyCorp\jsmith' -W '(cn=John*)' cn dn uid sAMAccountName
- Review the results that ldapsearch returns. The dn line and the attribute that carries the login name (here cn, with sAMAccountName as the AD alternative) are the relevant information for search and bind:

  # extended LDIF
  #
  # LDAPv3
  # base <OU=Vertica Users,DC=CompanyCorp,DC=com> with scope subtree
  # filter: (cn=John*)
  # requesting: cn dn sAMAccountName
  #

  # John Smith, Vertica Users, CompanyCorp.com
  dn: CN=jsmith,OU=Vertica Users,DC=CompanyCorp,DC=com
  cn: Jsmith
  sAMAccountName: jsmith

  # search result
  search: 2
  result: 0 Success

  # numResponses: 2
  # numEntries: 1
- Create the client authentication record. The cn attribute contains the username you want, jsmith, so set search_attribute to CN so that the search finds the appropriate account. Set basedn to the container that holds the user entries: the dn returned above places jsmith under OU=Vertica Users, so that OU is the base (a base that does not contain the entries makes every login fail). The binddn and bind_password are the credentials of the service account from step 1; Vertica stores them in the catalog, so use a dedicated account that has only search rights on the base, not a user account. HOST in CREATE AUTHENTICATION is the client address or CIDR range this method applies to, and host in ALTER AUTHENTICATION is the LDAP server URL; the ldap:// URL shown sends the bind password and each user's password in cleartext, so in production use ldaps:// (or StartTLS) as described in the parameter reference.

  => CREATE AUTHENTICATION v_ldap_bind_search METHOD 'ldap' HOST '10.10.10.10';
  => GRANT AUTHENTICATION v_ldap_bind_search TO public;
  => ALTER AUTHENTICATION v_ldap_bind_search SET host='ldap://10.10.10.10', basedn='OU=Vertica Users,DC=CompanyCorp,DC=com', binddn='CN=jsmith,OU=Vertica Users,DC=CompanyCorp,DC=com', bind_password='password', search_attribute='CN';
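Putting the steps together, the following added shell script (example code, not from the Vertica documentation) reads the LDIF that ldapsearch printed, refuses to continue unless the search matched exactly one entry (an ambiguous search attribute means the bind could land on a different account than the one the user named), derives basedn from that entry's dn, and prints the three SQL statements with every value quoted for a SQL string literal. The embedded LDIF is constructed to mirror the output above; the client CIDR, the ldaps:// URL and the service-account DN passed to build_record are placeholders, as is the base64 marker convention used for "attr::" values.

```shell
#!/bin/sh
# Added example, not from the Vertica documentation: derive the search-and-bind
# record from the LDIF that ldapsearch printed, and refuse to proceed when the
# search was ambiguous.  The LDIF below is constructed to mirror the page's
# output; every host, OU and account name is a placeholder.

SAMPLE_LDIF='# extended LDIF
#
# LDAPv3
# base <OU=Vertica Users,DC=CompanyCorp,DC=com> with scope subtree
# filter: (cn=John*)
# requesting: cn dn sAMAccountName
#

# John Smith, Vertica Users, CompanyCorp.com
dn: CN=jsmith,OU=Vertica Users,DC=CompanyCorp,DC=com
cn: Jsmith
sAMAccountName: jsmith

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1'

# Print every value of attribute $1 from LDIF on stdin.  Unfolds continuation
# lines (leading space), skips ldapsearch comments, matches the attribute name
# case-insensitively, and marks base64 values ("attr::") instead of decoding them.
ldif_attr() {
  awk -v want="$1" '
    function flush(    i, attr, val) {
      if (line == "") return
      i = index(line, ":")
      if (i > 0) {
        attr = substr(line, 1, i - 1)
        val  = substr(line, i + 1)
        if (substr(val, 1, 1) == ":") { sub(/^: */, "", val); val = "base64:" val }
        sub(/^ +/, "", val)
        if (tolower(attr) == tolower(want)) print val
      }
      line = ""
    }
    /^#/  { next }                            # ldapsearch comment line
    /^ /  { line = line substr($0, 2); next } # folded continuation line
    { flush(); line = $0 }
    END   { flush() }'
}

# Number of entries in the result: one "dn:" per entry.  Counted from the data
# rather than from the "# numEntries" comment, which ldapsearch -LLL omits.
ldif_entry_count() { ldif_attr dn | awk 'END { print NR }'; }

# Parent of a DN: drop the first RDN, honouring backslash-escaped commas.
parent_dn() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= length($0); i++) {
      c = substr($0, i, 1)
      if (c == "\\") { i++; continue }        # skip the escaped character
      if (c == ",") { print substr($0, i + 1); exit }
    }
    print ""                                  # single RDN: no parent
  }'
}

# Double single quotes so a value is safe inside a SQL string literal.
sql_quote() { printf '%s' "$1" | sed "s/'/''/g"; }

# Read the ldapsearch LDIF on stdin and emit the Vertica statements.
#   $1 auth name   $2 client host/CIDR the method applies to   $3 LDAP URL
#   $4 service-account bind DN   $5 its password   $6 search attribute
build_record() {
  ldif=$(cat)
  n=$(printf '%s\n' "$ldif" | ldif_entry_count)
  if [ "$n" -ne 1 ]; then
    echo "search matched $n entries, not 1; narrow the filter or base before trusting the attribute" >&2
    return 1
  fi
  userdn=$(printf '%s\n' "$ldif" | ldif_attr dn)
  basedn=$(parent_dn "$userdn")              # the OU the user actually lives in
  printf "CREATE AUTHENTICATION %s METHOD 'ldap' HOST '%s';\n" "$1" "$(sql_quote "$2")"
  printf "GRANT AUTHENTICATION %s TO public;\n" "$1"
  printf "ALTER AUTHENTICATION %s SET host='%s', basedn='%s', binddn='%s', bind_password='%s', search_attribute='%s';\n" \
    "$1" "$(sql_quote "$3")" "$(sql_quote "$basedn")" "$(sql_quote "$4")" "$(sql_quote "$5")" "$(sql_quote "$6")"
}

# Usage: pipe real ldapsearch output in place of the sample, then feed the
# printed statements to vsql.  Placeholder arguments throughout.
printf '%s\n' "$SAMPLE_LDIF" | build_record v_ldap_bind_search '10.10.10.0/24' 'ldaps://10.10.10.10' \
  'CN=svc_vertica,OU=Service Accounts,DC=CompanyCorp,DC=com' 'password' 'sAMAccountName'
```

The entry count is taken from the dn lines rather than the trailing comment so that the check also works with ldapsearch -LLL, and the base is derived from the returned dn rather than typed by hand, which is exactly the mismatch the worked example above is prone to.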
For more information see LDAP Bind and Search Parameters