LDAP link service

LDAP Link enables synchronization between the LDAP and OpenText™ Analytics Database servers.

LDAP Link enables synchronization between the LDAP and OpenText™ Analytics Database servers. This eliminates the need for you to manage two sets of users and groups or roles, one on the LDAP server and another on the database server. With LDAP synchronization, the database server becomes a replication database for the LDAP server.

Note

Users created by the LDAP Link service are compatible with native database roles and do not require LDAP roles for functions like column access policies.

Automatic synchronization

With LDAP Link the database server closely integrates with an existing directory service such as MS Active Directory or OpenLDAP. The database server automatically synchronizes:

LDAP users to database users
LDAP groups to database roles

You manage all user and group properties in the LDAP server. As the database administrator, you only need to set up database access permissions for users and groups.

Configure LDAP Link with LDAP Link connection parameters that reside in the catalog. See General and Connection Parameters for more information.

Configure LDAP link with dry runs

The LDAP Link dry run meta-functions allow you to configure the service in discrete stages before making any changes to your database. These stages are:

LDAP Link Bind: Establishing a connection between the LDAP server and the database
LDAP Link Search: Searching the LDAP server for users and groups
LDAP Link Sync: Mapping LDAP users and groups to their equivalents in the database.

Query the system table LDAP_LINK_DRYRUN_EVENTS to view the results of each dry run.

For more information on dry runs and configuring LDAP Link, see Configuring LDAP link with dry runs.

Enable LDAP link

Enable LDAP Link as shown:

=> ALTER DATABASE dbname SET PARAMETER LDAPLinkURL='ldap://example.dc.com',
    LDAPLinkSearchBase='dc=DC,dc=com', LDAPLinkBindDN='CN=jsmith,OU=QA,DC=dc,DC=com,
    LDAPLinkBindPswd='password',LDAPLinkFilterUser='(objectClass=inetOrgPerson)', LDAPLinkFilterGroup='(objectClass=group)', LDAPLinkOn=1;
=> SELECT ldap_link_sync_start();

See LDAP link parameters.

LDAP link workflow

After you enable LDAP Link, synchronization occurs according to this workflow:

The System Administrator creates users and user groups on the LDAP server.
The System Administrator sets up LDAP Link service parameters as required and enables the service.
Using the LDAP Link service, the database replicates the users and user groups from the Application LDAP to the database, creating database users and roles.
The LDAP server uses Kerberos (KDC) to authenticate the user logging in to the database.
- The LDAP user can log in to the database if assigned the appropriate authentication type.
- After logging in, you can grant users privileges using GRANT statements or as part of a Group.

Note

After synchronization, the database user does not have an associated authentication method. To allow the user to log in, you must assign an authentication method to the user. See Configuring client authentication.

LDAP link service

Note

Automatic synchronization

Configure LDAP link with dry runs

Enable LDAP link

LDAP link workflow

Note

In this section