LDAP link service
LDAP Link enables synchronization between the LDAP server and OpenText™ Analytics Database servers. This eliminates the need for you to manage two sets of users and groups or roles, one on the LDAP server and another on the database server. With LDAP synchronization, the database holds a replica of the users and groups defined on the LDAP server, and the LDAP server remains the source of truth for them.
Note
Users created by the LDAP Link service are compatible with native database roles and do not require LDAP roles for functions such as column access policies.
Automatic synchronization
With LDAP Link, the database server integrates closely with an existing directory service such as MS Active Directory or OpenLDAP. The database server automatically synchronizes:
- LDAP users to database users
- LDAP groups to database roles
You manage all user and group properties in the LDAP server. As the database administrator, you only need to set up database access permissions for users and groups.
Configure LDAP Link through the LDAP Link connection parameters, which are stored in the database catalog. See General and Connection Parameters for more information. Because the bind password (LDAPLinkBindPswd) is one of these catalog parameters, bind with a dedicated directory account that has read-only access to the users and groups you intend to synchronize, not with a personal or administrative account.
Configure LDAP link with dry runs
The LDAP Link dry run meta-functions allow you to configure the service in discrete stages before making any changes to your database. These stages are:
- LDAP Link Bind: establishing a connection between the LDAP server and the database
- LDAP Link Search: searching the LDAP server for users and groups
- LDAP Link Sync: mapping LDAP users and groups to their equivalents in the database
Query the system table LDAP_LINK_DRYRUN_EVENTS to view the results of each dry run.
For more information on dry runs and configuring LDAP Link, see Configuring LDAP link with dry runs.
Enable LDAP link
Enable LDAP Link as shown (the bind DN value in the original statement was missing its closing quote; it is corrected here):
=> ALTER DATABASE dbname SET PARAMETER LDAPLinkURL='ldap://example.dc.com',
   LDAPLinkSearchBase='dc=DC,dc=com', LDAPLinkBindDN='CN=jsmith,OU=QA,DC=dc,DC=com',
   LDAPLinkBindPswd='password', LDAPLinkFilterUser='(objectClass=inetOrgPerson)',
   LDAPLinkFilterGroup='(objectClass=group)', LDAPLinkOn=1;
=> SELECT ldap_link_sync_start();
This example binds over plain ldap://, which sends the bind credentials and every synchronized user and group in clear text between the database and the directory. In production, use an ldaps:// URL or StartTLS; see LDAP link parameters for the TLS-related settings. The filters above also match every inetOrgPerson and every group under the search base, so every directory account becomes a database user; narrow the filters to the accounts that actually need database access.
See LDAP link parameters.
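The complete procedure described in "Configure LDAP link with dry runs" and "Enable LDAP link", as one worked SQL session. This is an added example, not code from the original page or from the product documentation. It differs from the example above in three security-relevant ways: it binds over LDAPS, it binds as a dedicated read-only service account rather than a person's account, and it narrows the user filter so that only members of one directory group become database users. The dry-run meta-function names LDAP_LINK_DRYRUN_CONNECT, LDAP_LINK_DRYRUN_SEARCH and LDAP_LINK_DRYRUN_SYNC, the parameters LDAPLinkScope, LDAPLinkUserName, LDAPLinkGroupName and LDAPLinkGroupMembers, the column names used for LDAP_LINK_DRYRUN_EVENTS, USERS and ROLES, and every host name, DN, filter, schema and account name are assumptions to check against LDAP link parameters and your own directory before use.

```sql
-- Added example (not from the original page). Host, DNs, filters, account
-- names and schema are placeholders; meta-function and parameter names are
-- assumptions to verify against the LDAP link parameters reference.

-- Stage 1: dry-run the bind. Nothing is written to the catalog.
-- LDAPS and a read-only service account instead of ldap:// and a personal DN.
SELECT LDAP_LINK_DRYRUN_CONNECT(
    'ldaps://example.dc.com',
    'CN=svc-dblink,OU=ServiceAccounts,DC=dc,DC=com',
    'password');

-- Stage 2: dry-run the search with exactly the filters you intend to deploy.
-- The user filter admits only members of one directory group, so a stray
-- account elsewhere under the search base never becomes a database user.
SELECT LDAP_LINK_DRYRUN_SEARCH(
    'ldaps://example.dc.com',
    'CN=svc-dblink,OU=ServiceAccounts,DC=dc,DC=com',
    'password',
    'OU=Engineering,DC=dc,DC=com',                                        -- search base
    'sub',                                                                -- scope
    '(&(objectClass=user)(memberOf=CN=db-users,OU=Groups,DC=dc,DC=com))', -- user filter
    '(&(objectClass=group)(cn=db-*))',                                    -- group filter
    'sAMAccountName',                                                     -- attribute that becomes the user name
    'cn',                                                                 -- attribute that becomes the role name
    'member');                                                            -- group membership attribute

-- Stage 3: dry-run the sync. Same arguments; reports which users and roles
-- would be created, mapped or left orphaned without changing anything.
SELECT LDAP_LINK_DRYRUN_SYNC(
    'ldaps://example.dc.com',
    'CN=svc-dblink,OU=ServiceAccounts,DC=dc,DC=com',
    'password',
    'OU=Engineering,DC=dc,DC=com',
    'sub',
    '(&(objectClass=user)(memberOf=CN=db-users,OU=Groups,DC=dc,DC=com))',
    '(&(objectClass=group)(cn=db-*))',
    'sAMAccountName',
    'cn',
    'member');

-- Review the results of all three stages before touching the live parameters.
-- Column names are assumed; SELECT * works if they differ on your version.
SELECT event_timestamp, event_type, entry_name, entry_oid
  FROM v_monitor.ldap_link_dryrun_events
 ORDER BY event_timestamp;

-- Only once the dry runs show the expected users and groups: commit the same
-- values to the catalog and switch the service on.
ALTER DATABASE dbname SET PARAMETER
    LDAPLinkURL          = 'ldaps://example.dc.com',
    LDAPLinkBindDN       = 'CN=svc-dblink,OU=ServiceAccounts,DC=dc,DC=com',
    LDAPLinkBindPswd     = 'password',
    LDAPLinkSearchBase   = 'OU=Engineering,DC=dc,DC=com',
    LDAPLinkScope        = 'sub',
    LDAPLinkFilterUser   = '(&(objectClass=user)(memberOf=CN=db-users,OU=Groups,DC=dc,DC=com))',
    LDAPLinkFilterGroup  = '(&(objectClass=group)(cn=db-*))',
    LDAPLinkUserName     = 'sAMAccountName',
    LDAPLinkGroupName    = 'cn',
    LDAPLinkGroupMembers = 'member',
    LDAPLinkOn           = 1;

SELECT LDAP_LINK_SYNC_START();

-- Verify what the sync actually created (ldap_dn / ldap_uri columns assumed).
SELECT user_name, ldap_dn, ldap_uri
  FROM v_catalog.users
 WHERE ldap_dn IS NOT NULL;

SELECT name, ldap_dn
  FROM v_catalog.roles
 WHERE ldap_dn IS NOT NULL;

-- Grant privileges to the synchronized role, not to individual users, so
-- database access follows directory group membership. The role name is the
-- group's cn, so "db-analysts" assumes a directory group with that cn.
GRANT USAGE ON SCHEMA analytics TO "db-analysts";
GRANT SELECT ON ALL TABLES IN SCHEMA analytics TO "db-analysts";
```

The dry-run calls take the bind password as a literal argument, so run them from an interactive session rather than a saved script, and rotate the service account's password once the parameters are committed if the script or session log was stored anywhere. A user created by this sync still cannot log in until an authentication record for LDAP or Kerberos is granted to it; synchronization only creates the identity.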
LDAP link workflow
After you enable LDAP Link, synchronization occurs according to this workflow:
- The System Administrator creates users and user groups on the LDAP server.
- The System Administrator sets the LDAP Link service parameters as required and enables the service.
- Using the LDAP Link service, the database replicates the users and groups from the LDAP server into the database, creating database users and roles.
- LDAP Link synchronizes identities only; it does not authenticate anyone. When an LDAP user logs in to the database, the user is authenticated by the authentication method configured for that user, for example Kerberos through the KDC.
- The LDAP user can log in to the database only if an appropriate authentication type has been assigned to that user.
- Once the users and roles exist in the database, grant privileges with GRANT statements, either to individual users or to the role that corresponds to their LDAP group.