ldap configuration issue forcing TLS
We have a test environment using your vertica-vmsrvr-7.0.1-0.64 image and are trying to get LDAP to authenticate a user. My issue is that I continually get "FATAL 3846: LDAP authentication failed". I have used the unix binary ldapsearch to successfully connect to the LDAP Microsoft AD server and been able to connect fine. I then took the parameters used in the ldapsearch to build the ClientAuthentication in vertica.conf. It appears from the logs that it wants to connect to the ldap server using TLS? We also added the ldap.conf and the environment variable LDAPCONF even though we are not using ldaps, tls or ssl, but it mentioned in the documents that this is a requirement for setting up ldap.
Below is the ClientAuthentication record, output from the vertica log, the ldapsearch command, the ldapsearch output and ldap.conf.
ClientAuthentication = host all 0.0.0.0/0 ldap "ldap://150.142.96.30/search;basedn=DC=llbean11,DC=lcom,DC=llbean1,DC=State,DC=ME,DC=US;binddn=CN=steve.brown,OU=DMTRUsers,OU=DMTR,DC=llbean11,DC=lcom,DC=llbean1,DC=State,DC=ME,DC=US;bindpasswd=rosoft99ff;searchattribute=sAMAccountName"
here is the log output:
2014-08-27 07:47:05.346 Init Session:0x210e7260 <LOG> @v_apple_node0001: 00000/2705: Connection received: host=192.168.72.1 port=51863 (connCnt 1)
2014-08-27 07:47:05.347 Init Session:0x210e7260 <LOG> @v_apple_node0001: 00000/4540: Received SSL negotiation startup packet
2014-08-27 07:47:05.347 Init Session:0x210e7260 <LOG> @v_apple_node0001: 00000/4691: Sending SSL negotiation response 'N'
2014-08-27 07:47:05.347 Init Session:0x210e7260 <LOG> @v_apple_node0001: 00000/3443: Found matching ClientAuthentication entry: host all 0.0.0.0/0 ldap ldap://192.168.1.24/search;basedn=DC=llbean11,DC=lcom,DC=llbean1,DC=State,DC=ME,DC=US;binddn=CN=steve.brown,OU=DMTR Users,OU=DMTR,DC=llbean11,DC=lcom,DC=llbean1,DC=State,DC=ME,DC=US;bindpasswd=password1;searchattribute=sAMAccountName
2014-08-27 07:47:05.347 Init Session:0x210e7260 <LOG> @v_apple_node0001: 00000/4686: sendAuthRequest: user=sb2345 database=dbadmin host=192.168.72.1 authType=3
2014-08-27 07:47:05.352 Init Session:0x210e7260 <LOG> @v_apple_node0001: 00000/2917: Could not start LDAP TLS session: error code -11: Connect error
2014-08-27 07:47:05.352 Init Session:0x210e7260-a000000000590c [Txn] <INFO> Begin Txn: a000000000590c 'check_login_history'
2014-08-27 07:47:05.353 Init Session:0x210e7260-a000000000590c [Txn] <INFO> Rollback Txn: a000000000590c 'check_login_history'
2014-08-27 07:47:05.354 Init Session:0x210e7260 <FATAL> @v_apple_node0001: {SessionRun} 28000/3846: LDAP authentication failed for user "sb2345"
LOCATION: auth_failed, /scratch_a/release/vbuild/vertica/Basics/ClientAuthentication.cpp:776
ldapsearch:
ldapsearch -h 192.168.1.24 -p 389 -x -D "CN=steve.brown,OU=DMTR Users,OU=DMTR,DC=llbean11,DC=lcom,DC=llbean1,DC=State,DC=ME,DC=US" -W -b "DC=llbean11,DC=lcom,DC=llbean1,DC=State,DC=ME,DC=US" -s sub "sAMAccountName=sb2345"
ldapsearch output:
[dbadmin@vertica v_apple_node0001_catalog]$ ldapsearch -h 192.168.1.24 -p 389 -x -D "CN=steve.brown,OU=DMTR Users,OU=DMTR,DC=llbean11,DC=lcom,DC=llbean,DC=State,DC=ME,DC=US" -W -b "DC=llbean11,DC=lcom,DC=llbean,DC=State,DC=ME,DC=US" -s sub "sAMAccountName=sb2345"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <DC=llbean11,DC=lcom,DC=llbean,DC=State,DC=ME,DC=US> with scope subtree
# filter: sAMAccountName=sb2345
# requesting: ALL
#
# steve.brown, DMTR Users, DMTR, llbean11.lcom.bean.State.ME.US
dn: CN=steve.brown,OU=DMTR Users,OU=DMTR,DC=llbean11,DC=lcom,DC=llbean,D
C=State,DC=ME,DC=US
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: steve.brown
sn: Brown
c: US
l: AlbaME
st: ME
description: OMM
postalCode: 12201
physicalDeliveryOfficeName: One Metro
givenName: Steven
initials: W
distinguishedName: CN=steve.brown,OU=DMTR Users,OU=DMTR,DC=llbean11,DC=H
COM,DC=llbean,DC=State,DC=ME,DC=US
instanceType: 4
whenCreated: 20100113225107.0Z
whenChanged: 20140825012451.0Z
displayName: Steven W Brown
uSNCreated: 14963
mail: steve.brown@bean.me.gov
middleName: W
mAPIRecipient: TRUE
MEsits-sourceAnchor: vKrXlrw/j0i5vHH9LAI5yQ==
msExchRecipientTypeDetails: 128
msExchPoliciesExcluded: {26491cfc-9e50-4857-861b-0cb8df22b5d7}
msExchPoliciesIncluded: {23668AD4-4FA1-4EE8-B2BB-F94640E8FBA0},{26491CFC-9E50-
4857-861B-0CB8DF22B5D7}
extensionAttribute15: CmnExcludeFromDirSync
msExchRemoteRecipientType: 3
mailNickname: sb2345
targetAddress: sb2345@notes.bean.state.me.us
# search reference
ref: ldap://DomainDnsZones.llbean11.lcom.bean.State.ME.US/DC=DomainDnsZones,D
C=llbean11,DC=lcom,DC=llbean,DC=State,DC=ME,DC=US
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 1
# numReferences: 1
LDAPCONF
/home/dbadmin/ldap.conf
[dbadmin@vertica v_apple_node0001_catalog]$ cat /home/dbadmin/ldap.conf
TLS_REQCERT never
TLS_CACERT = /home/dbadmin/CA-cert-bundle.crt
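The vertica.log excerpt above already says at which step the login died: message 2917 ("Could not start LDAP TLS session") fires before any bind, while the 5559 search failure that appears later in this thread fires after the bind succeeded, and 3846 is only the final verdict. It also shows something worth noticing from a defender's side: the 3443 line echoes the whole ClientAuthentication entry, bindpasswd included, so vertica.log needs the same access controls as vertica.conf. As an added example (not Vertica's code and not the poster's), the Python below parses lines shaped like these, groups them per session, reports the phase each login failed at, flags sessions whose log echoed a bind password, and counts failed logins per user and source host. The log lines are constructed with documentation addresses, a placeholder password and the message codes from this thread; the phase names are my own labels.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the vertica.log lines in this thread (same message
# codes; addresses, user, session ids and the bind password are made up).
SAMPLE_LOG = """\
2014-08-27 07:47:05.346 Init Session:0x210e7260 <LOG> @v_apple_node0001: 00000/2705: Connection received: host=198.51.100.7 port=51863 (connCnt 1)
2014-08-27 07:47:05.347 Init Session:0x210e7260 <LOG> @v_apple_node0001: 00000/3443: Found matching ClientAuthentication entry: host all 0.0.0.0/0 ldap ldap://192.0.2.10/search;basedn=DC=example,DC=com;binddn=CN=svc.bind,DC=example,DC=com;bindpasswd=PLACEHOLDER;searchattribute=sAMAccountName
2014-08-27 07:47:05.347 Init Session:0x210e7260 <LOG> @v_apple_node0001: 00000/4686: sendAuthRequest: user=jdoe database=dbadmin host=198.51.100.7 authType=3
2014-08-27 07:47:05.352 Init Session:0x210e7260 <LOG> @v_apple_node0001: 00000/2917: Could not start LDAP TLS session: error code -11: Connect error
2014-08-27 07:47:05.352 Init Session:0x210e7260-a000000000590c [Txn] <INFO> Begin Txn: a000000000590c 'check_login_history'
2014-08-27 07:47:05.354 Init Session:0x210e7260 <FATAL> @v_apple_node0001: {SessionRun} 28000/3846: LDAP authentication failed for user "jdoe"
2014-08-27 13:38:28.990 Init Session:0xea84020 <LOG> @v_apple_node0001: 00000/4686: sendAuthRequest: user=jdoe database=dbadmin host=198.51.100.7 authType=3
2014-08-27 13:38:28.996 Init Session:0xea84020 <LOG> @v_apple_node0001: 00000/5559: Could not search LDAP for filter "(sAMAccountName=jdoe)" on server "ldap://192.0.2.10": error code 1 Operations error
2014-08-27 13:38:28.997 Init Session:0xea84020 <FATAL> @v_apple_node0001: {SessionRun} 28000/3846: LDAP authentication failed for user "jdoe"
"""

# Matches the "<level> @node: [{context}] sqlstate/code: message" lines; the [Txn]
# lines have no "@node:" part and are deliberately left unmatched.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Init Session:(?P<sid>0x[0-9a-f]+)\S* .*?<(?P<level>\w+)> "
    r"@(?P<node>\S+): (?:\{\w+\} )?(?P<sqlstate>\d{5})/(?P<code>\d+): (?P<msg>.*)$")

# Message codes seen in this thread, mapped to the phase of an LDAP login they mark.
# The phase labels are this example's own names, not Vertica terminology.
PHASE_BY_CODE = {
    "3443": "matched_entry",   # ClientAuthentication entry chosen for this client
    "4686": "auth_request",    # carries the user and source host of the attempt
    "2917": "tls_failed",      # STARTTLS to the directory failed, before any bind
    "5559": "search_failed",   # bind worked, the search for the user did not
    "3846": "auth_failed",     # final verdict
}


def parse_line(line):
    """Return the fields of one log line, or None for lines of another shape."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Group lines by session id and record where each LDAP login failed."""
    sessions = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["code"] not in PHASE_BY_CODE:
            continue
        s = sessions.setdefault(rec["sid"], {
            "sid": rec["sid"], "user": None, "host": None, "failed_at": None,
            "outcome": "unknown", "bind_password_logged": False})
        phase = PHASE_BY_CODE[rec["code"]]
        if phase == "auth_request":
            s["user"] = re.search(r"user=(\S+)", rec["msg"]).group(1)
            s["host"] = re.search(r"host=(\S+)", rec["msg"]).group(1)
        elif phase == "matched_entry":
            # The 3443 line echoes the entry verbatim, bindpasswd included.
            s["bind_password_logged"] = "bindpasswd=" in rec["msg"]
        elif phase in ("tls_failed", "search_failed"):
            s["failed_at"] = s["failed_at"] or phase   # keep the first failure seen
        elif phase == "auth_failed":
            s["outcome"] = "failed"
    return list(sessions.values())


def failures_per_source(sessions):
    """Count failed logins per (user, source host); the input to any threshold alert."""
    counts = defaultdict(int)
    for s in sessions:
        if s["outcome"] == "failed":
            counts[(s["user"], s["host"])] += 1
    return dict(counts)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for s in result:
        print(s)
    print(failures_per_source(result))
```

On the constructed log this reports the first session as failed at the STARTTLS step with the bind password echoed into the log, and the second as failed at the search step; both count against the same user and source host.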
Comments
If you are setting up LDAP in Vertica 7.0, there is an additional configuration file which needs to be created and updated.
In Vertica 7.0, we introduced some new security features which in turn introduced some new configuration files. Please review the documentation page below; it will walk you through setting up an additional config file, ldap.conf, in which we state that we never want starttls connections:
https://my.vertica.com/docs/7.0.x/HTML/index.htm#Authoring/InstallationGuide/InstallingVertica/UsingSecureLDAPAuthenticationinHPVertica7.0.htm
The only entry we need to add to the file is:
TLS_REQCERT allow
Thanks,
Rory
*** worked when searching the group I belong to ***
ClientAuthentication = host all 0.0.0.0/0 ldap "ldap://192.168.1.24/search;basedn=OU=DMTR Users,OU=DMTR,DC=llbean1,DC=LCOM,DC=Llbean,DC=State,DC=ME,DC=US;binddn=llbean1\sb2345;bindpasswd=password1;searchattribute=sAMAccountName"
*** did not work using a more generic basedn ***
ClientAuthentication = host all 0.0.0.0/0 ldap "ldap://192.168.1.24/search;basedn=DC=llbean1,DC=LCOM,DC=Llbean,DC=State,DC=ME,DC=US;binddn=llbean1\sb2345;bindpasswd=password1;searchattribute=sAMAccountName"
fails with
2014-08-27 13:38:28.996 Init Session:0xea84020 <LOG> @v_apple_node0001: 00000/5559: Could not search LDAP for filter "(sAMAccountName=sb2345)" on server "ldap://192.168.1.24": error code 1 Operations error
example of our LDAP tree
OU=DMTR,DC=llbean1,DC=LCOM,DC=Llbean,DC=State,DC=ME,DC=US
OU=URLR,DC=llbean1,DC=LCOM,DC=Llbean,DC=State,DC=ME,DC=US
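The two ClientAuthentication entries just above differ only in basedn, and the one rooted at the domain (DC components only) fails with error code 1 "Operations error" while the one rooted at the users' OU works. With Active Directory a subtree search from the domain root returns referrals (the `ref: ldap://DomainDnsZones...` line in the question's ldapsearch output is one), and an OpenLDAP-based client that chases them without credentials gets exactly that error; that is a common cause, not something the thread confirms. As an added example for both the question's entry and this follow-up (not Vertica's code and not the poster's), the Python below parses an entry of the form shown in the thread plus an ldap.conf, rebuilds the ldapsearch command that mirrors the server's lookup for a given login (the cross-check the question describes), and lists what a reviewer would flag: ldap:// without a working STARTTLS, the bind password stored in clear text, a domain-root basedn, and TLS_REQCERT never/allow, which disables certificate verification. The sample entry and ldap.conf are constructed with documentation addresses and a placeholder password; reading the three fields before the method as connection type, user and address is an assumption taken from the shape of the entry, not from Vertica documentation.

```python
import re
import shlex

# Constructed sample shaped like the entries in this thread: RFC 5737 address,
# example.com names, placeholder password. Not the poster's real values.
SAMPLE_ENTRY = (
    'host all 0.0.0.0/0 ldap "ldap://192.0.2.10/search;'
    'basedn=DC=example,DC=com;'
    'binddn=CN=svc.bind,OU=Service Accounts,DC=example,DC=com;'
    'bindpasswd=PLACEHOLDER_PASSWORD;searchattribute=sAMAccountName"'
)
# Constructed ldap.conf shaped like the one in the question.
SAMPLE_LDAP_CONF = "TLS_REQCERT never\nTLS_CACERT /etc/pki/tls/certs/ca-bundle.crt\n"

URL_RE = re.compile(r"^(?P<scheme>ldaps?)://(?P<host>[^/]+)/(?P<rest>.*)$")


def parse_client_auth(entry):
    """Split one ClientAuthentication entry into scope fields and LDAP parameters.

    Assumption (from the shape of the thread's entry, not from Vertica docs):
    the tokens before the quoted URL are connection type, user, address, method.
    """
    fields = shlex.split(entry)            # the quoted URL stays one token
    if len(fields) != 5 or fields[3] != "ldap":
        raise ValueError('expected: <type> <user> <address> ldap "<url>"')
    conn_type, user, address, _method, url = fields
    m = URL_RE.match(url)
    if not m:
        raise ValueError("URL must start with ldap:// or ldaps://")
    parts = m.group("rest").split(";")
    if parts[0] != "search":
        raise ValueError("only the 'search' form is handled here")
    params = {}
    for kv in parts[1:]:
        key, sep, value = kv.partition("=")  # DNs contain '=' too, so split once
        if not sep:
            raise ValueError("malformed parameter: %r" % kv)
        params[key] = value
    return {"type": conn_type, "user": user, "address": address,
            "scheme": m.group("scheme"), "host": m.group("host"), "params": params}


def parse_ldap_conf(text):
    """Parse OpenLDAP-style ldap.conf: one 'KEY value' per line, '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.upper()] = value.strip()
    return conf


def equivalent_ldapsearch(parsed, login_user):
    """The ldapsearch call that mirrors the server's lookup for login_user."""
    p = parsed["params"]
    argv = ["ldapsearch", "-x", "-H", "%s://%s" % (parsed["scheme"], parsed["host"]),
            "-D", p["binddn"], "-W", "-b", p["basedn"], "-s", "sub",
            "(%s=%s)" % (p["searchattribute"], login_user)]
    return " ".join(shlex.quote(a) for a in argv)


def review(parsed, ldap_conf):
    """Findings a reviewer would raise, as (code, message) pairs."""
    p = parsed["params"]
    findings = []
    if parsed["scheme"] == "ldap":
        findings.append(("PLAINTEXT_LDAP", "ldap:// without a working STARTTLS sends "
                         "the bind password and the user's password in clear text"))
    if "bindpasswd" in p:
        findings.append(("PASSWORD_IN_CONFIG", "bindpasswd is stored in clear text; "
                         "restrict vertica.conf and use a least-privilege bind account"))
    # A basedn made only of DC components is the AD domain root: subtree searches
    # from there return referrals, which an unauthenticated chase turns into error 1.
    rdn_types = [r.split("=", 1)[0].strip().upper() for r in p.get("basedn", "").split(",")]
    if rdn_types and all(t == "DC" for t in rdn_types):
        findings.append(("ROOT_BASEDN", "basedn is the domain root; an AD subtree search "
                         "from there returns referrals and a client chasing them "
                         "unauthenticated gets error code 1 (Operations error)"))
    if ldap_conf.get("TLS_REQCERT", "").lower() in ("never", "allow"):
        findings.append(("TLS_CERT_UNVERIFIED", "TLS_REQCERT %s: the directory's "
                         "certificate is not verified" % ldap_conf["TLS_REQCERT"]))
    return findings


if __name__ == "__main__":
    parsed = parse_client_auth(SAMPLE_ENTRY)
    print(equivalent_ldapsearch(parsed, "jdoe"))
    for code, msg in review(parsed, parse_ldap_conf(SAMPLE_LDAP_CONF)):
        print("%-20s %s" % (code, msg))
```

Run against the constructed entry it prints an `ldapsearch -x -H ldap://192.0.2.10 -D ... -W -b DC=example,DC=com -s sub '(sAMAccountName=jdoe)'` command and all four findings; changing the basedn to an OU under the domain, as in the entry that worked, clears ROOT_BASEDN while the other three remain.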