LDAP integration in Version 7.1 not working

I am trying to set up a Vertica 7.1 cluster to authenticate users from the Active Directory. I am using the following:

CREATE AUTHENTICATION v_ldap1 METHOD 'ldap' HOST '10.0.0.0';
=> ALTER AUTHENTICATION ldap1 SET HOST='ldap://10.88.1.**', basedn='dc=dc,dc=com', binddn_suffix=',dc=modelo,dc=gmodelo,dc=com,dc=mx', binddn_prefix='cn=use'

However, this is not working. I want to be able to bind without using a service account. What am I doing wrong? Thanks in advance.

Comments


  • Here is an example of how we configure it. Hopefully it helps.


    1. 172.16.65.196 is the IP from where the Vertica client will connect to the server (this is the client IP). (To specify a range of client IPs use 172.16.0.0/16.)
    CREATE AUTHENTICATION LDAP1 METHOD 'ldap' HOST '172.16.65.196';

    2.  CREATE USER tuser; # you may already have the user defined in the database

    3. ALTER AUTHENTICATION Ldap1 SET binddn_prefix='cn=', binddn_suffix=',dc=qa_domain,dc=com';
    # note that the user DN will be read as cn=tuser,dc=qa_domain,dc=com (basically, binddn_prefix + <username> + binddn_suffix)
    # (bind will be attempted using DN cn=tuser,dc=qa_domain,dc=com and the password the user provides to the client)

    4. grant AUTHENTICATION Ldap1 to tuser;
    # grant is required to associate the Ldap1 scheme with tuser

    5. On the machine with IP 172.16.65.196, run the following command:
    vsql  -h vertica.server.com -U tuser  -w '<ldap_bind_password_for_tuser>' -c "select authentication_method from sessions"


    Hope this helps
  • Thank you so much. Since I need to add many users, do I use a variable such as "samaccountname" for "tuser" in the Alter Authentication statement?
  • Vertica will construct the binddn using the binddn_prefix, username, and binddn_suffix, and then attempt to bind to the LDAP server using the binddn.

    (I am not sure how your DNs are constructed, or if using the samaccountname instead of the CN will result in a valid DN that will bind. Use ldapsearch to validate that.)

    If you want to use samaccountname (or any other attribute, for that matter), maybe look at the LDAP search-based authentication method.
  • Thanks again.

    Is "tuser" a variable that will hold each username as a value when the user logs in or do I have to do this for each user when I add him/her to the database?


  • tuser is the actual username the client uses to log in. (See the vsql command in the example.)
  • Thanks. This is what I assumed. We have a few hundred users, so we are hoping that we could use a variable so that we don't have to execute the Alter Authentication statement multiple times.
  • I am still getting the error: LDAP authentication failed for user ***********

    I am doing the following:
    CREATE AUTHENTICATION v_ldap1 METHOD 'ldap' HOST '10.0.0.0/8';

    ALTER AUTHENTICATION v_ldap1 SET binddn_prefix='cn=', binddn_suffix=',dc=modelo,dc=gmodelo,dc=com,dc=mx';

    Grant Authentication v_ldap1 to H0011521;

    I am wondering if I would be more successful with bind and search.

    Thanks for your help.



  • 1. Can you tell me what you see in the Vertica logs?

    2. Is this a valid DN that you can bind to using ldapsearch?
    cn=H0011521,dc=modelo,dc=gmodelo,dc=com,dc=mx

  • I suppose you should provide the host and basedn parameters while altering the authentication. The host is provided as ldap://<host>.
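Two points from the thread are worth pinning down with a runnable helper: the 'ldap' method builds the bind DN as binddn_prefix + username + binddn_suffix and binds with the user's own password (no service account, which is what the original question asked for), and the DN template is set once on the authentication object, so for a few hundred users only the per-user CREATE USER and GRANT AUTHENTICATION statements repeat. The script below is an added example, not code from the thread or from Vertica: it composes the DN exactly as the earlier comment describes, rejects usernames containing DN metacharacters (a name such as `tuser,ou=admins` would change the structure of the composed DN rather than just its value), runs the ldapsearch bind check the commenters recommend, and generates the per-user SQL. The prefix/suffix values, the authentication name, the sample usernames and the assumption that OpenLDAP's ldapsearch is installed are all hypothetical.

```shell
#!/bin/sh
# Added example helper for the Vertica 'ldap' authentication method discussed
# in the thread. All values below are assumptions for illustration.

BINDDN_PREFIX='cn='                      # assumed, mirrors the worked example
BINDDN_SUFFIX=',dc=qa_domain,dc=com'     # assumed, mirrors the worked example
AUTH_NAME='Ldap1'                        # assumed authentication object name

# Vertica builds the bind DN as binddn_prefix + <username> + binddn_suffix.
# Reproduce that so a DN can be tested before users see
# "LDAP authentication failed".
compose_dn() {
    printf '%s%s%s\n' "$BINDDN_PREFIX" "$1" "$BINDDN_SUFFIX"
}

# Accept only names that are safe both as an unquoted SQL identifier and as a
# DN attribute value: a letter or underscore followed by letters, digits or
# underscores. Anything else (',', '=', '+', '"', '\', '<', '>', ';', '#',
# spaces) could alter the composed DN or the generated SQL, so it is rejected.
valid_username() {
    case "$1" in
        [A-Za-z_]*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# Bind as the composed DN with the user's own password, which is what the
# 'ldap' method does. Exit status 0 means the DN/password pair binds.
# -W prompts for the password so it does not land in the process list or
# shell history; -s base on the user's own entry keeps the query minimal.
check_bind() {
    user="$1"
    ldap_uri="$2"                        # e.g. ldap://ldap.example.com (assumed)
    valid_username "$user" || { echo "rejecting username: $user" >&2; return 2; }
    dn=$(compose_dn "$user")
    echo "binding as $dn" >&2
    ldapsearch -x -H "$ldap_uri" -D "$dn" -W -b "$dn" -s base '(objectClass=*)' dn >/dev/null
}

# Emit the per-user statements. The prefix/suffix template is set once with
# ALTER AUTHENTICATION; only CREATE USER and GRANT AUTHENTICATION are per user
# (drop the CREATE USER line for users that already exist in the database).
# Invalid names are reported on stderr and never reach the SQL.
grant_sql() {
    for u in "$@"; do
        valid_username "$u" || { echo "skipping invalid username: $u" >&2; continue; }
        printf 'CREATE USER %s;\nGRANT AUTHENTICATION %s TO %s;\n' "$u" "$AUTH_NAME" "$u"
    done
}

# Usage:  sh ldap_helper.sh gen user1 user2 ...   > grants.sql
#         sh ldap_helper.sh check tuser ldap://ldap.example.com
case "${1:-}" in
    gen)   shift; grant_sql "$@" ;;
    check) check_bind "$2" "$3" ;;
esac
```

Pipe the generated file into vsql once; if `check_bind` fails for a DN that you expect to work, the DN shape (cn= versus another naming attribute) is the first thing to compare against what ldapsearch returns for that user, and the search-based method mentioned above is the route when the login name is an attribute such as sAMAccountName rather than part of the DN.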
