Ldap integration in Version 7.1 not working

I am trying to set up a Vertica 7.1 cluster to authenticate users from the Active Directory. I am using the following: CREATE AUTHENTICATION v_ldap1 METHOD 'ldap' HOST ''; => ALTER AUTHENTICATION ldap1 SET HOST= 'ldap://10.88.1.**',basedn='dc=dc,dc=com',binddn_suffix=',dc=modelo,dc=gmodelo,dc=com,dc=mx',binddn_prefix='cn=use' However, this is not working. I want to be able to bind without using a service account. What am I doing wrong? Thanks in advance.


  • Here is an example of how we configure it. hopefully it helps

    1. is the IP from where vertica client will connect to the server (this is the client IP). (to specify a range of client IPs use (

    2.  CREATE USER tuser; # you may already have the user defined in the database

    3. ALTER AUTHENTICATION Ldap1 SET binddn_prefix='cn=', binddn_suffix=',dc=qa_domain,dc=com';
    # note that the user DN will be read as cn=tuser,dc=qa_domain,dc=com (basically, binddn_prefix + <username> + binddn_suffix)
    (bind will be attempted using DN ( cn=tuser,dc=qa_domain,dc=com ) and the password the user provides to the client

    4. grant AUTHENTICATION Ldap1 to tuser;
    # grant is required to associate the Ldap1 scheme with tuser

    5. on machine with IP, run the following command
    vsql  -h vertica.server.com -U tuser  -w '<ldap_bind_password_for_tuser>' -c "select authentication_method from sessions"

    Hope this helps
  • Thank you so much. Since I need to add many users do I user a variable such as "samaccountname" for "tuser" in the Alter Authentication statement?
  • Vertica will construct the binddn using the binddn_prefix, username, and binddn_suffix, and then attempt to bind to the ldap server using the binddn.

    (I am not sure how your DNs are constructed, or if using the samaccountname instead on the CN will result in a valid DN that will bind. use ldapsearch to validate that).

    If you want to use samaccountname (or any other attribute for that matter), maybe you look at ldap search based authentication method.
  • Thanks again.

    Is "tuser" a variable that will hold each username as a value when the user logs in or do I have to do this for each user when I add him/her to the database?


  • tuser is the actual username the client uses to login. (see vsql command in example)
  • Thanks. This is what I assumed. We have a few hundred users so we are hoping that we could use a variable so that we don't have to execute the Alter Authentication statement multiple times.  
  • I am still getting the error:    LDAP authentication failed for user ***********

    I am doing the following:

    ALTER AUTHENTICATION v_ldap1 SET binddn_prefix='cn=', binddn_suffix=',dc=modelo,dc=gmodelo,dc=com,dc=mx';

    Grant Authentication v_ldap1 to H0011521;

    I am wondering if I would be more successful with bind and search.

    Thanks for your help.

  • 1. can you tell me what you seen in the vertica logs.

    2. is this a valid DN, that you can bind to using ldapsearch?

  • i suppose you should provide host, basedn parameters while altering authentication. host is provided as ldap://<host>.

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file