LDAP Link Question
I'm trying to use LDAP link for the first time and I'm having a hard time translating what works in my LDAP search into the SQL command. I need to be able to find people by CN that are members of a CN. Here is my ldapsearch:
ldapsearch -xLLL -s sub -H ldap://host:port -D "LDVertica" -w bind_password -b "CN=VerticaAdmins NonProd,OU=Vertica,OU=DEV,OU=Groups - Application,DC=CITY,DC=COMPANY,DC=com" '(&(objectClass=group))' member
And here is the result:
dn: CN=VerticaAdmins NonProd,OU=Vertica,OU=DEV,OU=Groups - Application,DC=CITY,
DC=COMPANY,DC=com
member: CN=user_name1,OU=UserAccounts,DC=CITY,DC=COMPANY,DC=com
member: CN=user_name2,OU=UserAccounts,DC=CITY,DC=COMPANY,DC=com
For the SQL statement, I can't see a way to tell LDAP link to look in members:
ALTER DATABASE vmartDB SET PARAMETER LDAPLinkURL='ldap://host:port',
LDAPLinkSearchBase='CN=VerticaAdmins NonProd,OU=Vertica,OU=DEV,OU=Groups - Application,DC=CITY,DC=COMPANY,DC=com',
LDAPLinkBindDN='CN=LDVertica,OU=LDAPAccounts,OU=ServiceAccounts,DC=CITY,DC=COMPANY,DC=com',
LDAPLinkBindPswd='bind_password',
LDAPLinkFilterGroup='(objectClass=group)';
I also don't see how to map my VerticaAdmins group to a role in Vertica. Any help would be appreciated.
Comments
Hi Ryan,
Imagine an ldapsearch command like the following, that returns only those LDAP user objects that you want to import into vertica as USERS:
ldapsearch -xLLL -s sub -H ldap://host:port -D "CN=LDVertica,OU=LDAPAccounts blahblah" -w bind_password -b "CN=VerticaAdmins blahblah" '(objectClass=user)'
Now imagine a separate ldapsearch command like the following, that returns only those LDAP group objects that you want to import into vertica as ROLES:
ldapsearch -xLLL -s sub -H ldap://host:port -D "CN=LDVertica,OU=LDAPAccounts blahblah" -w bind_password -b "CN=VerticaAdmins blahblah" '(objectClass=group)'
Additionally:
With this in mind, your LDAPLink configuration would look like the following:
ALTER DATABASE vmartDB SET PARAMETER
LDAPLinkURL='ldap://host:port',
LDAPLinkSearchBase='CN=VerticaAdmins blahblah',
LDAPLinkBindDN='CN=LDVertica,OU=LDAPAccounts blahblah',
LDAPLinkBindPswd='bind_password',
LDAPLinkFilterUser='(objectClass=user)',
LDAPLinkUserName='uid',
LDAPLinkFilterGroup='(objectClass=group)',
LDAPLinkGroupName='cn',
LDAPLinkGroupMembers='member',
LDAPLinkOn=1;
SELECT ldap_link_sync_start(); -- this step runs the sync on demand, but it can also be omitted since LDAPLink is a service and will run automatically as well
After this, check the 'users' and 'roles' tables:
You can also check the table 'LDAP_LINK_EVENTS' to see what events happened.
HTH
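The mapping the answer describes, as an added example that is not from the original thread and not Vertica's own code: a small Python simulation of one LDAPLink sync over a constructed LDIF sample shaped like the question's ldapsearch output (folded dn line included). It assumes the parameter semantics the answer gives (LDAPLinkFilterUser selects the entries that become USERS, LDAPLinkFilterGroup the entries that become ROLES, LDAPLinkGroupMembers the attribute whose DNs become role grants) and a subtree search under LDAPLinkSearchBase. The user entries, the `svc_dbload` account and the `sAMAccountName` values are invented. Since the DNs in the question look like Active Directory, the example names users by `sAMAccountName` and shows what happens when `uid` is configured but absent from most entries; the group is selected with a compound filter on `cn` rather than by narrowing the search base.

```python
"""Added example (not Vertica code): simulate what LDAPLink derives from a set
of directory entries under a given parameter set, offline."""
import re
from collections import defaultdict

# Constructed LDIF, shaped like the ldapsearch -LLL output in the question
# (including the folded dn line). Entries and names are placeholders.
SAMPLE_LDIF = """\
dn: CN=VerticaAdmins NonProd,OU=Vertica,OU=DEV,OU=Groups - Application,DC=CITY,
 DC=COMPANY,DC=com
objectClass: group
cn: VerticaAdmins NonProd
member: CN=user_name1,OU=UserAccounts,DC=CITY,DC=COMPANY,DC=com
member: CN=user_name2,OU=UserAccounts,DC=CITY,DC=COMPANY,DC=com

dn: CN=user_name1,OU=UserAccounts,DC=CITY,DC=COMPANY,DC=com
objectClass: user
cn: user_name1
sAMAccountName: user_name1

dn: CN=user_name2,OU=UserAccounts,DC=CITY,DC=COMPANY,DC=com
objectClass: user
cn: user_name2
sAMAccountName: user_name2
uid: user_name2

dn: CN=svc_dbload,OU=ServiceAccounts,DC=CITY,DC=COMPANY,DC=com
objectClass: user
cn: svc_dbload
sAMAccountName: svc_dbload
"""

# Assumed parameter semantics, following the answer: user filter -> USERS,
# group filter -> ROLES, group members attribute -> role grants.
PARAMS = {
    "LDAPLinkSearchBase": "DC=CITY,DC=COMPANY,DC=com",
    "LDAPLinkFilterUser": "(objectClass=user)",
    "LDAPLinkUserName": "sAMAccountName",  # AD login name; 'uid' is usually absent in AD
    "LDAPLinkFilterGroup": "(&(objectClass=group)(cn=VerticaAdmins NonProd))",
    "LDAPLinkGroupName": "cn",
    "LDAPLinkGroupMembers": "member",
}


def parse_ldif(text):
    """Return a list of {attr: [values]} entries; a leading space continues
    the previous line (LDIF folding); attribute names are lower-cased."""
    entries, current = [], None
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr.lower() == "dn":
            current = defaultdict(list)
            entries.append(current)
        if current is None:
            raise ValueError("attribute line before dn: %r" % line)
        current[attr.lower()].append(value)
    return entries


def matches(entry, flt):
    """Evaluate a minimal LDAP filter: (attr=value) plus & and | nesting;
    names and values compare case-insensitively, as AD does."""
    body = flt.strip()[1:-1]
    if body[:1] in ("&", "|"):
        parts, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":
                parts.append(body[start:i + 1])
                start = i + 1
        results = [matches(entry, p) for p in parts]
        return all(results) if body[0] == "&" else any(results)
    attr, _, value = body.partition("=")
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))


def ldap_link_sync(entries, params):
    """Return (users, roles, grants, skipped): users and roles map DN -> name,
    grants maps role -> sorted user names, skipped lists user DNs that lack
    the LDAPLinkUserName attribute and so cannot be imported."""
    base = params["LDAPLinkSearchBase"].lower()
    in_scope = [e for e in entries if e["dn"][0].lower().endswith(base)]
    users, skipped = {}, []
    for e in in_scope:
        if matches(e, params["LDAPLinkFilterUser"]):
            names = e.get(params["LDAPLinkUserName"].lower())
            if names:
                users[e["dn"][0].lower()] = names[0]
            else:
                skipped.append(e["dn"][0])
    roles, grants = {}, {}
    for e in in_scope:
        if matches(e, params["LDAPLinkFilterGroup"]):
            role = (e.get(params["LDAPLinkGroupName"].lower()) or [e["dn"][0]])[0]
            roles[e["dn"][0].lower()] = role
            members = e.get(params["LDAPLinkGroupMembers"].lower(), [])
            grants[role] = sorted(users[m.lower()] for m in members if m.lower() in users)
    return users, roles, grants, skipped


def run(params=PARAMS, ldif=SAMPLE_LDIF):
    return ldap_link_sync(parse_ldif(ldif), params)


if __name__ == "__main__":
    users, roles, grants, skipped = run()
    print("USERS:", sorted(users.values()))
    print("ROLES:", sorted(roles.values()))
    print("GRANTS:", grants)
    print("SKIPPED:", skipped)
```

Running it with LDAPLinkSearchBase set to the group's own DN returns the role with an empty member list: a subtree search under the group DN only sees the group entry, so the member DNs under OU=UserAccounts are never imported as users and nothing is granted. Switching LDAPLinkUserName to `uid` imports only the one account that carries that attribute and reports the others in `skipped`, which is the first thing to look at when expected users are missing after `ldap_link_sync_start()`.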