LDAP Integration

I have some trouble getting the AD user onboarding into Vertica

LDAP SEARCH works fine
ldapsearch -xLLL -H ldap://ldaphostip:389 -D "username@abc.bca.corp.com" -W -b "DC=abc,DC=bca,DC=corp,DC=com" '(&(samAccountName=username))'

I do see proper bind info
dbadmin=> SELECT * FROM client_auth_params;

45035996277634976 | v_ldap_bind | host | ldap://10.0.1.84/
45035996277634976 | v_ldap_bind | basedn | DC=abc,DC=bca,DC=corp,DC=com
45035996277634976 | v_ldap_bind | binddn_prefix | cn=username
45035996277634976 | v_ldap_bind | binddn_suffix | ,OU=C360ProdEnv,DC=abc,DC=bca,DC=corp,DC=com

vsql: FATAL 2248: Authentication failed for username "username"

*username is just to hide identity.

Any thoughts ?Why it doesn't work

Comments

  • Jim_KnicelyJim_Knicely - Select Field - Administrator

    Can you post the results of the following queries?

    SELECT * FROM client_auth;
    SELECT object_name, grantee FROM grants WHERE object_type = 'CLIENTAUTHENTICATION';
    SELECT user_name, ldap_dn FROM users WHERE user_name = 'YOUR USERNAME';
    
  • edited February 2018

    [1]

    SELECT * FROM client_auth;
    auth_oid | auth_name | is_auth_enabled | auth_host_type | auth_host_address | auth_method | auth_parameters | auth_priority
    -------------------+------------------------+-----------------+----------------+-------------------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------+---------------
    45035996276037072 | ldap_auth | True | HOST | 0.0.0.0/0 | LDAP | | 0
    45035996276037526 | h1 | True | LOCAL | | HASH | | 0
    45035996276037658 | vertica_ad | True | HOST | 0.0.0.0/0 | LDAP | host=ldap://ipaddress/, basedn=DC=abc,DC=bca,DC=corp,DC=com, binddn_prefix=cn=, binddn_suffix=,ou=ProdEnv,dc=abc,dc=bca,dc=corp,dc=com | 0
    45035996276364356 | v_dbadmin_hash_network | True | HOST | 0.0.0.0/0 | HASH | | 0
    45035996277637640 | v_ldap_bind | True | HOST | ipaddress | LDAP | host=ldap://ipaddress/, basedn=DC=abc,DC=bca,DC=corp,DC=com, binddn_prefix=cn=, binddn_suffix=,OU=ProdEnv,DC=abc,DC=bca,DC=corp,DC=com | 0
    (5 rows)

    [2]
    SELECT object_name, grantee FROM grants WHERE object_type = 'CLIENTAUTHENTICATION';
    object_name | grantee
    ------------------------+-----------------
    h1 | role2
    vertica_ad | vertica_ad_role
    vertica_ad | ldap_auth_role
    vertica_ad | vertica
    v_dbadmin_hash_network | dbadmin
    ldap_auth | ldap_auth_role
    vertica_ad | myname
    v_ldap_bind | myname
    v_ldap_bind | public

    [3]
    dbadmin=> SELECT user_name, ldap_dn FROM users WHERE user_name = 'myname';
    user_name | ldap_dn
    --------------+---------
    myname|

  • any thoughts ?

  • Jim any other insights

  • Jim_KnicelyJim_Knicely - Select Field - Administrator

    For the authentication record "v_ldap_bind" you have:

    binddn_suffix=,OU=ProdEnv,DC=abc,DC=bca,DC=corp,DC=com

    Is the "ProdEnv" needed? It wasn't used in your original ldap search.

  • 45035996277637640 | v_ldap_bind | binddn_suffix | DC=aws,DC=sea,DC=samsung,DC=com

    i modified the auth, still same error

    vsql: FATAL 2248: Authentication failed for username "a2.bhatnagar"

  • any other thoughts?

  • folks -i'm stuck and not able to proceed.
    any other pointers

  • Jim_KnicelyJim_Knicely - Select Field - Administrator
    edited February 2018

    Hi @ankit0007smart ,

    Can you email me directly the exact out put (no data hiding) of the following?

    Result of your LDAP search (using the specific user):
    ldapsearch -xLLL -H ldap://ldaphostip:389 -D "username@abc.bca.corp.com" -W -b "DC=abc,DC=bca,DC=corp,DC=com" '(&(samAccountName=username))'

    Results of queries in Vertica:

    SELECT * FROM client_auth;
    SELECT * FROM client_auth_params;
    SELECT * FROM user_client_auth;
    SELECT object_name, grantee FROM grants WHERE object_type = 'CLIENTAUTHENTICATION';

    Email: james.knicely@microfocus.com

  • thanks James, this works after enabling the anonymous access on AD.

  • Jim_KnicelyJim_Knicely - Select Field - Administrator

    AWESOME!

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file