LDAP Integration

ankit0007smart

I have some trouble getting the AD user onboarding into Vertica

LDAP SEARCH works fine
ldapsearch -xLLL -H ldap://ldaphostip:389 -D "username@abc.bca.corp.com" -W -b "DC=abc,DC=bca,DC=corp,DC=com" '(&(samAccountName=username))'

I do see proper bind info
dbadmin=> SELECT * FROM client_auth_params;

45035996277634976 | v_ldap_bind | host | ldap://10.0.1.84/
45035996277634976 | v_ldap_bind | basedn | DC=abc,DC=bca,DC=corp,DC=com
45035996277634976 | v_ldap_bind | binddn_prefix | cn=username
45035996277634976 | v_ldap_bind | binddn_suffix | ,OU=C360ProdEnv,DC=abc,DC=bca,DC=corp,DC=com

vsql: FATAL 2248: Authentication failed for username "username"

*username is just to hide identity.

Any thoughts ?Why it doesn't work

Jim_Knicely

Can you post the results of the following queries?

SELECT * FROM client_auth;
SELECT object_name, grantee FROM grants WHERE object_type = 'CLIENTAUTHENTICATION';
SELECT user_name, ldap_dn FROM users WHERE user_name = 'YOUR USERNAME';

ankit0007smart

[1]

SELECT * FROM client_auth;
auth_oid | auth_name | is_auth_enabled | auth_host_type | auth_host_address | auth_method | auth_parameters | auth_priority
-------------------+------------------------+-----------------+----------------+-------------------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------+---------------
45035996276037072 | ldap_auth | True | HOST | 0.0.0.0/0 | LDAP | | 0
45035996276037526 | h1 | True | LOCAL | | HASH | | 0
45035996276037658 | vertica_ad | True | HOST | 0.0.0.0/0 | LDAP | host=ldap://ipaddress/, basedn=DC=abc,DC=bca,DC=corp,DC=com, binddn_prefix=cn=, binddn_suffix=,ou=ProdEnv,dc=abc,dc=bca,dc=corp,dc=com | 0
45035996276364356 | v_dbadmin_hash_network | True | HOST | 0.0.0.0/0 | HASH | | 0
45035996277637640 | v_ldap_bind | True | HOST | ipaddress | LDAP | host=ldap://ipaddress/, basedn=DC=abc,DC=bca,DC=corp,DC=com, binddn_prefix=cn=, binddn_suffix=,OU=ProdEnv,DC=abc,DC=bca,DC=corp,DC=com | 0
(5 rows)

[2]
SELECT object_name, grantee FROM grants WHERE object_type = 'CLIENTAUTHENTICATION';
object_name | grantee
------------------------+-----------------
h1 | role2
vertica_ad | vertica_ad_role
vertica_ad | ldap_auth_role
vertica_ad | vertica
v_dbadmin_hash_network | dbadmin
ldap_auth | ldap_auth_role
vertica_ad | myname
v_ldap_bind | myname
v_ldap_bind | public

[3]
dbadmin=> SELECT user_name, ldap_dn FROM users WHERE user_name = 'myname';
user_name | ldap_dn
--------------+---------
myname|

ankit0007smart

any thoughts ?

ankit0007smart

Jim any other insights

Jim_Knicely

For the authentication record "v_ldap_bind" you have:

binddn_suffix=,OU=ProdEnv,DC=abc,DC=bca,DC=corp,DC=com

Is the "ProdEnv" needed? It wasn't used in your original ldap search.

ankit0007smart

45035996277637640 | v_ldap_bind | binddn_suffix | DC=aws,DC=sea,DC=samsung,DC=com

i modified the auth, still same error

vsql: FATAL 2248: Authentication failed for username "a2.bhatnagar"

ankit0007smart

any other thoughts?

ankit0007smart

folks -i'm stuck and not able to proceed.
any other pointers

Jim_Knicely

Hi @ankit0007smart ,

Can you email me directly the exact out put (no data hiding) of the following?

Result of your LDAP search (using the specific user):
ldapsearch -xLLL -H ldap://ldaphostip:389 -D "username@abc.bca.corp.com" -W -b "DC=abc,DC=bca,DC=corp,DC=com" '(&(samAccountName=username))'

Results of queries in Vertica:

SELECT * FROM client_auth;
SELECT * FROM client_auth_params;
SELECT * FROM user_client_auth;
SELECT object_name, grantee FROM grants WHERE object_type = 'CLIENTAUTHENTICATION';

Email: james.knicely@microfocus.com

ankit0007smart

thanks James, this works after enabling the anonymous access on AD.

Jim_Knicely

AWESOME!