LDAP LINK AUTHENTICATION
The LDAP search worked fine
ldapsearch -h vertica.com -D 'CN=Sathya S,CN=Users,DC=test,DC=mapshc,DC=com' -w 'xxxxxxxx' -b 'CN=users,dc=test,dc=mapshc,dc=com' '(&(objectClass=user)(cn=*)(memberof=CN=Verticadba,CN=users,dc=test,dc=mapshc,dc=com))' samaccountname
# extended LDIF
#
# LDAPv3
# base <CN=users,dc=test,dc=mapshc,dc=com> with scope subtree
# filter: (&(objectClass=user)(cn=*)(memberof=CN=Verticadba,CN=users,dc=test,dc=mapshc,dc=com))
# requesting: samaccountname
#

# Sathya S, Users, test.mapshc.com
dn: CN=Sathya S,CN=Users,DC=test,DC=mapshc,DC=com
sAMAccountName: sathyas

# Nagavelan K, Users, test.mapshc.com
dn: CN=Nagavelan K,CN=Users,DC=test,DC=mapshc,DC=com
sAMAccountName: nagavelank

# search result
search: 2
result: 0 Success
ALTER DATABASE db_name SET PARAMETER
LDAPLinkDryRun=1,
LDAPLinkURL='ldap://vertica.com',
LDAPLinkSearchBase='CN=Users,DC=test,DC=mapshc,DC=com',
LDAPLinkBindDN='CN=Sathya S,CN=users,dc=test,dc=mapshc,dc=com',
LDAPLinkBindPswd='xxxxxx',
LDAPLinkFilterGroup='(objectClass=group)',
LDAPLinkFilterUser='(objectClass=user)',
LDAPLinkGroupName='CN=VerticaDBA',
LDAPLinkGroupMembers='member',
LDAPLinkUserName='sAMAccountName',
LDAPLinkOn=1;
SELECT LDAP_LINK_SYNC_START();
This worked fine too
SELECT transaction_id, event_type, entry_name, entry_oid FROM ldap_link_events;
transaction_id | event_type | entry_name | entry_oid
-------------------+-----------------------+------------+-----------
45035996317957893 | SYNC_STARTED | ---------- | 0
45035996317957893 | SYNC_FINISHED | | 0
45035996317957893 | SYNC_DRY_RUN_FINISHED | ********** | 0
But the username/group doesn't get replicated in Vertica, not sure why? Any ideas?
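An added example to go with the question (not code from the original post or from Vertica): an offline model of the selection step of the sync, which applies the search base, the group and user filters, and the member attribute to a small constructed directory. The two user entries are copied from the ldapsearch output above; the group entry, its member values and the users' memberOf back-links are assumed, as is the reading of LDAPLinkGroupName and LDAPLinkUserName as the names of the attributes that hold the group and user names. It runs the post's first parameter set and the variant (sAMAccountName plus narrower filters) proposed later in the thread.

```python
"""Offline model of the selection step of an LDAP Link sync.

Added example, not Vertica's code.  The two user entries come from the
ldapsearch output in the post; the group entry and memberOf links are assumed.
LDAPLinkGroupName / LDAPLinkUserName are treated as attribute names.
"""

G_DN = "CN=Verticadba,CN=Users,DC=test,DC=mapshc,DC=com"
U1_DN = "CN=Sathya S,CN=Users,DC=test,DC=mapshc,DC=com"
U2_DN = "CN=Nagavelan K,CN=Users,DC=test,DC=mapshc,DC=com"

DIRECTORY = [  # constructed entries, attribute values as lists like LDIF
    {"dn": U1_DN, "objectClass": ["user"], "cn": ["Sathya S"],
     "sAMAccountName": ["sathyas"], "memberOf": [G_DN]},
    {"dn": U2_DN, "objectClass": ["user"], "cn": ["Nagavelan K"],
     "sAMAccountName": ["nagavelank"], "memberOf": [G_DN]},
    {"dn": G_DN, "objectClass": ["group"], "cn": ["Verticadba"],
     "sAMAccountName": ["Verticadba"], "member": [U1_DN, U2_DN]},
]

def norm(value):
    """Comparison form: case-insensitive, whitespace around commas ignored."""
    return ",".join(p.strip() for p in value.lower().split(","))

def attr_values(entry, attr):
    """Attribute lookup; LDAP attribute names are case-insensitive."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])

def _parse(s, i):
    """Recursive descent over the RFC 4515 subset used in the thread:
    (&...), (|...), (!...), (attr=value) and presence (attr=*)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unbalanced filter near offset {i} in {s!r}")
        return (op, kids), i + 1
    j = s.index(")", i)                          # ValueError if never closed
    attr, _, val = s[i:j].partition("=")         # first '=' separates attr from value
    return ("=", attr.strip(), val), j + 1

def parse_filter(s):
    node, end = _parse(s.strip(), 0)
    if end != len(s.strip()):
        raise ValueError(f"trailing text in filter {s!r}")
    return node

def matches(entry, node):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(entry, k) for k in node[1])
    if node[0] == "!":
        return not matches(entry, node[1][0])
    _, attr, val = node
    values = attr_values(entry, attr)
    return bool(values) if val == "*" else norm(val) in {norm(v) for v in values}

def in_scope(dn, base):
    """Subtree scope, syntactically only: dn is base or lies under it.  A base
    the server does not hold fails server-side, which is not modelled here."""
    d, b = norm(dn), norm(base)
    return d == b or d.endswith("," + b)

def simulate_sync(params, directory=DIRECTORY):
    """Return the user names and group -> member names the parameters select."""
    scoped = [e for e in directory if in_scope(e["dn"], params["LDAPLinkSearchBase"])]
    gfilter = parse_filter(params["LDAPLinkFilterGroup"])
    ufilter = parse_filter(params["LDAPLinkFilterUser"])
    users = {}                                   # normalized DN -> name
    for e in scoped:
        names = attr_values(e, params["LDAPLinkUserName"])
        if matches(e, ufilter) and names:
            users[norm(e["dn"])] = names[0]
    groups = {}
    for e in scoped:
        names = attr_values(e, params["LDAPLinkGroupName"])
        if matches(e, gfilter) and names:        # no name attribute -> nothing to create
            members = attr_values(e, params["LDAPLinkGroupMembers"])
            groups[names[0]] = sorted(users[norm(m)] for m in members if norm(m) in users)
    return {"users": sorted(users.values()), "groups": groups}

# The post's first parameter set, and the variant proposed in the second answer.
FIRST = {
    "LDAPLinkSearchBase": "CN=Users,DC=test,DC=mapshc,DC=com",
    "LDAPLinkFilterGroup": "(objectClass=group)",
    "LDAPLinkFilterUser": "(objectClass=user)",
    "LDAPLinkGroupName": "CN=VerticaDBA",          # a DN fragment, not an attribute name
    "LDAPLinkGroupMembers": "member",
    "LDAPLinkUserName": "sAMAccountName",
}
SUGGESTED = dict(FIRST, LDAPLinkGroupName="sAMAccountName",
                 LDAPLinkFilterGroup="(&(objectClass=group)(cn=Verticadba))",
                 LDAPLinkFilterUser="(&(objectClass=user)(cn=*)"
                                    "(memberof=CN=Verticadba,CN=users,dc=test,dc=mapshc,dc=com))")

if __name__ == "__main__":
    print(simulate_sync(FIRST), simulate_sync(SUGGESTED))
```

With the first parameter set the model selects both users but no group, because the group entry has no attribute called `CN=VerticaDBA` to take a name from; with `sAMAccountName` the group comes through with both members. The model is syntactic only: a bind that fails, or a search base the server does not hold, yields nothing server-side and is outside what it checks.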
Answers
Upon quick review it looks like there is an issue with LDAPLinkBindDN, please don't include CN=Sathya. Try setting LDAPLinkSearchBase to DC=mapshc,DC=com and try running the LDAP dry run search mentioned in the link below. Once it is done, query LDAP_LINK_DRYRUN_EVENTS to see if you can find the group and corresponding user in the SQL output.
https://www.vertica.com/docs/9.3.x/HTML/Content/Authoring/SQLReferenceManual/Functions/VerticaFunctions/LDAP_LINK_DRYRUN_SEARCH.htm
Please review the best practices link below, which has detailed info on setting up LDAP.
https://www.vertica.com/kb/LDAP-Authentication-Best-Practices/Content/BestPractices/LDAP-Authentication-Best-Practices.htm
Hi, thanks for the reply. I will check, but I forgot to mention that I use Vertica 9.2 and not Vertica 9.3. In fact I followed the best practices document mentioned by you. I did the changes for LDAPLinkSearchBase and LDAPLinkBindDN:
ALTER DATABASE medicaid SET PARAMETER
LDAPLinkURL='ldap://mapststdmc01.test.mapshc.com',
LDAPLinkSearchBase='DC=mapshc,DC=com',
LDAPLinkBindDN='CN=users,dc=test,dc=mapshc,dc=com',
LDAPLinkBindPswd='Password2020',
LDAPLinkFilterGroup='(objectClass=group)',
LDAPLinkFilterUser='(objectClass=user)',
LDAPLinkGroupName='CN=VerticaDBA',
LDAPLinkGroupMembers='member',
LDAPLinkUserName='sAMAccountName',
LDAPLinkOn=1;
SELECT LDAP_LINK_SYNC_START();
It ran successfully, but the users/group still don't get synchronised.
Can you try modifying a few LDAP parameters as follows and run the sync?
LDAPLinkGroupName='sAMAccountName',
LDAPLinkFilterGroup='(&(objectClass=group)(cn=Verticadba))',
LDAPLinkFilterUser='(&(objectClass=user)(cn=*)(memberof=CN=Verticadba,CN=users,dc=test,dc=mapshc,dc=com))',
Hi, tried the option but it did not work.
Also, one more observation was that if I don't use CN=Sathya S in LDAPLinkBindDN then the sync doesn't run (neither does it throw any error), and in LDAPLinkSearchBase if I set it to only DC=mapshc,DC=com then the sync fails and the failure is recorded in the table ldap_link_events.
ALTER DATABASE medicaid SET PARAMETER
LDAPLinkURL='ldap://mapststdmc01.test.mapshc.com',
LDAPLinkSearchBase='CN=users,DC=test,DC=mapshc,DC=com',
LDAPLinkBindDN='CN=Sathya S,CN=users,dc=test,dc=mapshc,dc=com',
LDAPLinkBindPswd='Password2020',
LDAPLinkFilterGroup='(&(objectClass=group)(cn=Verticadba))',
LDAPLinkFilterUser='(&(objectClass=user)(cn=*)(memberof=CN=Verticadba,CN=users,dc=test,dc=mapshc,dc=com))',
LDAPLinkGroupName='sAMAccountName',
LDAPLinkGroupMembers='member',
LDAPLinkUserName='sAMAccountName',
LDAPLinkOn=1;
SELECT LDAP_LINK_SYNC_START();
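As an added example following this exchange (not Vertica's code, and not a script from the thread): a static check over the parameter statement that flags the three things the thread circles around before any sync is run: a name parameter holding a DN fragment instead of an attribute name, a search base that sits above the domain partition the bind DN belongs to, and a bind DN that names a container rather than an account. The parser and the heuristics are this example's own assumptions, not Vertica's validation; the statement is the second one posted above with the password replaced by a placeholder.

```python
"""Static sanity checks for LDAP Link parameters before running a sync.

Added example, not Vertica's code: it parses an ALTER DATABASE ... SET
PARAMETER statement as written in the thread and flags the mismatches the
thread runs into.  The checks are heuristics written for this example, not
Vertica's own validation, and the password below is a placeholder.
"""
import re

STATEMENT = """ALTER DATABASE medicaid SET PARAMETER
LDAPLinkURL='ldap://mapststdmc01.test.mapshc.com',
LDAPLinkSearchBase='DC=mapshc,DC=com',
LDAPLinkBindDN='CN=users,dc=test,dc=mapshc,dc=com',
LDAPLinkBindPswd='<placeholder>',
LDAPLinkFilterGroup='(objectClass=group)',
LDAPLinkFilterUser='(objectClass=user)',
LDAPLinkGroupName='CN=VerticaDBA',
LDAPLinkGroupMembers='member',
LDAPLinkUserName='sAMAccountName',
LDAPLinkOn=1;"""

ATTR_DESC = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")   # RFC 4512 attribute description

def parse_parameters(statement):
    """Collect NAME='text' and NAME=number pairs from a SET PARAMETER statement."""
    pairs = re.findall(r"(\w+)\s*=\s*(?:'([^']*)'|(\d+))", statement)
    return {name: text or num for name, text, num in pairs}

def rdns(dn):
    """DN as lower-cased (type, value) pairs; escaped commas are not expected here."""
    return [(t.strip().lower(), v.strip().lower())
            for t, _, v in (part.partition("=") for part in dn.split(","))]

def naming_context(dn):
    """The DC=... components, i.e. the domain partition a controller would hold."""
    return tuple(p for p in rdns(dn) if p[0] == "dc")

def balanced(filt):
    """Parenthesis balance check for an RFC 4515 filter string."""
    depth = 0
    for ch in filt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0 and filt.startswith("(") and filt.endswith(")")

def check(params):
    """Return (code, message) findings; an empty list means nothing looked off."""
    findings = []
    for name in ("LDAPLinkGroupName", "LDAPLinkUserName", "LDAPLinkGroupMembers"):
        if not ATTR_DESC.match(params.get(name, "")):
            findings.append(("ATTR_NAME", f"{name}={params.get(name)!r} must be an attribute "
                                          "name such as cn or sAMAccountName, not a DN fragment"))
    for name in ("LDAPLinkFilterGroup", "LDAPLinkFilterUser"):
        if not balanced(params.get(name, "")):
            findings.append(("FILTER_SYNTAX", f"{name}={params.get(name)!r} is not a balanced filter"))
    base, bind = params.get("LDAPLinkSearchBase", ""), params.get("LDAPLinkBindDN", "")
    nc_base, nc_bind = naming_context(base), naming_context(bind)
    if nc_base != nc_bind:
        if nc_bind[len(nc_bind) - len(nc_base):] == nc_base:
            findings.append(("BASE_ABOVE_NC", f"search base {base!r} sits above the domain "
                                              f"partition of the bind DN {bind!r}; a server answers "
                                              "searches only for partitions it holds and returns an "
                                              "error or referral otherwise"))
        else:
            findings.append(("BASE_UNRELATED", f"search base {base!r} and bind DN {bind!r} "
                                               "are in different domain partitions"))
    leaf_type, leaf_value = rdns(bind)[0] if bind else ("", "")
    if leaf_type != "cn" or leaf_value == "users":     # heuristic: CN=Users is AD's default container
        findings.append(("BIND_DN_CONTAINER", f"bind DN {bind!r} names a container, not an "
                                              "account; the bind needs a user entry's full DN"))
    return findings

if __name__ == "__main__":
    for code, message in check(parse_parameters(STATEMENT)):
        print(code, "-", message)
```

Run against the statement above it reports ATTR_NAME, BASE_ABOVE_NC and BIND_DN_CONTAINER; with the full user DN as bind DN, the CN=Users,DC=test,... search base and sAMAccountName as the group name attribute it reports nothing. The check is deliberately offline and says nothing about whether the bind password is right or the group actually has members; a dry run against the server is still the confirming step.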
Could you please open a support case? It looks like it requires reviewing the logs.