LDAP automatic refresh

Sathya

Here is my LDAP automatic refresh setup
SELECT parameter_name,current_value FROM CONFIGURATION_PARAMETERS WHERE PARAMETER_NAME ILIKE '%LDAP%' order by 1;
parameter_name | current_value
-------------------------+------------------------------------------------------------------------------------
LDAPLinkBindDN | CN=Sathya,CN=users,dc=demo,dc=mapshc,dc=com
LDAPLinkBindPswd | xxxxxxxxxxxx
LDAPLinkConfigFile |
LDAPLinkConflictPolicy | MERGE
LDAPLinkDryRun | 0
LDAPLinkFilterGroup | (&(objectClass=group)(cn=Vertica))
LDAPLinkFilterUser | (&(objectClass=user)(cn=*)(memberof=CN=Vertica,CN=users,dc=demo,dc=mapshc,dc=com))
LDAPLinkFirstInterval | 120
LDAPLinkGroupMembers | member
LDAPLinkGroupName | sAMAccountName
LDAPLinkInterval | 86400
LDAPLinkOn | 1
LDAPLinkRetryInterval | 10
LDAPLinkRetryNumber | 10
LDAPLinkScope | sub
LDAPLinkSearchBase | CN=users,DC=demo,DC=mapshc,DC=com
LDAPLinkSearchTimeout | 10
LDAPLinkStartTLS | 0
LDAPLinkStopIfZeroUsers | 1
LDAPLinkTLSCACert |
LDAPLinkTLSCADir |
LDAPLinkTLSReqCert | allow
LDAPLinkURL | ldap://mapsdemodmc01.demo.mapshc.com
LDAPLinkUserName | sAMAccountName

Here is my LDAP Search
[dbadmin@mapsdemodbv01-clone1 ~]$ ldapsearch -h mapsdemodmc01.demo.mapshc.com -D 'CN=Sathya,CN=users,dc=demo,dc=mapshc,dc=com' -w 'xxxxxxxxx' -b 'CN=users,dc=demo,dc=mapshc,dc=com' '(&(objectClass=group)(cn=Vertica))'

extended LDIF

#

LDAPv3

base <CN=users,dc=demo,dc=mapshc,dc=com> with scope subtree

filter: (&(objectClass=group)(cn=Vertica))

requesting: ALL

#

Vertica, Users, demo.mapshc.com

dn: CN=Vertica,CN=Users,DC=demo,DC=mapshc,DC=com
objectClass: top
objectClass: group
cn: Vertica
member: CN=Sathya,CN=Users,DC=demo,DC=mapshc,DC=com
member: CN=Nagavelan,CN=Users,DC=demo,DC=mapshc,DC=com
member: CN=Vertica,CN=Users,DC=demo,DC=mapshc,DC=com
distinguishedName: CN=Vertica,CN=Users,DC=demo,DC=mapshc,DC=com
instanceType: 4
whenCreated: 20200729122533.0Z
whenChanged: 20200730085002.0Z
uSNCreated: 3040277
memberOf: CN=Vertica,CN=Users,DC=demo,DC=mapshc,DC=com
uSNChanged: 3045083
name: Vertica
objectGUID:: p1JQuzjA60WNm4QYqrpdJg==
objectSid:: AQUAAAAAAAUVAAAAW0KXzQEWqlGX26jmQwcAAA==
sAMAccountName: VerticaDBA
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=demo,DC=mapshc,DC=com
dSCorePropagationData: 16010101000000.0Z

search result

search: 2
result: 0 Success

Here is the output of LDAP_LINK_EVENTS

select event_timestamp,node_name,user_name,event_type,entry_name,entry_oid from LDAP_LINK_EVENTS;
2020-08-03 05:56:01.18283-04 | v_medicaid_node0001 | dbadmin | USER_CREATED | Nagavelan | 45035996326589798
2020-08-03 05:56:01.182902-04 | v_medicaid_node0001 | dbadmin | USER_CREATED | Sathya | 45035996326589802
2020-08-03 05:56:01.183032-04 | v_medicaid_node0001 | dbadmin | ROLE_CREATED | VerticaDBA | 45035996326589806
2020-08-03 06:33:51.824345-04 | v_medicaid_node0001 | dbadmin | SYNC_STARTED | ---------- | 0
2020-08-03 06:33:51.828463-04 | v_medicaid_node0001 | dbadmin | SYNC_FINISHED | | 0
2020-08-03 06:33:51.829147-04 | v_medicaid_node0001 | dbadmin | PROCESSING_STARTED | | 0
2020-08-03 06:33:51.829346-04 | v_medicaid_node0001 | dbadmin | USER_CREATED | Nagavelan | 45035996326589878
2020-08-03 06:33:51.829419-04 | v_medicaid_node0001 | dbadmin | USER_CREATED | Sathya | 45035996326589882
2020-08-03 06:33:51.82956-04 | v_medicaid_node0001 | dbadmin | ROLE_CREATED | VerticaDBA | 45035996326589886

Based on the table it clearly indicates that the users/role were created but it did not happen.Any idea as what could be the issue? The Dry run is set to 0 also

Bryan_H

What version of Vertica is this? This will help us track version-specific setups.
Are the users not listed in V_CATALOG.USERS table? Or if they are, is the LDAP_DN field blank?
Could you check vertica.log for any detail error messages that were not listed in LDAP_LINK_EVENTS? (Older versions of Vertica may also list a separate log file for LDAP sync)

Sathya

We use Vertica 9.2.x ..Yes the users and group are not listed in users and roles table .There is no records in them.
Pasting the details from vertica log at a particular time when the LDAP refresh was successful but the user/role was not reflected
2020-08-03 05:56:01.149 Init Session:0x7f53987f8700-a000000045ea2c [Session] [Query] TX:a000000045ea2c(v_medicaid_node0001-15719:0x513a1) SELECT LDAP_LINK_SYNC_START();
2020-08-03 05:56:01.157 Init Session:0x7f53987f8700-a000000045ea2c [Util] Task 'LDAPLinkService' enabled
2020-08-03 05:56:01.157 LDAPLinkService:0x7f538ffff700 [Basics] LDAPLink Service: this is clerk. Will run on this node - v_medicaid_node0001.
2020-08-03 05:56:01.158 LDAPLinkService:0x7f538ffff700 @v_medicaid_node0001: 00000/6304: LDAP initialized on server ldap://mapsdemodmc01.demo.mapshc.com
2020-08-03 05:56:01.169 LDAPLinkService:0x7f538ffff700-a000000045ea2e [Txn] Begin Txn: a000000045ea2e 'LDAP Link service'
2020-08-03 05:56:01.175 LDAPLinkService:0x7f538ffff700-a000000045ea2e [Basics] Equivalent ldapsearch command (non-TLS format, with paging): ldapsearch -LLL -x -H 'ldap://mapsdemodmc01.demo.mapshc.com' -D 'CN=Sathya,CN=users,dc=demo,dc=mapshc,dc=com' -w '*****' -b 'CN=users,DC=demo,DC=mapshc,DC=com' -s 'sub' '(&(objectClass=group)(cn=Vertica))' 'sAMAccountName' 'sAMAccountName' 'member'
2020-08-03 05:56:01.175 LDAPLinkService:0x7f538ffff700-a000000045ea2e [Basics] Equivalent ldapsearch command (non-TLS format, with paging): ldapsearch -LLL -x -H 'ldap://mapsdemodmc01.demo.mapshc.com' -D 'CN=Sathya,CN=users,dc=demo,dc=mapshc,dc=com' -w '*****' -b 'CN=users,DC=demo,DC=mapshc,DC=com' -s 'sub' '(&(objectClass=user)(cn=)(memberof=CN=Vertica,CN=users,dc=demo,dc=mapshc,dc=com))' 'sAMAccountName' 'sAMAccountName' 'member'
2020-08-03 05:56:01.178 LDAPLinkService:0x7f538ffff700-a000000045ea2e [Basics] LDAPLink ((&(objectClass=group)(cn=Vertica))): search returned 1 entries.
2020-08-03 05:56:01.181 LDAPLinkService:0x7f538ffff700-a000000045ea2e [Basics] LDAPLink ((&(objectClass=user)(cn=)(memberof=CN=Vertica,CN=users,dc=demo,dc=mapshc,dc=com))): search returned 2 entries.
2020-08-03 05:56:01.182 LDAPLinkService:0x7f538ffff700-a000000045ea2e [Basics] LDAPLink: processing users.
2020-08-03 05:56:01.182 LDAPLinkService:0x7f538ffff700-a000000045ea2e [Basics] LDAPLink: processing roles.
2020-08-03 05:56:01.213 LDAPLinkService:0x7f538ffff700-a000000045ea2e [Txn] Rollback Txn: a000000045ea2e 'LDAP Link service'
2020-08-03 05:56:01.220 LDAPLinkService:0x7f538ffff700 @v_medicaid_node0001: 00000/3298: Event Posted: Event Code:14 Event Id:16934656 Event Severity: Warning [4] PostedTimestamp: 2020-08-03 05:56:01.220029 ExpirationTimestamp: 2020-08-03 05:56:16.220029 EventCodeDescription: Timer Service Task Error ProblemDescription: threadShim: Circular assignation of roles is not allowed DatabaseName: medicaid Hostname: mapsdemodbv01-clone1

SruthiA

@Sathya It looks like you have circular groups in your LDAP Server which is what causing the issue. Can you check with your LDAP Admin as in why you have circular dependency? Please fix the circular dependency issue in your LDAP Server and try Ldap Sync again.

2020-08-03 05:56:01.220 LDAPLinkService:0x7f538ffff700 @v_medicaid_node0001: 00000/3298: Event Posted: Event Code:14 Event Id:16934656 Event Severity: Warning [4] PostedTimestamp: 2020-08-03 05:56:01.220029 ExpirationTimestamp: 2020-08-03 05:56:16.220029 EventCodeDescription: Timer Service Task Error ProblemDescription: threadShim: Circular assignation of roles is not allowed DatabaseName: medicaid Hostname: mapsdemodbv01-clone1

Bryan_H

The final error "Circular assignation of roles is not allowed" suggests there is an existing role name "VerticaDBA" or including "VerticaDBA" in the existing grants, are there any roles defined in V_CATALOG.ROLES?

Sathya

@SruthiA thanks a lot , I worked with LDAP admin and got the group recreated and it worked but still could not get what the error circular groups about?

SruthiA

@Sathya Good to know that it worked. It is a known issue which we will fixed in future versions of vertica. Please open a support case. we will be able to provide more details.