Comments
What version of Vertica are you trying to integrate with LDAP? I will post a documentation link once I have this information.
Thanks!
Rory
Thanks,
Sang
Thanks for the Vertica version! As a heads up, our 6.1.x Online Documentation can be searched at the following link:
https://my.vertica.com/docs/6.1.x/HTML/index.htm
We outline the steps for configuring LDAP at the following link:
https://my.vertica.com/docs/6.1.x/HTML/index.htm#18816.htm
Thanks,
Rory
So, simply put the "ClientAuthentication" in the vertica.conf file on all the Vertica db servers?
Could you give me some brief steps to configure it?
Thanks,
Sang
Yes, the "ClientAuthentication" string is set in the vertica.conf file via AdminTools. To get there in Admintools:
1. /opt/vertica/bin/admintools
2. Configuration Menu
3. Edit Authentication
4. Select the database
5. Enter your authentication string
6. Save the changes
7. Restart your database for the changes to take place
Additional information is located at: https://my.vertica.com/docs/6.1.x/HTML/index.htm#10959.htm
Thanks,
Rory
I appreciate the response. I will try it on my database.
Thanks,
Sang
You're welcome. Good luck with the implementation!
Thanks,
Rory
ClientAuthentication = host all 10.0.0.0/8 ldap "ldap://ldap.example.com/basedn;cn=;,dc=example,dc=com" from the document.
Thanks,
Sang
Example authentications are available here:
https://my.vertica.com/docs/6.1.x/HTML/index.htm#11050.htm
Thanks,
Rory
Please don't link the document and modify the example with my db servers. The document you link makes me more confused.
Thanks,
Sang
It is up to you how you want to set up your environment. From the example in the documentation, yours would be (using dbadmin as a username in the example):
ClientAuthentication = host dbadmin <IP address of the host1>/32 reject
ClientAuthentication = host dbadmin <IP address of another host2>/32 trust
ClientAuthentication = host dbadmin <IP address of third host3>/32 trust
ClientAuthentication = host all 0.0.0.0/0 password
ClientAuthentication = local all password
The first two records apply only to the user dbadmin. If dbadmin attempts to connect from <IP address of the host1>, the first record is used to authenticate the user, which rejects the connection attempt. If dbadmin attempts to connect from <IP address of the host2>, the user is allowed to connect automatically. If dbadmin attempts to log in from any other remote system, the third record matches, and the user must enter a password. Finally, if the user attempts to connect locally from a node in the cluster, the fourth record applies, and the user again has to enter a password to authenticate. For all other users, the third and fourth records are used to authenticate them using password authentication. The first two records are ignored, since their user name doesn't match the name in the record.
The ordering of the records is important. If the order of the records were reversed, so that the wildcard rule was first, the rules that are specific to dbadmin would never be used. The wildcard or local rule would always match, and HP Vertica would use the password authentication, no matter where dbadmin connected from.
We see that you're a Vertica customer. If you need further assistance with the setup, we suggest you open a case with Technical Support and we'll be happy to assist you.
Thanks,
Rory
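The first-match ordering discussed in this thread can be checked before a restart with a small model of the record list. This is an added example, not Vertica code and not from the original posts: the 192.0.2.x addresses stand in for host1 to host3, the functions `parse`, `first_match` and `shadowed` are hypothetical, and positions count the five records exactly as listed above.

```python
import ipaddress

# Constructed sample: the five records from the post, with placeholder
# documentation-range addresses substituted for host1..host3.
RECORDS = [
    "host dbadmin 192.0.2.11/32 reject",
    "host dbadmin 192.0.2.12/32 trust",
    "host dbadmin 192.0.2.13/32 trust",
    "host all 0.0.0.0/0 password",
    "local all password",
]

def parse(record):
    """Split 'host <user> <cidr> <method>' or 'local <user> <method>'."""
    fields = record.split()
    if fields[0] == "local" and len(fields) == 3:
        return ("local", fields[1], None, fields[2])
    if fields[0] == "host" and len(fields) == 4:
        return ("host", fields[1], ipaddress.ip_network(fields[2]), fields[3])
    raise ValueError(f"unrecognised record: {record!r}")

def first_match(records, user, source=None):
    """Return (position, method) of the first matching record.

    source is the client IP as a string, or None for a local connection.
    Simplified model of the first-match rule described in the post.
    """
    for pos, rec in enumerate(records, start=1):
        kind, rec_user, net, method = parse(rec)
        if rec_user not in ("all", user):
            continue
        if source is None:
            if kind == "local":
                return pos, method
        elif kind == "host" and ipaddress.ip_address(source) in net:
            return pos, method
    return None, None  # nothing matched; server behaviour is outside this model

def shadowed(records):
    """Positions of host records placed below a catch-all
    'host all 0.0.0.0/0' record, where they can never be reached."""
    seen_catch_all, hits = False, []
    for pos, rec in enumerate(records, start=1):
        kind, rec_user, net, _ = parse(rec)
        if kind != "host":
            continue
        if seen_catch_all:
            hits.append(pos)
        elif rec_user == "all" and net.prefixlen == 0:
            seen_catch_all = True
    return hits
```

Running `shadowed()` over a proposed list flags a `reject` or `trust` record that has been placed after the wildcard and would silently fall back to password authentication.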