LDAP LINK AUTHENTICATION — Vertica Forum

SathyaSathya Vertica Customer

The LDAP search worked fine
ldapsearch -h vertica.com -D 'CN=Sathya S,CN=Users,DC=test,DC=mapshc,DC=com' -w 'xxxxxxxx' -b 'CN=users,dc=test,dc=mapshc,dc=com' '(&(objectClass=user)(cn=*)(memberof=CN=Verticadba,CN=users,dc=test,dc=mapshc,dc=com))' samaccountname

# extended LDIF
#
# LDAPv3
# base <CN=users,dc=test,dc=mapshc,dc=com> with scope subtree
# filter: (&(objectClass=user)(cn=*)(memberof=CN=Verticadba,CN=users,dc=test,dc=mapshc,dc=com))
# requesting: samaccountname
#

# Sathya S, Users, test.mapshc.com
dn: CN=Sathya S,CN=Users,DC=test,DC=mapshc,DC=com
sAMAccountName: sathyas

# Nagavelan K, Users, test.mapshc.com
dn: CN=Nagavelan K,CN=Users,DC=test,DC=mapshc,DC=com
sAMAccountName: nagavelank

# search result
search: 2
result: 0 Success

ALTER DATABASE db_name SET PARAMETER
LDAPLinkDryRun=1,
LDAPLinkURL='ldap://vertica.com',
LDAPLinkSearchBase='CN=Users,DC=test,DC=mapshc,DC=com',
LDAPLinkBindDN='CN=Sathya S,CN=users,dc=test,dc=mapshc,dc=com',
LDAPLinkBindPswd='xxxxxx',
LDAPLinkFilterGroup='(objectClass=group)',
LDAPLinkFilterUser='(objectClass=user)',
LDAPLinkGroupName='CN=VerticaDBA',
LDAPLinkGroupMembers='member',
LDAPLinkUserName='sAMAccountName',
LDAPLinkOn=1;
SELECT LDAP_LINK_SYNC_START();

This worked fine too
SELECT transaction_id, event_type, entry_name, entry_oid FROM ldap_link_events;
  transaction_id   | event_type            | entry_name | entry_oid
-------------------+-----------------------+------------+-----------
 45035996317957893 | SYNC_STARTED          | ---------- |         0
 45035996317957893 | SYNC_FINISHED         |            |         0
 45035996317957893 | SYNC_DRY_RUN_FINISHED | ********** |         0

But the username/group doesn't get replicated in Vertica; not sure why? Any ideas?

Answers

  • SruthiASruthiA Administrator

    Upon quick review, it looks like there is an issue with LDAPLinkBindDN; please don't include CN=Sathya. Try setting LDAPLinkSearchBase to DC=mapshc,DC=com and try running the LDAP dry run search mentioned in the link below. Once it is done, query LDAP_LINK_DRYRUN_EVENTS to see if you can find the group and the corresponding user in the SQL output.

    https://www.vertica.com/docs/9.3.x/HTML/Content/Authoring/SQLReferenceManual/Functions/VerticaFunctions/LDAP_LINK_DRYRUN_SEARCH.htm

    Please review the best practices link below, which has detailed info on setting up LDAP:

    https://www.vertica.com/kb/LDAP-Authentication-Best-Practices/Content/BestPractices/LDAP-Authentication-Best-Practices.htm

  • SathyaSathya Vertica Customer

    Hi, thanks for the reply. I will check, but I forgot to mention that I use Vertica 9.2 and not Vertica 9.3. In fact, I followed the best practices document mentioned by you. I made the changes for LDAPLinkSearchBase and LDAPLinkBindDN:
    ALTER DATABASE medicaid SET PARAMETER
    LDAPLinkURL='ldap://mapststdmc01.test.mapshc.com',
    LDAPLinkSearchBase='DC=mapshc,DC=com',
    LDAPLinkBindDN='CN=users,dc=test,dc=mapshc,dc=com',
    LDAPLinkBindPswd='Password2020',
    LDAPLinkFilterGroup='(objectClass=group)',
    LDAPLinkFilterUser='(objectClass=user)',
    LDAPLinkGroupName='CN=VerticaDBA',
    LDAPLinkGroupMembers='member',
    LDAPLinkUserName='sAMAccountName',
    LDAPLinkOn=1;
    SELECT LDAP_LINK_SYNC_START();
    It ran successfully, but the users/group still don't get synchronised.

  • SruthiASruthiA Administrator

    Can you try modifying a few LDAP parameters as follows and run the sync?

    LDAPLinkGroupName='sAMAccountName',
    LDAPLinkFilterGroup='(&(objectClass=group)(cn=Verticadba))',
    LDAPLinkFilterUser='(&(objectClass=user)(cn=*)(memberof=CN=Verticadba,CN=users,dc=test,dc=mapshc,dc=com))',
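
The suggested change above swaps LDAPLinkGroupName from a DN fragment to an attribute name and narrows both filters. The script below is an added example for this thread, not Vertica's code and not connected to any directory: it evaluates the LDAPLink* filter and attribute parameters from the posts against a small constructed in-memory directory with the same DNs, and reports which roles and users a sync could create under each configuration. It assumes a simplified model of the sync (the group-name and user-name parameters are looked up as attributes, membership is read from the attribute named by LDAPLinkGroupMembers, and the search base is applied as a DN suffix); the filter parser handles the and/or/not, equality and presence forms used here and nothing more.

```python
# Added example: offline model of an LDAP Link style group-to-role sync.
# Not Vertica's code; assumes the simplified semantics described in the
# lead-in. The directory below is constructed test data, not real accounts.


def parse_filter(text):
    """Parse an RFC 4515 style filter into nested tuples.

    Handles (&...), (|...), (!...), (attr=value) and the presence test
    (attr=*). Values are split at the first '=' so DN-valued assertions such
    as memberOf=CN=...,DC=... work. Substring/extensible matches: unsupported.
    """
    s = text.strip()

    def parse(i):
        if s[i] != "(":
            raise ValueError(f"expected '(' at {i} in {s!r}")
        i += 1
        if s[i] in "&|":
            op, i, kids = s[i], i + 1, []
            while s[i] == "(":
                node, i = parse(i)
                kids.append(node)
            if s[i] != ")":
                raise ValueError(f"unterminated {op} at {i}")
            return (op, kids), i + 1
        if s[i] == "!":
            node, i = parse(i + 1)
            if s[i] != ")":
                raise ValueError(f"unterminated ! at {i}")
            return ("!", [node]), i + 1
        close = s.index(")", i)
        attr, _, value = s[i:close].partition("=")
        return ("=", attr.strip().lower(), value), close + 1

    node, end = parse(0)
    if end != len(s):
        raise ValueError(f"trailing characters in filter {s!r}")
    return node


def attr_values(entry, attr):
    """Case-insensitive attribute lookup (AD style); always returns a list."""
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return list(vals) if isinstance(vals, (list, tuple)) else [vals]
    return []


def matches(node, entry):
    """Evaluate a parsed filter; values compare case-insensitively."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = attr_values(entry, attr)
    if value == "*":
        return bool(values)
    return value.lower() in [v.lower() for v in values]


def dn_norm(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def under_base(dn, base):
    d, b = dn_norm(dn), dn_norm(base)
    return d == b or d.endswith("," + b)


def simulate_ldap_link(directory, cfg):
    """Return (users, roles): user names matching LDAPLinkFilterUser, and
    {group name: member user names} for groups matching LDAPLinkFilterGroup."""
    base = cfg["LDAPLinkSearchBase"]
    group_filter = parse_filter(cfg["LDAPLinkFilterGroup"])
    user_filter = parse_filter(cfg["LDAPLinkFilterUser"])
    by_dn = {dn_norm(e["dn"]): e for e in directory}
    in_scope = [e for e in directory if under_base(e["dn"], base)]
    users = sorted(name for e in in_scope if matches(user_filter, e)
                   for name in attr_values(e, cfg["LDAPLinkUserName"]))
    roles = {}
    for group in in_scope:
        if not matches(group_filter, group):
            continue
        # LDAPLinkGroupName is an attribute *name*. A value like 'CN=VerticaDBA'
        # is looked up as an attribute, finds nothing, and the group is skipped
        # without error, so the sync finishes "clean" yet creates nothing.
        names = attr_values(group, cfg["LDAPLinkGroupName"])
        if not names:
            continue
        members = []
        for member_dn in attr_values(group, cfg["LDAPLinkGroupMembers"]):
            m = by_dn.get(dn_norm(member_dn))
            if m and under_base(m["dn"], base) and matches(user_filter, m):
                members.extend(attr_values(m, cfg["LDAPLinkUserName"]))
        roles[names[0]] = sorted(members)
    return users, roles


# Constructed directory mirroring the DNs in the thread (test data only).
GROUP_DN = "CN=Verticadba,CN=Users,DC=test,DC=mapshc,DC=com"
USER_CLASSES = ["top", "person", "user"]
DIRECTORY = [
    {"dn": "CN=Sathya S,CN=Users,DC=test,DC=mapshc,DC=com", "cn": "Sathya S",
     "objectClass": USER_CLASSES, "sAMAccountName": "sathyas", "memberOf": [GROUP_DN]},
    {"dn": "CN=Nagavelan K,CN=Users,DC=test,DC=mapshc,DC=com", "cn": "Nagavelan K",
     "objectClass": USER_CLASSES, "sAMAccountName": "nagavelank", "memberOf": [GROUP_DN]},
    {"dn": "CN=Other U,CN=Users,DC=test,DC=mapshc,DC=com", "cn": "Other U",
     "objectClass": USER_CLASSES, "sAMAccountName": "otheru", "memberOf": []},
    {"dn": GROUP_DN, "cn": "Verticadba", "objectClass": ["top", "group"],
     "sAMAccountName": "Verticadba",
     "member": ["CN=Sathya S,CN=Users,DC=test,DC=mapshc,DC=com",
                "CN=Nagavelan K,CN=Users,DC=test,DC=mapshc,DC=com"]},
]

# The first post's filter/name parameters, and the suggested changes applied.
FIRST_ATTEMPT = {
    "LDAPLinkSearchBase": "CN=Users,DC=test,DC=mapshc,DC=com",
    "LDAPLinkFilterGroup": "(objectClass=group)",
    "LDAPLinkFilterUser": "(objectClass=user)",
    "LDAPLinkGroupName": "CN=VerticaDBA",
    "LDAPLinkGroupMembers": "member",
    "LDAPLinkUserName": "sAMAccountName",
}
SUGGESTED = dict(
    FIRST_ATTEMPT,
    LDAPLinkFilterGroup="(&(objectClass=group)(cn=Verticadba))",
    LDAPLinkFilterUser="(&(objectClass=user)(cn=*)(memberof=CN=Verticadba,"
                       "CN=users,dc=test,dc=mapshc,dc=com))",
    LDAPLinkGroupName="sAMAccountName",
)

if __name__ == "__main__":
    for label, cfg in (("first attempt", FIRST_ATTEMPT), ("suggested", SUGGESTED)):
        users, roles = simulate_ldap_link(DIRECTORY, cfg)
        print(f"{label}: users={users} roles={roles}")
```

Run as written, the first configuration yields three users and no roles (the group is found but has no attribute named CN=VerticaDBA), while the suggested one yields the Verticadba role with exactly its two members; the memberof clause in the user filter is what keeps unrelated accounts such as otheru out of the database, which is the least-privilege outcome to aim for. Two things this model deliberately leaves out: it does not bind, whereas a real sync first authenticates as LDAPLinkBindDN, which has to be the DN of an entry that holds a password (a dedicated read-only service account is the usual choice), and it treats the search base as a plain DN suffix, whereas a directory server only answers searches whose base lies in a naming context it actually hosts and otherwise returns an error rather than an empty result. Comparing the dry-run events table against this script's output for the same parameters is a quick way to tell a filter mistake from a connectivity or bind problem.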

  • SathyaSathya Vertica Customer

    Hi, I tried the option but it did not work.
    Also, one more observation was that if I don't use CN=Sathya S in LDAPLinkBindDN then the sync doesn't run (neither does it throw any error), and if I set LDAPLinkSearchBase to only DC=mapshc,DC=com then the sync fails and the failure is recorded in the table ldap_link_events.
    ALTER DATABASE medicaid SET PARAMETER
    LDAPLinkURL='ldap://mapststdmc01.test.mapshc.com',
    LDAPLinkSearchBase='CN=users,DC=test,DC=mapshc,DC=com',
    LDAPLinkBindDN='CN=Sathya S,CN=users,dc=test,dc=mapshc,dc=com',
    LDAPLinkBindPswd='Password2020',
    LDAPLinkFilterGroup='(&(objectClass=group)(cn=Verticadba))',
    LDAPLinkFilterUser='(&(objectClass=user)(cn=*)(memberof=CN=Verticadba,CN=users,dc=test,dc=mapshc,dc=com))',
    LDAPLinkGroupName='sAMAccountName',
    LDAPLinkGroupMembers='member',
    LDAPLinkUserName='sAMAccountName',
    LDAPLinkOn=1;
    SELECT LDAP_LINK_SYNC_START();

  • SruthiASruthiA Administrator

    Could you please open a support case? It looks like it requires reviewing the logs.
