LDAP authentication

The LDAP authentication method differs from the local authentication method in that Netezza uses the user name and password that are stored on the LDAP server to authenticate the user.

Following successful LDAP authentication, the Netezza Performance Server system also confirms that the user account is defined on the Netezza Performance Server system. The LDAP administrator is responsible for adding and managing the user accounts and passwords and deactivating accounts on the LDAP server.

The Netezza Performance Server administrator must ensure that each Netezza Performance Server user is also defined within the Netezza Performance Server system catalog. The Netezza Performance Server user names must match the user names that are defined in the LDAP server. If the user names do not match, the Netezza Performance Server administrator should use the ALTER USER command to change the user name to match the LDAP user name, or contact the LDAP administrator to change the LDAP user name.

Keep in mind the following characteristics of LDAP authentication:
  • After the LDAP authentication process completes successfully, the Netezza Performance Server system looks up the user in the system catalog. The system displays an error message if it does not find the user, and it terminates the session.
  • If authentication fails, you see the message LDAP authentication failed. The system notes the reason for the failure in the /nz/kit/log/postgres/pg.log file.
  • Netezza Performance Server users should not notice any difference between LDAP and local authentication.
  • When you CREATE or ALTER a user account, a password is not required if you use LDAP authentication. (Local authentication continues to require a password for user accounts.)
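The name-matching requirement above can be checked before LDAP authentication is enabled. The following is an added example, not IBM's code: it compares a list of LDAP user names with a list of system catalog user names and reports which accounts would fail the catalog lookup. The function name reconcile, the sample names, and the exact case-sensitive comparison are assumptions.

```python
# Added example: reconcile LDAP account names against catalog user names.
# Inputs are plain lists of names; how they are exported is left to the admin.
# Assumption: names must match exactly, including letter case.

def reconcile(ldap_names, catalog_names):
    """Classify names by whether LDAP and the system catalog agree on them."""
    # Drop blank entries and stray whitespace left over from exports.
    ldap = {n.strip() for n in ldap_names if n.strip()}
    catalog = {n.strip() for n in catalog_names if n.strip()}

    matched = ldap & catalog
    ldap_only = ldap - catalog      # would authenticate, then fail catalog lookup
    catalog_only = catalog - ldap   # defined locally, no LDAP entry to check

    # Names that differ only in letter case are likely the same person:
    # candidates for ALTER USER or for a rename on the LDAP side.
    by_folded = {}
    for name in catalog_only:
        by_folded.setdefault(name.casefold(), []).append(name)
    case_mismatch = []
    for name in sorted(ldap_only):
        for cat_name in sorted(by_folded.get(name.casefold(), [])):
            case_mismatch.append((name, cat_name))

    near_ldap = {l for l, _ in case_mismatch}
    near_cat = {c for _, c in case_mismatch}
    return {
        "matched": sorted(matched),
        "case_mismatch": case_mismatch,
        "ldap_only": sorted(ldap_only - near_ldap),
        "catalog_only": sorted(catalog_only - near_cat),
    }

# Constructed sample data, not taken from any real system.
LDAP_SAMPLE = ["asmith", "bjones", "cwu", " dlee "]
CATALOG_SAMPLE = ["ASMITH", "bjones", "dlee", "etl_batch"]

if __name__ == "__main__":
    for category, names in reconcile(LDAP_SAMPLE, CATALOG_SAMPLE).items():
        print(f"{category}: {names}")
```

Entries under catalog_only are worth reviewing when accounts have been deactivated on the LDAP server, because the catalog definition remains until the Netezza Performance Server administrator removes it.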

To use LDAP authentication, you use the SET AUTHENTICATION command to select LDAP authentication and specify the necessary configuration parameters. The command requires some information about the LDAP server, such as server name or IP address and some LDAP server configuration settings. The SET AUTHENTICATION command is described in detail in SET AUTHENTICATION.

Certified scenarios

  • OpenLDAP - with SSL OFF
  • OpenLDAP - with SSL ON and without CA certificate
  • OpenLDAP - with SSL ON and with CA certificate
  • Windows AD server - failover
  • Windows AD 2016 - with SSL OFF
  • Windows AD 2016 - with SSL ON, without CA certificate
  • Windows AD 2016 - with SSL ON, with CA certificate
Note: LDAP is certified with Windows Active Directory 2007, but Windows 2007 has already reached its end of life (EOL).