LDAP Authentication by using OPENLDAP
Learn how to configure SSL or TLS for LDAP authentication by using OPENLDAP.
For Netezza Performance Server 11.1.0.1 and lower
- Add the OPENLDAP users to Netezza Performance Server.
Define the password according to your password policy.create user <user> password <password>
Example:nzsql -c "create user oldap_user1 password 'password';"
- Set the authentication type.
SET AUTHENTICATION LDAP
- Set authentication to OPENLDAP with the SSL OFF
- Run the
command.
Where cn refers to the Common Name and dc to the Domain component.nzsql -c " SET AUTHENTICATION LDAP BASE 'dc=example,dc=com' NAMECASE lowercase SERVER 'OPENLDAP_SERVER_FQDN_OR_IP' SSL 'OFF' BINDPW Netezzapwd BINDDN 'cn=oldap_admin_user1,cn=Users,dc=example,dc=com'; "
- As the
root
user, update the /etc/sssd/sssd.conf file on the Netezza Performance Server host.You might have to manually change the lines in bold if they are not already set.[domain/external_ldap] ldap_tls_reqcert = never ldap_id_use_start_tls = False ldap_schema = rfc2307 #ignore_group_members = auth_provider = ldap id_provider = ldap ldap_rfc2307_fallback_to_local_users = True ldap_referrals = False ldap_id_mapping = False override_homedir = /home/%u ldap_network_timeout = 3 ldap_opt_timeout = 60 cache_credentials = True ldap_user_search_base = dc=example,dc=com entry_cache_group_timeout = 0 entry_cache_user_timeout = 0 ldap_search_timeout = 30 entry_cache_timeout = 600 ldap_default_bind_dn = cn=oldap_user1,cn=Users,dc=example,dc=com ldap_uri = ldap://<OPENLDAP_SERVER_FQDN_OR_IP>:389 #debug_level = 10 case_sensitive = False ldap_default_authtok_type = obfuscated_password ldap_default_authtok = AAAQANEC2d5xigH0d4w9phf5F9zD4PvXWvxwz61LYsoQq5BM/M7WslokdqbS6CnOyTzGp4XmzCC7owRfYq8sALPYypoAAQID [sssd] services = nss, ifp, sudo, ssh, pam domains = external_ldap [nss] memcache_timeout = 600 homedir_substring = /home [pam] #debug_level = 10 [sudo] [autofs] [ssh] [pac] [ifp]
- As the
root
user, restart thesssd
service.systemctl restart sssd
- Run the
command.
- Set authentication to OPENLDAP with the SSL ONA certificate is issued to the OPENLDAP server by a trusted CA. Obtain the CA certificate file and save it on a location on the Netezza Performance Server system. For the Netezza Performance Server high availability (HA) systems, save the file in a location on the shared drive, such as a new directory under /nz. Both of the Netezza Performance Server nodes must be able to access the certificate file by using the same path name. Typically, the CA certificate has the pem. extension.
- Run the
command.
nzsql -c " SET AUTHENTICATION LDAP BASE 'dc=example,dc=com' NAMECASE lowercase SERVER 'OPENLDAP_SERVER_FQDN_OR_IP' SSL 'ON' BINDPW Netezzapwd BINDDN 'cn=oldap_admin_user1,cn=Users,dc=example,dc=com'; "
- As the
root
user, update the /etc/sssd/sssd.conf file on the Netezza Performance Server host manually.You might have to manually change the lines in bold if they are not already set.
- To connect to the OPENLDAP server over SSL, use this
configuration.
===========================/etc/sssd/sssd.conf============================= [domain/external_ldap] ldap_tls_reqcert = demand ldap_id_use_start_tls = False ldap_tls_cacert = /nz/caCert/ca_cert.pem ldap_schema = rfc2307 #ignore_group_members = auth_provider = ldap id_provider = ldap ldap_rfc2307_fallback_to_local_users = True ldap_referrals = False ldap_id_mapping = False override_homedir = /home/%u ldap_network_timeout = 3 ldap_opt_timeout = 60 cache_credentials = True ldap_user_search_base = dc=example,dc=com entry_cache_group_timeout = 0 entry_cache_user_timeout = 0 ldap_search_timeout = 30 entry_cache_timeout = 600 ldap_default_bind_dn = cn=oldap_user1,cn=Users,dc=example,dc=com ldap_uri = ldaps://< OPENLDAP_SERVER_FQDN_OR_IP >:636 #debug_level = 10 case_sensitive = False ldap_default_authtok_type = obfuscated_password ldap_default_authtok = AAAQAEPSvINy7WB7Y5ULLHAgp9PNt9Ivdd5KZlp7DDzN7a+5wpRrq8dBoA4RonugOBXhxMA44TglOom7u4cqMBpFeoAAAQID [sssd] services = nss, ifp, sudo, ssh, pam domains = external_ldap [nss] memcache_timeout = 600 homedir_substring = /home [pam] #debug_level = 10 [sudo] [autofs] [ssh] [pac] [ifp] [secrets]
- To connect to the OPENLDAP server over TLS, use this
configuration.
===========================/etc/sssd/sssd.conf============================= [domain/external_ldap] ldap_tls_reqcert = demand ldap_id_use_start_tls = True ldap_tls_cacert = /nz/caCert/ca_cert.pem ldap_schema = rfc2307 #ignore_group_members = auth_provider = ldap id_provider = ldap ldap_rfc2307_fallback_to_local_users = True ldap_referrals = False ldap_id_mapping = False override_homedir = /home/%u ldap_network_timeout = 3 ldap_opt_timeout = 60 cache_credentials = True ldap_user_search_base = dc=example,dc=com entry_cache_group_timeout = 0 entry_cache_user_timeout = 0 ldap_search_timeout = 30 entry_cache_timeout = 600 ldap_default_bind_dn = cn=oldap_user1,cn=Users,dc=example,dc=com ldap_uri = ldap://< OPENLDAP_SERVER_FQDN_OR_IP>:389 #debug_level = 10 case_sensitive = False ldap_default_authtok_type = obfuscated_password ldap_default_authtok = AAAQAEPSvINy7WB7Y5ULLHAgp9PNt9Ivdd5KZlp7DDzN7a+5wpRrq8dBoA4RonugOBXhxMA44TglOom7u4cqMBpFeoAAAQID [sssd] services = nss, ifp, sudo, ssh, pam domains = external_ldap [nss] memcache_timeout = 600 homedir_substring = /home [pam] #debug_level = 10 [sudo] [autofs] [ssh] [pac] [ifp] [secrets]
Note: 1. For the ldap_tls_cacert attribute of sssd.conf, mention the CA certificate file name with the correct directory location.2. The OPENLDAP server that is mentioned in the SET AUTHENTICATION command must match with the hostname in the LDAP server certificate file.
- To connect to the OPENLDAP server over SSL, use this
configuration.
- As the
root
user, restart thesssd
service:systemctl restart sssd
- Run the
command.
- Set authentication to OPENLDAP with the SSL OFF
For Netezza Performance Server 11.1.0.2 and higher
- Add the OPENLDAP user to Netezza Performance Server.
Define the password according to your password policy.create user <user> password <password>
Example:create user <user> password <password>
- Set the authentication type.
- Set authentication to OPENLDAP with the SSL/TLS OFF
- Run the
command.
cn is thenzsql -c " SET AUTHENTICATION LDAP BASE 'dc=example,dc=com' NAMECASE lowercase SERVER 'OPENLDAP_SERVER_FQDN_OR_IP' SSL 'OFF' BINDPW Netezzapwd BINDDN 'cn=oldap_admin_user1,cn=Users,dc=example,dc=com'; "
Common Name
.dc is the
Domain component
. - Now the
sssd.conf
file looks as the following example.[domain/external_ldap] ###The below common parameters and values should not be changed ldap_default_authtok_type = obfuscated_password ldap_schema = rfc2307 #ldap_group_name = #ldap_user_name = ignore_group_members = False auth_provider = ldap ldap_rfc2307_fallback_to_local_users = True ldap_referrals = False override_homedir = /home/%u ldap_network_timeout = 3 ldap_opt_timeout = 60 cache_credentials = True entry_cache_group_timeout = 0 entry_cache_user_timeout = 0 ldap_search_timeout = 30 id_provider = ldap entry_cache_timeout = 600 case_sensitive = False ldap_id_mapping = False #ldap_group_attribute = #debug_level = 10 ###Supplied from Input ldap_uri = ldap://OPENLDAP_SERVER_FQDN_OR_IP:389 ldap_user_search_base = dc=example,dc=com ldap_default_bind_dn = cn=oldap_admin_user1,cn=Users,dc=example,dc=com ldap_tls_reqcert = never #ldap_id_use_start_tls = #ldap_tls_cacert = ldap_default_authtok = AAAQAHyh0uE+spiukG6zQ89FjCZdgIqHaYvqz5ToDPwbIxy2/whEzpa0+OTycf5q4Ivni+cHJ1EMkRarmGo9Wwna5voAAQID [sssd] services = nss, ifp, sudo, ssh, pam domains = external_ldap [nss] memcache_timeout = 600 homedir_substring = /home [pam] #debug_level = 10 [sudo] [autofs] [ssh] [pac] [ifp] [secrets]
- Run the
command.
- Set authentication to OPENLDAP with the SSL ON
A certificate must be issued to the OPENLDAP server by a trusted CA. Obtain the CA certificate file and save it on a location on the Netezza Performance Server system. For the Netezza Performance Server high availability (HA) systems, save the file in a location on the shared drive, such as a new directory under /nz. Both Netezza Performance Server nodes must be able to access the certificate file by using the same path name. Typically, the CA certificate has the
.pem
extension.- Run the
command.
nzsql -c " SET AUTHENTICATION LDAP BASE 'dc=example,dc=com' NAMECASE lowercase SERVER 'OPENLDAP_SERVER_FQDN_OR_IP' SSL 'ON' BINDPW Netezzapwd BINDDN 'cn=oldap_admin_user1,cn=Users,dc=example,dc=com' CACERT '/nz/caCert/ca_cert.pem'; "
- Run the
command.
- Set authentication to OPENLDAP with the SSL/TLS OFF