LDAP Authentication by using OPENLDAP

Learn how to configure SSL or TLS for LDAP authentication by using OPENLDAP.

For Netezza Performance Server 11.1.0.1 and lower

  1. Add the OPENLDAP users to Netezza Performance Server.
    create user <user> password <password>
    Define the password according to your password policy.
    Example:
    nzsql -c "create user oldap_user1 password 'password';"
  2. Set the authentication type.
    SET AUTHENTICATION LDAP
    • Set authentication to OPENLDAP with SSL OFF
      1. Run the command.
        nzsql -c " SET AUTHENTICATION LDAP BASE 'dc=example,dc=com' NAMECASE lowercase SERVER 'OPENLDAP_SERVER_FQDN_OR_IP' SSL 'OFF' BINDPW Netezzapwd BINDDN 'cn=oldap_admin_user1,cn=Users,dc=example,dc=com'; "
        Where cn refers to the Common Name and dc to the Domain component.
      2. As the root user, update the /etc/sssd/sssd.conf file on the Netezza Performance Server host.
        You might have to manually change the lines in bold if they are not already set.
        [domain/external_ldap]
        
        ldap_tls_reqcert = never
        ldap_id_use_start_tls = False
        ldap_schema = rfc2307
        #ignore_group_members = 
        auth_provider = ldap
        id_provider = ldap
        ldap_rfc2307_fallback_to_local_users = True
        ldap_referrals = False
        ldap_id_mapping = False
        override_homedir = /home/%u
        ldap_network_timeout = 3
        ldap_opt_timeout = 60
        cache_credentials = True
        ldap_user_search_base = dc=example,dc=com
        entry_cache_group_timeout = 0
        entry_cache_user_timeout = 0
        ldap_search_timeout = 30
        entry_cache_timeout = 600
        ldap_default_bind_dn = cn=oldap_user1,cn=Users,dc=example,dc=com
        ldap_uri = ldap://<OPENLDAP_SERVER_FQDN_OR_IP>:389
        #debug_level = 10
        case_sensitive = False
        
        ldap_default_authtok_type = obfuscated_password
        ldap_default_authtok = AAAQANEC2d5xigH0d4w9phf5F9zD4PvXWvxwz61LYsoQq5BM/M7WslokdqbS6CnOyTzGp4XmzCC7owRfYq8sALPYypoAAQID
        [sssd]
        services = nss, ifp, sudo, ssh, pam
        domains = external_ldap
        
        [nss]
        memcache_timeout = 600
        homedir_substring = /home
        
        [pam]
        #debug_level = 10
        
        [sudo]
        [autofs]
        [ssh]
        [pac]
        [ifp]
        
      3. As the root user, restart the sssd service.
        systemctl restart sssd
    • Set authentication to OPENLDAP with SSL ON
      A certificate is issued to the OPENLDAP server by a trusted CA. Obtain the CA certificate file and save it in a location on the Netezza Performance Server system. For the Netezza Performance Server high availability (HA) systems, save the file in a location on the shared drive, such as a new directory under /nz. Both of the Netezza Performance Server nodes must be able to access the certificate file by using the same path name. Typically, the CA certificate has the .pem extension.
      1. Run the command.
        nzsql -c " SET AUTHENTICATION LDAP BASE 'dc=example,dc=com' NAMECASE lowercase SERVER 'OPENLDAP_SERVER_FQDN_OR_IP' SSL 'ON' BINDPW Netezzapwd BINDDN 'cn=oldap_admin_user1,cn=Users,dc=example,dc=com'; "
      2. As the root user, update the /etc/sssd/sssd.conf file on the Netezza Performance Server host manually.

        You might have to manually change the lines in bold if they are not already set.

        1. To connect to the OPENLDAP server over SSL, use this configuration.
          ===========================/etc/sssd/sssd.conf=============================
          [domain/external_ldap]
          
          ldap_tls_reqcert = demand
          ldap_id_use_start_tls = False
          ldap_tls_cacert = /nz/caCert/ca_cert.pem
          ldap_schema = rfc2307 
          #ignore_group_members = 
          auth_provider = ldap
          id_provider = ldap
          ldap_rfc2307_fallback_to_local_users = True
          ldap_referrals = False
          ldap_id_mapping = False
          override_homedir = /home/%u
          ldap_network_timeout = 3
          ldap_opt_timeout = 60
          cache_credentials = True
          ldap_user_search_base = dc=example,dc=com
          entry_cache_group_timeout = 0
          entry_cache_user_timeout = 0
          ldap_search_timeout = 30
          entry_cache_timeout = 600
          ldap_default_bind_dn = cn=oldap_user1,cn=Users,dc=example,dc=com
          ldap_uri = ldaps://<OPENLDAP_SERVER_FQDN_OR_IP>:636
          #debug_level = 10
          case_sensitive = False
          
          ldap_default_authtok_type = obfuscated_password
          ldap_default_authtok = AAAQAEPSvINy7WB7Y5ULLHAgp9PNt9Ivdd5KZlp7DDzN7a+5wpRrq8dBoA4RonugOBXhxMA44TglOom7u4cqMBpFeoAAAQID
          [sssd]
          services = nss, ifp, sudo, ssh, pam
          domains = external_ldap
          
          [nss]
          memcache_timeout = 600
          homedir_substring = /home
          
          [pam]
          #debug_level = 10
          
          [sudo]
          [autofs]
          [ssh]
          [pac]
          [ifp]
          [secrets]
          
        2. To connect to the OPENLDAP server over TLS, use this configuration.
          ===========================/etc/sssd/sssd.conf=============================
          [domain/external_ldap]
          
          ldap_tls_reqcert = demand
          ldap_id_use_start_tls = True
          ldap_tls_cacert = /nz/caCert/ca_cert.pem
          ldap_schema = rfc2307
          #ignore_group_members = 
          auth_provider = ldap
          id_provider = ldap
          ldap_rfc2307_fallback_to_local_users = True
          ldap_referrals = False
          ldap_id_mapping = False
          override_homedir = /home/%u
          ldap_network_timeout = 3
          ldap_opt_timeout = 60
          cache_credentials = True
          ldap_user_search_base = dc=example,dc=com
          entry_cache_group_timeout = 0
          entry_cache_user_timeout = 0
          ldap_search_timeout = 30
          entry_cache_timeout = 600
          ldap_default_bind_dn = cn=oldap_user1,cn=Users,dc=example,dc=com
          ldap_uri = ldap://<OPENLDAP_SERVER_FQDN_OR_IP>:389
          #debug_level = 10
          case_sensitive = False
          
          ldap_default_authtok_type = obfuscated_password
          ldap_default_authtok = AAAQAEPSvINy7WB7Y5ULLHAgp9PNt9Ivdd5KZlp7DDzN7a+5wpRrq8dBoA4RonugOBXhxMA44TglOom7u4cqMBpFeoAAAQID
          [sssd]
          services = nss, ifp, sudo, ssh, pam
          domains = external_ldap
          
          [nss]
          memcache_timeout = 600
          homedir_substring = /home
          
          [pam]
          #debug_level = 10
          
          [sudo]
          [autofs]
          [ssh]
          [pac]
          [ifp]
          [secrets]
          
        Note:
          1. For the ldap_tls_cacert attribute in sssd.conf, specify the CA certificate file name with its correct directory location.
          2. The OPENLDAP server that is specified in the SET AUTHENTICATION command must match the hostname in the LDAP server certificate file.

      3. As the root user, restart the sssd service:
        systemctl restart sssd
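
The three [domain/external_ldap] variants above differ only in ldap_uri, ldap_id_use_start_tls, ldap_tls_reqcert and ldap_tls_cacert. The following Python check is an added example, not part of the original page or of Netezza or SSSD tooling: it reads sssd.conf text and reports which transport each domain section ends up with and whether the server certificate is enforced. The function name, the reduced template and the host ldap.example.com are constructed for the illustration.

```python
import configparser

STRICT = {"demand", "hard"}  # ldap_tls_reqcert values that reject an unverifiable server certificate

def audit_sssd_ldap(conf_text):
    """Return {domain section: {"transport", "verified", "findings"}} for sssd.conf text."""
    # interpolation=None keeps values such as /home/%u literal instead of raising on '%'
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue  # [sssd], [nss], [pam] and the other service sections carry no LDAP transport settings
        opts = cp[section]
        scheme = opts.get("ldap_uri", "").split("://")[0].strip().lower()
        start_tls = opts.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        reqcert = opts.get("ldap_tls_reqcert", "hard").strip().lower()  # sssd-ldap default is hard
        transport = ("ldaps" if scheme == "ldaps"
                     else "starttls" if scheme == "ldap" and start_tls else "cleartext")
        findings = []
        if transport == "cleartext":
            findings.append("ldap:// without StartTLS: directory traffic is not encrypted")
        else:
            if reqcert not in STRICT:
                findings.append(f"ldap_tls_reqcert = {reqcert}: server certificate is not enforced")
            if not opts.get("ldap_tls_cacert", "").strip():
                findings.append("ldap_tls_cacert is not set")
        report[section] = {"transport": transport,
                           "verified": transport != "cleartext" and reqcert in STRICT,
                           "findings": findings}
    return report

# Constructed sample, reduced to the keys that differ between the three configurations on this page.
TEMPLATE = """[domain/external_ldap]
ldap_tls_reqcert = {reqcert}
ldap_id_use_start_tls = {start_tls}
{cacert_line}
override_homedir = /home/%u
ldap_uri = {uri}
[sssd]
domains = external_ldap
"""

if __name__ == "__main__":
    ca = "ldap_tls_cacert = /nz/caCert/ca_cert.pem"
    cases = {"SSL OFF": ("never", "False", "#ldap_tls_cacert =", "ldap://ldap.example.com:389"),
             "SSL": ("demand", "False", ca, "ldaps://ldap.example.com:636"),
             "TLS": ("demand", "True", ca, "ldap://ldap.example.com:389")}
    for name, (reqcert, start_tls, cacert_line, uri) in cases.items():
        text = TEMPLATE.format(reqcert=reqcert, start_tls=start_tls, cacert_line=cacert_line, uri=uri)
        print(name, audit_sssd_ldap(text)["domain/external_ldap"])
```

On a host, pass the contents of /etc/sssd/sssd.conf to audit_sssd_ldap after editing the file and before restarting sssd.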

For Netezza Performance Server 11.1.0.2 and higher

  1. Add the OPENLDAP user to Netezza Performance Server.
    create user <user> password <password>
    Define the password according to your password policy.
    Example:
    nzsql -c "create user oldap_user1 password 'password';"
  2. Set the authentication type.
    • Set authentication to OPENLDAP with SSL/TLS OFF
      1. Run the command.
        nzsql -c " SET AUTHENTICATION LDAP BASE 'dc=example,dc=com' NAMECASE lowercase SERVER 'OPENLDAP_SERVER_FQDN_OR_IP' SSL 'OFF' BINDPW Netezzapwd BINDDN 'cn=oldap_admin_user1,cn=Users,dc=example,dc=com'; "
        cn is the Common Name.

        dc is the Domain component.

      2. The sssd.conf file now looks like the following example.
        [domain/external_ldap]
        
        ###The below common parameters and values should not be changed
        
        ldap_default_authtok_type = obfuscated_password
        ldap_schema = rfc2307
        #ldap_group_name =
        #ldap_user_name =
        ignore_group_members = False
        auth_provider = ldap
        ldap_rfc2307_fallback_to_local_users = True
        ldap_referrals = False
        override_homedir = /home/%u
        ldap_network_timeout = 3
        ldap_opt_timeout = 60
        cache_credentials = True
        entry_cache_group_timeout = 0
        entry_cache_user_timeout = 0
        ldap_search_timeout = 30
        id_provider = ldap
        entry_cache_timeout = 600
        case_sensitive = False
        ldap_id_mapping = False
        #ldap_group_attribute =
        #debug_level = 10
        
        ###Supplied from Input
        
        ldap_uri = ldap://OPENLDAP_SERVER_FQDN_OR_IP:389
        ldap_user_search_base = dc=example,dc=com
        ldap_default_bind_dn = cn=oldap_admin_user1,cn=Users,dc=example,dc=com
        ldap_tls_reqcert = never
        #ldap_id_use_start_tls =
        #ldap_tls_cacert =
        
        ldap_default_authtok = AAAQAHyh0uE+spiukG6zQ89FjCZdgIqHaYvqz5ToDPwbIxy2/whEzpa0+OTycf5q4Ivni+cHJ1EMkRarmGo9Wwna5voAAQID
        [sssd]
        services = nss, ifp, sudo, ssh, pam
        domains = external_ldap
        
        [nss]
        memcache_timeout = 600
        homedir_substring = /home
        
        [pam]
        #debug_level = 10
        
        [sudo]
        [autofs]
        [ssh]
        [pac]
        [ifp]
        [secrets]
    • Set authentication to OPENLDAP with SSL ON

      A certificate must be issued to the OPENLDAP server by a trusted CA. Obtain the CA certificate file and save it in a location on the Netezza Performance Server system. For the Netezza Performance Server high availability (HA) systems, save the file in a location on the shared drive, such as a new directory under /nz. Both Netezza Performance Server nodes must be able to access the certificate file by using the same path name. Typically, the CA certificate has the .pem extension.

      1. Run the command.
        nzsql -c " SET AUTHENTICATION LDAP BASE 'dc=example,dc=com' NAMECASE lowercase SERVER 'OPENLDAP_SERVER_FQDN_OR_IP' SSL 'ON' BINDPW Netezzapwd BINDDN 'cn=oldap_admin_user1,cn=Users,dc=example,dc=com' CACERT '/nz/caCert/ca_cert.pem'; "