Managing users from external LDAP on Netezza Performance Server - deprecated
This procedure is deprecated. It only applies if your NPS system is on version 11.0.2.0 or earlier.
For 11.0.3.0 and later versions, see Managing users from external LDAP on Netezza Performance Server 11.0.3.1 or later.
If you want users from an external LDAP server to access the Netezza Performance Server database, you must add them manually and configure authentication.
Before you begin
- The administrator must ensure that each NPS user is also defined within the NPS system catalog. The NPS user names must match the user names that are defined in the LDAP/AD server.
- Make sure that the NPS host can communicate with the LDAP/AD server. To do so, append the line below to /etc/hosts on the NPS host as the root user, for example:
cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
<LDAP Server IP>   <LDAP FQDN>   <LDAP Server short name>
You can cross-check the connection by using ping <LDAP/AD server> or ssh <LDAP/AD server>.
- Collect the following information from an LDAP administrator:
  - LDAP server (required): host on which LDAP is running.
  - base (required): node of the LDAP tree in which LDAP users will be searched, for example OU=ForNetezza,DC=KSL,DC=lab.
  - port (required): port on which the LDAP server is listening (default 389 for non-SSL).
  - BINDDN (optional): full name of the user that has access to the base sub-tree on the LDAP server. Must be specified if anonymous access to the LDAP server is not allowed, for example "cn=netezza_user,cn=Users,dc=KSL,dc=lab".
  - BINDPW (optional): password for the BINDDN user.
  - ATTRNAME (optional, default "cn"): LDAP attribute that is used to define the user ID. Commonly used is 'sAMAccountName' (unique account name, like jkowalski).
- Verify the server name and the port on which LDAP is running. To check that the port is not blocked by a firewall, you can run the following commands:
Example command: ldapsearch -v -h <ldap_server> -p 389 -D "cn=admin,dc=somedomain,dc=com" -x -w adminpass
telnet <host_name> <port>
ldapsearch -v -h <ldap_server> -b <base> -D <binddn> -p <port> -x -w <bindpw>
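The ldapsearch and telnet commands above need the OpenLDAP client tools on the host. The following added example (not part of the IBM procedure or the NPS product) performs the same pre-check in pure Python: a TCP connect to the server and port (the firewall check), followed by one LDAPv3 simple bind with the collected BINDDN and BINDPW, decoding the BindResponse result code so that "invalidCredentials" can be told apart from a port that is blocked. The BER encoding follows RFC 4511; the function names and the sample response bytes are constructed here and are not from the page.

```python
"""Pre-check of the collected LDAP parameters (server, port, BINDDN, BINDPW) with a raw simple bind."""
import getpass
import socket
import sys


# ---- minimal BER encoding (enough for an LDAPv3 simple bind, RFC 4511) ----

def _ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(value, tag=0x02):
    """INTEGER (tag 0x02) or ENUMERATED (tag 0x0A) in two's complement."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)
    return _tlv(tag, body)


def build_bind_request(msg_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] pw } }.
    An empty bind_dn and password produce an anonymous bind."""
    bind = _tlv(0x60, _ber_int(3) + _tlv(0x04, bind_dn.encode()) + _tlv(0x80, password.encode()))
    return _tlv(0x30, _ber_int(msg_id) + bind)


# UnbindRequest [APPLICATION 2] NULL, sent so the server does not keep a half-open session.
UNBIND_REQUEST = _tlv(0x30, _ber_int(2) + b"\x42\x00")

RESULT_CODES = {0: "success", 2: "protocolError", 7: "authMethodNotSupported",
                8: "strongerAuthRequired", 32: "noSuchObject", 49: "invalidCredentials",
                50: "insufficientAccessRights", 53: "unwillingToPerform"}


def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the BER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Decode LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage } }."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, code, pos = _read_tlv(op, 0)
    result = int.from_bytes(code, "big")
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return {"message_id": int.from_bytes(mid, "big", signed=True), "result_code": result,
            "result": RESULT_CODES.get(result, "other(%d)" % result),
            "matched_dn": matched.decode(), "diagnostic": diag.decode(errors="replace")}


def check_bind(server, port, bind_dn, password, timeout=5.0):
    """TCP connect (the firewall check) followed by one simple bind, then a clean unbind."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(build_bind_request(1, bind_dn, password))
        data = sock.recv(4096)  # a BindResponse is a few dozen bytes; one read suffices
        sock.sendall(UNBIND_REQUEST)
    return parse_bind_response(data)


def _sample_bind_response(msg_id, code, diag=""):
    """Constructed BindResponse bytes for offline use; not captured from a real server."""
    op = _tlv(0x61, _ber_int(code, tag=0x0A) + _tlv(0x04, b"") + _tlv(0x04, diag.encode()))
    return _tlv(0x30, _ber_int(msg_id) + op)


if __name__ == "__main__":
    # usage: python ldap_bind_check.py <ldap_server> <port> <binddn>   (BINDPW is prompted for)
    server, port, bind_dn = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print(check_bind(server, port, bind_dn, getpass.getpass("BINDPW: ")))
```

The script prompts for BINDPW instead of taking it as an argument; the same applies to the ldapsearch commands above, where -W (prompt) or -y <file> keeps the bind password out of the process list and shell history that -w <bindpw> leaves it in. Note that this is the same cleartext simple bind that the SSL 'off' setting uses: the password crosses the network unencrypted on port 389, so run the check only over a network path you would also accept for the NPS to LDAP traffic itself.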
Steps to perform on the LDAP server
The following procedure adds an example user test_ldap on the LDAP server. These steps are required only if LDAP users are not already present and you want to create a new one.
Procedure
Changes in pam.d files
Configure the pam_sss.so service on the client system.
Procedure
Configure the pam_sss.so service in the following files:
- /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow remember=5 try_first_pass use_authtok
password    sufficient    pam_sss.so sha512 remember=5 use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
- /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow remember=5 try_first_pass use_authtok
password    sufficient    pam_sss.so sha512 remember=5 use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
- /etc/pam.d/smartcard-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    required      pam_pkcs11.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
- /etc/pam.d/fingerprint-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
- /etc/nsswitch.conf
passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
hosts:      files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss ldap
publickey:  nisplus
automount:  files sss ldap
aliases:    files nisplus
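Because authconfig regenerates these files, it is worth being able to check after the fact that the pam_sss.so entries and the sss sources survived. The following added example (not part of the IBM documentation or of any product) parses pam.d stack files and nsswitch.conf and reports the conditions that make LDAP logins fail or weaken the stack: a stage without pam_sss.so, pam_sss.so placed after the terminating pam_deny.so in auth (where it is never reached), pam_unix.so with nullok in auth (empty passwords accepted), and passwd/shadow/group databases that do not consult sss. The sample configurations embedded below are constructed, abbreviated versions of the files above; the function names are this example's own.

```python
"""Audit pam.d stacks and nsswitch.conf for the sssd/LDAP settings the procedure above relies on."""

REQUIRED_TYPES = ("auth", "account", "password", "session")


def parse_pam(text):
    """Parse a pam.d file into dicts of type/control/module/args.
    Bracketed controls such as [default=1 ignore=ignore success=ok] contain spaces, so
    tokens are re-joined until the closing bracket; a leading '-' marks an optional module."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        toks = line.split()
        ptype = toks[0].lstrip("-").lower()
        i, control = 1, toks[1]
        if control.startswith("["):
            while not toks[i].endswith("]"):
                i += 1
                control += " " + toks[i]
        rest = toks[i + 1:]
        entries.append({"type": ptype, "control": control, "module": rest[0],
                        "args": rest[1:], "optional_module": toks[0].startswith("-")})
    return entries


def audit_pam(entries, name):
    """Return a list of findings (empty when the stack matches the expected sssd layout)."""
    findings = []
    for ptype in REQUIRED_TYPES:
        mods = [e["module"] for e in entries if e["type"] == ptype]
        if "pam_sss.so" not in mods:
            findings.append("%s: %s stack has no pam_sss.so; LDAP users cannot pass this stage" % (name, ptype))
    auth = [e for e in entries if e["type"] == "auth"]
    mods = [e["module"] for e in auth]
    if "pam_deny.so" not in mods:
        findings.append("%s: auth stack has no final pam_deny.so; an unhandled user falls through" % name)
    elif "pam_sss.so" in mods and mods.index("pam_sss.so") > mods.index("pam_deny.so"):
        findings.append("%s: pam_sss.so is listed after pam_deny.so in auth and is never reached" % name)
    for e in auth:
        if e["module"] == "pam_unix.so" and "nullok" in e["args"]:
            findings.append("%s: pam_unix.so in auth accepts empty passwords (nullok)" % name)
    return findings


def parse_nsswitch(text):
    """Map each nsswitch database to its ordered list of sources."""
    db = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            dbname, _, sources = line.partition(":")
            db[dbname.strip()] = sources.split()
    return db


def audit_nsswitch(db):
    findings = []
    for dbname in ("passwd", "shadow", "group"):
        if "sss" not in db.get(dbname, []):
            findings.append("nsswitch: %s does not consult sss; lookups of LDAP users fail" % dbname)
    return findings


# Constructed samples (abbreviated from the files in this section, not copied from a host).
GOOD_SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    sufficient    pam_unix.so sha512 shadow use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
session     required      pam_unix.so
-session    optional      pam_systemd.so
session     optional      pam_sss.so
"""

BROKEN_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
auth        sufficient    pam_sss.so forward_pass
account     required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow
session     required      pam_unix.so
"""

NSSWITCH_GOOD = "passwd: files sss ldap\nshadow: files sss ldap\ngroup: files sss ldap\nhosts: files dns\n"
NSSWITCH_BAD = "passwd: files\nshadow: files\ngroup: files sss\n"

if __name__ == "__main__":
    for label, text in (("system-auth", GOOD_SYSTEM_AUTH), ("broken-auth", BROKEN_AUTH)):
        print(label, audit_pam(parse_pam(text), label) or "ok")
    print("nsswitch", audit_nsswitch(parse_nsswitch(NSSWITCH_BAD)) or "ok")
```

On a real host, feed the parser with open("/etc/pam.d/system-auth").read() and open("/etc/nsswitch.conf").read() for each of the four files listed above. The check deliberately reads the order of the auth stack rather than only the presence of modules, because the first matching "sufficient" or the terminating "required pam_deny.so" decides the outcome; a pam_sss.so line that merely exists somewhere below pam_deny.so does nothing.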
Steps to perform on Netezza Performance Server
With these steps, you can check the current authentication setting.
Procedure
Troubleshooting
If you see the error ERROR: pam_authenticate failed: User not known to the underlying authentication module, perform the following workaround steps on the NPS host as the root user:
- echo -n <bindpassword> | sss_obfuscate --domain=external_ldap -s
- systemctl restart sssd
- nzsql -c "SET AUTHENTICATION LDAP BASE 'dc=nzdevelopment,dc=com' SERVER '<LDAP/AD Server>' SSL 'off' BINDPW 'Ipspass26' BINDDN 'cn=ad_user1,cn=Users,dc=nzdevelopment,dc=com';"