Managing users from external LDAP for Netezza Performance Server 11.1.0.0 and later
Learn how to manage users from external LDAP for Netezza Performance Server 11.1.0.0 and later.
Before you begin
With sssd, you must have unique integer gidNumber and uidNumber values assigned to your users on the LDAP server. For more information, see "Is it possible to use SSSD only for authentication and not for id lookups?".

Procedure
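The uniqueness requirement above is easy to get wrong on a large directory. The following POSIX shell function is an added example, not part of the IBM documentation: it reads an LDIF dump on stdin (the constructed sample stands in for ldapsearch output, and the ldapsearch invocation in the comment is an assumption) and reports every user entry that lacks a uidNumber or gidNumber or shares its uidNumber with another entry.

```shell
#!/bin/sh
# Added example, not from the IBM page: check the sssd prerequisite that every
# LDAP user has a uidNumber and a gidNumber and that no two users share a uidNumber.
# Input is LDIF on stdin, as produced by a command such as (assumed, not on the page):
#   ldapsearch -x -b 'dc=somedomain,dc=com' '(objectClass=posixAccount)' uidNumber gidNumber
# Limitations: only simple LDIF (no line folding, no base64 "dn::" values).

# Constructed sample directory dump: two clean users and one broken entry.
SAMPLE_LDIF='dn: uid=test_ldap,ou=people,dc=somedomain,dc=com
uid: test_ldap
uidNumber: 10001
gidNumber: 10001

dn: uid=ad_user1,ou=people,dc=somedomain,dc=com
uid: ad_user1
uidNumber: 10002
gidNumber: 10001

dn: uid=dupe,ou=people,dc=somedomain,dc=com
uid: dupe
uidNumber: 10002
'

# check_posix_ids: prints one problem per line; exit 0 when clean, 1 otherwise.
check_posix_ids() {
    awk '
        BEGIN { bad = 0 }
        /^dn:/        { dn = substr($0, 5); uid = ""; gid = "" }   # new entry starts
        /^uidNumber:/ { uid = $2 }
        /^gidNumber:/ { gid = $2 }
        /^$/          { if (dn != "") flush() }                    # blank line ends an entry
        END           { if (dn != "") flush(); exit bad }          # last entry may lack a blank line
        function flush() {
            if (uid == "")        { print "missing uidNumber: " dn; bad = 1 }
            else if (uid in seen) { print "duplicate uidNumber " uid ": " dn " and " seen[uid]; bad = 1 }
            else                  seen[uid] = dn
            if (gid == "")        { print "missing gidNumber: " dn; bad = 1 }
            dn = ""
        }
    '
}

# Usage: run the check over the constructed sample (reports two problems for uid=dupe).
printf '%s' "$SAMPLE_LDIF" | check_posix_ids || echo "fix the entries above before enabling sssd"
```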
- Log in to Cloud Pak for Data System.
- Log in to Netezza Performance Server.
  - For Cloud Pak for Data System 1.X:
    docker exec -it <ips hostname> bash
  - For Cloud Pak for Data System 2.X:
    oc exec -it <nps host pod> -n <namespace> -- bash
- For Cloud Pak for Data System 1.X, switch to the nz user:
  su - nz
- Verify the authentication:
  nzsql -c "show authentication all"
  Example:
  [nz@node0201 ~]$ nzsql -c "show authentication all"
        AUTH_OPTION      | AUTH_VALUE
  -----------------------+------------
   AUTHENTICATION METHOD | LOCAL
  (1 row)
- Depending on the LDAP server that you use, follow the steps.
  - Open LDAP
    - If the LDAP users are not in the database, add them and grant the required permissions to the users.
      create user <user> password <password>
      Define the password according to your password policy.
      Example:
      nzsql -c "create user test_ldap password 'password';"
    - Set the authentication type to LDAP with SSL off.
      SET AUTHENTICATION LDAP
      Example:
      nzsql -c "SET AUTHENTICATION LDAP BASE 'dc=somedomain,dc=com' NAMECASE lowercase SERVER '<ldap_server>' SSL 'off' BINDDN 'cn=admin,dc=somedomain,dc=com' BINDPW adminpass;"
      - CN: Common Name.
      - DC: Domain Component.
      - BINDDN: Distinguished Name.
      - BINDPW: Password associated with the Distinguished Name.
      Note: Skip BINDDN 'cn=admin,dc=somedomain,dc=com' if the bind password is not set on the LDAP server. In this case, the command example is:
      nzsql -c "SET AUTHENTICATION LDAP BASE 'dc=somedomain,dc=com' NAMECASE lowercase SERVER '<ldap_server>' SSL 'off';"
    - Verify the authentication type.
      Example:
      nzsql -c "show authentication all;"
      [nz@node0201 ~]$ nzsql -c "show authentication all;"
             AUTH_OPTION       |          AUTH_VALUE
      ------------------------+-------------------------------
       AUTHENTICATION METHOD  | LDAP
       AUTHMTHD LDAP BASE     | dc=somedomain,dc=com
       AUTHMTHD LDAP BINDDN   | cn=admin,dc=somedomain,dc=com
       AUTHMTHD LDAP NAMECASE | LOWERCASE
       AUTHMTHD LDAP SERVER   | <LDAP server IP>
       AUTHMTHD LDAP SSL      | off
      (6 rows)
      If BINDPW isn't used in the SET AUTHENTICATION command:
      [nz@node0201 ~]$ nzsql -c "show authentication all;"
             AUTH_OPTION       |          AUTH_VALUE
      ------------------------+-------------------------------
       AUTHENTICATION METHOD  | LDAP
       AUTHMTHD LDAP BASE     | dc=somedomain,dc=com
       AUTHMTHD LDAP NAMECASE | LOWERCASE
       AUTHMTHD LDAP SERVER   | <LDAP server IP>
       AUTHMTHD LDAP SSL      | off
      (5 rows)
    - The /etc/sssd/sssd.conf file looks like the following example.
      ===========================/etc/sssd/sssd.conf==================================
      [domain/external_ldap]
      ###The below common parameters and values should not be changed
      ldap_default_authtok_type = obfuscated_password
      ldap_schema = rfc2307
      #ldap_group_name =
      #ldap_user_name =
      ignore_group_members = False
      auth_provider = ldap
      ldap_rfc2307_fallback_to_local_users = True
      ldap_referrals = False
      override_homedir = /home/%u
      ldap_network_timeout = 3
      ldap_opt_timeout = 60
      cache_credentials = True
      entry_cache_group_timeout = 0
      entry_cache_user_timeout = 0
      ldap_search_timeout = 30
      id_provider = ldap
      entry_cache_timeout = 600
      case_sensitive = False
      ldap_id_mapping = False
      #ldap_group_attribute =
      #debug_level = 10
      ###Supplied from Input
      ldap_uri = ldap://<LDAP Server>:389
      ldap_user_search_base = dc=somedomain,dc=com
      ldap_default_bind_dn = cn=admin,dc=somedomain,dc=com
      ldap_tls_reqcert = never
      #ldap_id_use_start_tls =
      #ldap_tls_cacert =
      ldap_default_authtok = AAAQAGjPMpPlaKyKfPLvmpE1FSolHcAHS/0KoEaJ7k8yPZaphWL2hLYyjKBXO4C9aAgAIGKgBWONT+5nOITCVv6tTlwAAQID

      [sssd]
      services = nss, ifp, sudo, ssh, pam
      domains = external_ldap

      [nss]
      memcache_timeout = 600
      homedir_substring = /home

      [pam]
      #debug_level = 10

      [sudo]

      [autofs]

      [ssh]

      [pac]

      [ifp]

      [secrets]

      [session_recording]
  - Windows Active Directory
    - If the AD users are not in the database, add them and grant the required permissions to the users.
      create user <user> password <password>
      Define the password according to your password policy.
      Example:
      nzsql -c "create user ad_user1 password 'password';"
    - Set the authentication type to LDAP with SSL off.
      SET AUTHENTICATION LDAP
      Example:
      nzsql -c "SET AUTHENTICATION LDAP BASE 'dc=nzdevelopment,dc=com' NAMECASE lowercase SERVER '<ad-server>' SSL 'off' BINDPW Netezza26 BINDDN 'cn=ad_user1,cn=Users,dc=nzdevelopment,dc=com' ATTRNAME 'sAMAccountName';"
      Note: For Windows AD authentication, the ATTRNAME value must be set to sAMAccountName.
    - The /etc/sssd/sssd.conf file looks like the following example.
      ===========================/etc/sssd/sssd.conf==================================
      [domain/external_ldap]
      ###The below common parameters and values should not be changed
      ldap_default_authtok_type = obfuscated_password
      ldap_schema = AD
      ldap_group_name = CN
      ldap_user_name = sAMAccountName
      ignore_group_members = True
      auth_provider = ldap
      ldap_rfc2307_fallback_to_local_users = True
      ldap_referrals = False
      override_homedir = /home/%u
      ldap_network_timeout = 3
      ldap_opt_timeout = 60
      cache_credentials = True
      entry_cache_group_timeout = 0
      entry_cache_user_timeout = 0
      ldap_search_timeout = 30
      id_provider = ldap
      entry_cache_timeout = 600
      case_sensitive = False
      ldap_id_mapping = True
      #ldap_group_attribute =
      #debug_level = 10
      ###Supplied from Input
      ldap_uri = ldap://<AD-SERVER>:389
      ldap_user_search_base = dc=nzdevelopment,dc=com
      ldap_default_bind_dn = cn=ad_user1,cn=Users,dc=nzdevelopment,dc=com
      ldap_tls_reqcert = never
      #ldap_id_use_start_tls =
      #ldap_tls_cacert =
      ldap_default_authtok = AAAQACiPQqSPP0Y00vYePwimehITknlkR3s+FmeIPuKsDvzZX/eULs8pA5exDJNoqtczO6pvDA7Px3+NgFuG1GmWvuMAAQID

      [sssd]
      services = nss, ifp, sudo, ssh, pam
      domains = external_ldap

      [nss]
      memcache_timeout = 600
      homedir_substring = /home

      [pam]
      #debug_level = 10

      [sudo]

      [autofs]

      [ssh]

      [pac]

      [ifp]

      [secrets]
- Verify the LDAP/AD user authentication setup.
  - Log in as the nz user.
    su - nz
  - Run the command.
    nzsql -u <LDAP/AD user> -pw <LDAP/AD user password>
    Note: LDAP/AD user password is the password that is defined on the LDAP server for the LDAP user.
    Example:
    [nz@node0201 ~]$ nzsql -db system -u test_ldap -pw netezzaips
    Welcome to nzsql, the IBM Netezza SQL interactive terminal.

    Type:  \h for help with SQL commands
           \? for help on internal slash commands
           \g or terminate with semicolon to execute query
           \q to quit

    SYSTEM.ADMIN(TEST_LDAP)=> show authentication all;
           AUTH_OPTION       |          AUTH_VALUE
    ------------------------+-------------------------------
     AUTHENTICATION METHOD  | LDAP
     AUTHMTHD LDAP BASE     | dc=somedomain,dc=com
     AUTHMTHD LDAP BINDDN   | cn=admin,dc=somedomain,dc=com
     AUTHMTHD LDAP NAMECASE | LOWERCASE
     AUTHMTHD LDAP SERVER   | <ldap_server>
     AUTHMTHD LDAP SSL      | off
    (6 rows)

    [nz@node0201 ~]$
- Log in as the