Managing users from external LDAP for Netezza Performance Server 11.1.0.0 and later

Learn how to manage users from external LDAP for Netezza Performance Server 11.1.0.0 and later.

Before you begin

To work with LDAP by using sssd, every user on the LDAP server must have a unique integer gidNumber and uidNumber assigned. For more information, see Is it possible to use SSSD only for authentication and not for id lookups?
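The prerequisite above can be checked before sssd is touched. The following shell script is an added example and is not part of the IBM page or of the Netezza product: it reads an LDIF export of the user entries (the output of ldapsearch -LLL, or the constructed sample embedded in the script) and reports entries without a uidNumber or gidNumber, non-integer values, and duplicate uidNumber values, which are exactly the conditions that break sssd id lookups. The DNs and numbers in the sample are made up. The check matters for the OpenLDAP configuration, where ldap_id_mapping = False and sssd takes the IDs from the directory; in the Active Directory configuration shown later, ldap_id_mapping = True and sssd derives the IDs from the objectSID instead.

```shell
# Added example (not from the IBM page): validate that every user entry in an
# LDIF export carries a unique integer uidNumber and a gidNumber, which sssd
# needs as id_provider when ldap_id_mapping = False. Entries with a base64 dn
# ("dn:: ...") are not handled. DNs and values below are constructed.

# Constructed sample in the form that
#   ldapsearch -LLL -b dc=somedomain,dc=com '(objectClass=posixAccount)' uidNumber gidNumber
# would print it (assumed base DN and users).
SAMPLE_LDIF='dn: uid=test_ldap,ou=People,dc=somedomain,dc=com
uid: test_ldap
uidNumber: 10001
gidNumber: 10001

dn: uid=ad_user1,ou=People,dc=somedomain,dc=com
uid: ad_user1
uidNumber: 10001
gidNumber: 10001

dn: uid=noposix,ou=People,dc=somedomain,dc=com
uid: noposix
'

# check_ldif_ids: reads LDIF on stdin, prints one finding per problem
# (missing or non-integer uidNumber, duplicate uidNumber, missing gidNumber)
# and returns 1 when anything was printed, 0 when the export is clean.
check_ldif_ids() {
    awk '
    function flush() {
        if (dn == "") return
        if (uidn == "")              { printf "MISSING uidNumber: %s\n", dn; bad = 1 }
        else if (uidn !~ /^[0-9]+$/) { printf "NON-INTEGER uidNumber %s: %s\n", uidn, dn; bad = 1 }
        else if (uidn in seen)       { printf "DUPLICATE uidNumber %s: %s (also %s)\n", uidn, dn, seen[uidn]; bad = 1 }
        else                         { seen[uidn] = dn }
        if (gidn == "")              { printf "MISSING gidNumber: %s\n", dn; bad = 1 }
        dn = ""; uidn = ""; gidn = ""
    }
    BEGIN          { bad = 0 }
    /^dn: /        { flush(); dn = substr($0, 5); next }
    /^uidNumber: / { uidn = substr($0, 12); next }
    /^gidNumber: / { gidn = substr($0, 12); next }
    END            { flush(); exit bad }
    '
}

# Demo run against the constructed sample. Against a live directory, pipe the
# ldapsearch output in the same way.
printf '%s' "$SAMPLE_LDIF" | check_ldif_ids || echo "fix the directory entries above before enabling sssd id lookups"
```

The script exits non-zero whenever a finding is printed, so it can gate an automated rollout. A duplicate uidNumber is reported on the second entry that carries it, together with the first entry, so both accounts can be corrected.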

Procedure

  1. Log in to Cloud Pak for Data System.
  2. Log in to Netezza Performance Server.
    • For Cloud Pak for Data System 1.X:
      docker exec -it <ips hostname> bash
    • For Cloud Pak for Data System 2.X:
      oc exec -it <nps host pod> -n <namespace> -- bash
  3. Switch to the nz user.
    su - nz
  4. Verify the authentication:
    nzsql -c "show authentication all"
    Example:
    [nz@node0201 ~]$ nzsql -c "show authentication all"
    AUTH_OPTION            | AUTH_VALUE
    -----------------------+------------
    AUTHENTICATION METHOD  | LOCAL
    (1 row)
  5. Depending on the LDAP server that you use, follow the steps.
    • OpenLDAP
      1. If the LDAP users do not yet exist in the database, create them and grant them the required permissions.
        create user <user> password <password>

        Define the password according to your password policy.

        Example:
        nzsql -c "create user test_ldap password 'password';"
      2. Set the authentication type to LDAP with SSL off.
        Note: With SSL 'off', the bind password and the passwords of users who log in are sent to the LDAP server unencrypted, so use this setting only on a network that you trust.
        SET AUTHENTICATION LDAP
        Example:
        nzsql -c " SET AUTHENTICATION LDAP BASE 'dc=somedomain,dc=com' NAMECASE lowercase SERVER 
        '<ldap_server>' SSL 'off' BINDDN 'cn=admin,dc=somedomain,dc=com' BINDPW adminpass;"
        CN: Common Name.
        DC: Domain Component.
        BINDDN: Distinguished Name of the directory account that Netezza Performance Server binds as to look up users.
        BINDPW: Password of that bind DN.
        Note: Omit BINDDN 'cn=admin,dc=somedomain,dc=com' and BINDPW if no bind password is set on the LDAP server (the lookup then uses an anonymous bind). In this case, the command example is:
        nzsql -c " SET AUTHENTICATION LDAP BASE 'dc=somedomain,dc=com' NAMECASE lowercase SERVER '<ldap_server>' SSL 'off';"
      3. Verify the authentication type.
        nzsql -c "show authentication all;"
        Examples:
        • [nz@node0201 ~]$ nzsql -c "show authentication all;"
                AUTH_OPTION       |          AUTH_VALUE
          ------------------------+-------------------------------
           AUTHENTICATION METHOD  | LDAP
           AUTHMTHD LDAP BASE     | dc=somedomain,dc=com
           AUTHMTHD LDAP BINDDN   | cn=admin,dc=somedomain,dc=com
           AUTHMTHD LDAP NAMECASE | LOWERCASE
           AUTHMTHD LDAP SERVER   | <LDAP server IP>
           AUTHMTHD LDAP SSL      | off
          (6 rows)
          
        • If BINDPW isn't used in the SET AUTHENTICATION command:
          [nz@node0201 ~]$ nzsql -c "show authentication all;"
                AUTH_OPTION       |          AUTH_VALUE
          ------------------------+-------------------------------
           AUTHENTICATION METHOD  | LDAP
           AUTHMTHD LDAP BASE     | dc=somedomain,dc=com
           AUTHMTHD LDAP NAMECASE | LOWERCASE
           AUTHMTHD LDAP SERVER   | <LDAP server IP>
           AUTHMTHD LDAP SSL      | off
          (5 rows)
          
      4. Note that /etc/ldap.conf is deprecated on Netezza Performance Server. Use /etc/sssd/sssd.conf to set up the LDAP configuration. The file looks like the following example.
        ===========================/etc/sssd/sssd.conf==================================
        
        [domain/external_ldap]
        
        ###The below common parameters and values should not be changed
        
        ldap_default_authtok_type = obfuscated_password
        ldap_schema = rfc2307
        #ldap_group_name =
        #ldap_user_name =
        ignore_group_members = False
        auth_provider = ldap
        ldap_rfc2307_fallback_to_local_users = True
        ldap_referrals = False
        override_homedir = /home/%u
        ldap_network_timeout = 3
        ldap_opt_timeout = 60
        cache_credentials = True
        entry_cache_group_timeout = 0
        entry_cache_user_timeout = 0
        ldap_search_timeout = 30
        id_provider = ldap
        entry_cache_timeout = 600
        case_sensitive = False
        ldap_id_mapping = False
        #ldap_group_attribute =
        #debug_level = 10
        
        ###Supplied from Input
        ldap_uri = ldap://<LDAP Server>:389
        ldap_user_search_base = dc=somedomain,dc=com
        ldap_default_bind_dn = cn=admin,dc=somedomain,dc=com
        ldap_tls_reqcert = never
        #ldap_id_use_start_tls =
        #ldap_tls_cacert =
        
        ldap_default_authtok = AAAQAGjPMpPlaKyKfPLvmpE1FSolHcAHS/0KoEaJ7k8yPZaphWL2hLYyjKBXO4C9aAgAIGKgBWONT+5nOITCVv6tTlwAAQID
        
        [sssd]
        services = nss, ifp, sudo, ssh, pam
        domains = external_ldap
        
        [nss]
        memcache_timeout = 600
        homedir_substring = /home
        
        [pam]
        #debug_level = 10
        
        [sudo]
        [autofs]
        [ssh]
        [pac]
        [ifp]
        [secrets]
        [session_recording]
    • Windows Active Directory
      1. If the AD users do not yet exist in the database, create them and grant them the required permissions.
        create user <user> password <password>
        Define the password according to your password policy.
        Example:
        nzsql -c "create user ad_user1 password 'password';"
      2. Set the authentication type to LDAP with SSL off.
        SET AUTHENTICATION LDAP
        Example:
        nzsql -c " SET AUTHENTICATION LDAP BASE 'dc=nzdevelopment,dc=com' NAMECASE lowercase SERVER '<ad-server>' SSL 'off' BINDPW Netezza26 BINDDN 'cn=ad_user1,cn=Users,dc=nzdevelopment,dc=com' ATTRNAME 'sAMAccountName'; "
        Note: For Windows AD authentication, the ATTRNAME value must be set to sAMAccountName.
      3. The /etc/sssd/sssd.conf file looks like the following example.
        ===========================/etc/sssd/sssd.conf==================================
        [domain/external_ldap]
        
        ###The below common parameters and values should not be changed
        
        ldap_default_authtok_type = obfuscated_password
        ldap_schema = AD
        ldap_group_name = CN
        ldap_user_name = sAMAccountName
        ignore_group_members = True
        auth_provider = ldap
        ldap_rfc2307_fallback_to_local_users = True
        ldap_referrals = False
        override_homedir = /home/%u
        ldap_network_timeout = 3
        ldap_opt_timeout = 60
        cache_credentials = True
        entry_cache_group_timeout = 0
        entry_cache_user_timeout = 0
        ldap_search_timeout = 30
        id_provider = ldap
        entry_cache_timeout = 600
        case_sensitive = False
        ldap_id_mapping = True
        #ldap_group_attribute =
        #debug_level = 10
        
        ###Supplied from Input
        
        ldap_uri = ldap://<AD-SERVER>:389
        ldap_user_search_base = dc=nzdevelopment,dc=com
        ldap_default_bind_dn = cn=ad_user1,cn=Users,dc=nzdevelopment,dc=com
        ldap_tls_reqcert = never
        #ldap_id_use_start_tls =
        #ldap_tls_cacert =
        
        ldap_default_authtok = AAAQACiPQqSPP0Y00vYePwimehITknlkR3s+FmeIPuKsDvzZX/eULs8pA5exDJNoqtczO6pvDA7Px3+NgFuG1GmWvuMAAQID
        
        [sssd]
        services = nss, ifp, sudo, ssh, pam
        domains = external_ldap
        
        [nss]
        memcache_timeout = 600
        homedir_substring = /home
        
        [pam]
        #debug_level = 10
        
        [sudo]
        [autofs]
        [ssh]
        [pac]
        [ifp]
        [secrets]
  6. Verify the LDAP/AD user authentication setup.
    1. Log in as the nz user.
      su - nz
    2. Run the command.
      nzsql -u <LDAP/AD user> -pw <LDAP/AD user password>
      Note: The LDAP/AD user password is the password that is defined on the LDAP or AD server for that user, not the password that was given in CREATE USER.
      Example:
      [nz@node0201 ~]$ nzsql -db system -u test_ldap -pw netezzaips
      Welcome to nzsql, the IBM Netezza SQL interactive terminal.
      
      Type:  \h for help with SQL commands
             \? for help on internal slash commands
             \g or terminate with semicolon to execute query
             \q to quit
      
      SYSTEM.ADMIN(TEST_LDAP)=> show authentication all;
            AUTH_OPTION       |          AUTH_VALUE
      ------------------------+-------------------------------
       AUTHENTICATION METHOD  | LDAP
       AUTHMTHD LDAP BASE     | dc=somedomain,dc=com
       AUTHMTHD LDAP BINDDN   | cn=admin,dc=somedomain,dc=com
       AUTHMTHD LDAP NAMECASE | LOWERCASE
       AUTHMTHD LDAP SERVER   | <ldap_server>
       AUTHMTHD LDAP SSL      | off
      (6 rows)
      
      [nz@node0201 ~]$
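Both sssd.conf files in step 5 bind over ldap:// on port 389 with ldap_tls_reqcert = never, so the bind password (the cleartext behind the obfuscated ldap_default_authtok) and every user's password travel to the directory unencrypted; the commented ldap_id_use_start_tls and ldap_tls_cacert lines are the settings that change that. The shell script below is an added example and is not from the IBM page or from the product: it parses the [domain/...] section of an sssd.conf, flags cleartext transport, disabled certificate checking and a non-obfuscated bind token, and runs once against a constructed copy of the settings from the procedure and once against a hardened variant (LDAPS on port 636, ldap_tls_reqcert = demand, a pinned CA file). The host name, CA file path and token strings are assumptions. Changing the transport on the sssd side has to be matched on the Netezza side, which this example does not cover.

```shell
# Added example (not from the IBM page): audit the [domain/...] section of an
# sssd.conf for settings that expose the bind password and user passwords.
# Host names, the CA path and the token values below are assumptions.

# Constructed copy of the domain section in the form shown in the procedure
# (ldap:// on 389, certificate checking disabled).
WEAK_CONF='[domain/external_ldap]
ldap_default_authtok_type = obfuscated_password
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
ldap_id_mapping = False
ldap_uri = ldap://ldap.somedomain.com:389
ldap_user_search_base = dc=somedomain,dc=com
ldap_default_bind_dn = cn=admin,dc=somedomain,dc=com
ldap_tls_reqcert = never
#ldap_id_use_start_tls =
#ldap_tls_cacert =
ldap_default_authtok = AAAQAEXAMPLEOBFUSCATEDTOKEN

[sssd]
services = nss, pam
domains = external_ldap
'

# The same section with LDAPS, strict certificate checking and a pinned CA
# (assumed path). The obfuscated token is regenerated on the host in practice.
HARDENED_CONF='[domain/external_ldap]
ldap_default_authtok_type = obfuscated_password
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
ldap_id_mapping = False
ldap_uri = ldaps://ldap.somedomain.com:636
ldap_user_search_base = dc=somedomain,dc=com
ldap_default_bind_dn = cn=admin,dc=somedomain,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/ldap-ca.pem
ldap_default_authtok = AAAQAEXAMPLEOBFUSCATEDTOKEN

[sssd]
services = nss, pam
domains = external_ldap
'

# audit_sssd_domain: reads sssd.conf on stdin, collects the key = value pairs
# of the [domain/...] sections (comments and other sections are ignored),
# prints one finding per line and returns 1 when any finding was printed.
audit_sssd_domain() {
    awk '
    /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[domain\//); next }
    !insec || /^[ \t]*[#;]/ { next }
    {
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        cfg[key] = val
    }
    END {
        bad = 0
        uri = cfg["ldap_uri"]
        if (uri ~ /^ldap:\/\// && tolower(cfg["ldap_id_use_start_tls"]) != "true") {
            print "CLEARTEXT: ldap_uri is ldap:// and ldap_id_use_start_tls is not True; the bind password and every user password cross the network unencrypted"
            bad = 1
        }
        if (tolower(cfg["ldap_tls_reqcert"]) == "never") {
            print "UNVERIFIED TLS: ldap_tls_reqcert = never accepts any server certificate, so an on-path host can impersonate the directory once TLS is enabled"
            bad = 1
        }
        if (cfg["ldap_default_authtok"] != "" && tolower(cfg["ldap_default_authtok_type"]) != "obfuscated_password") {
            print "PLAINTEXT AUTHTOK: ldap_default_authtok is stored as a cleartext password"
            bad = 1
        }
        exit bad
    }
    '
}

# Demo: the configuration from the procedure fails, the hardened one passes.
printf '%s' "$WEAK_CONF" | audit_sssd_domain || echo "-> configuration from the procedure fails the audit"
printf '%s' "$HARDENED_CONF" | audit_sssd_domain && echo "-> hardened configuration passes"
```

To audit the live file, run the function on /etc/sssd/sssd.conf as root (the file is mode 0600). The obfuscation of ldap_default_authtok only protects the token at rest against casual reading; it does nothing for the password on the wire, which is why the transport findings come first.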