REGISTER EXTERNAL AUTHENTICATION SYSTEM

Use the REGISTER EXTERNAL AUTHENTICATION SYSTEM command to specify the authentication method.

Authentication verifies that the database user enters a correct and known username-password combination when they log on to the system. To access a database, the user must also be defined by a CREATE USER statement, and must have access rights to a particular database.

Netezza Performance Server offers the following authentication methods for database users:
  • Local authentication
  • LDAP authentication
  • Azure Active Directory (Azure AD) authentication
  • IBM® IAM authentication
  • AWS IAM authentication

By default, local authentication and IBMIAM are enabled on the system. Two-factor authentication is supported only with AWSIAM and SAML external authentication systems.

Syntax

REGISTER EXTERNAL AUTHENTICATION SYSTEM { 'IBMIAM' with IBM IAM CONFIG |
                                                   'AzureAD' with AZURE AD CONFIG |
                                                   'LDAP' with LDAP CONFIG |
                                                   'AWSIAM' }
Where:
  • IBM IAM CONFIG represents:
    { PRODUCTION | STAGING | DEVELOPMENT }

    With PRODUCTION, STAGING, and DEVELOPMENT, you can specify the environment type.

  • AZURE AD CONFIG represents:
    clientid 'AZURE CLIENT ID' tenantid 'AZURE TENANT'
    Where:
    AZURE CLIENT ID
    Specifies the Azure client ID. For more information, see How to: Get an Azure Application ID.
    AZURE TENANT
    Specifies the Azure tenant. For more information, see How to find your Azure Active Directory tenant ID.
  • LDAP CONFIG represents:
    [ VERSION ]
    [ BINDDN { bind-string | NONE } ]
    [ BINDPW { bind-password | NONE } ]
    [ PORT ]
    [ SCOPE { SUB | ONE | BASE } ]
    [ SSL { ON | OFF } ]
    [ ATTRNAME ]
    [ NAMECASE { LOWERCASE | UPPERCASE } ]
    Where:
    VERSION
    The LDAP protocol version number to use. The default is 3.
    BINDDN
    The Distinguished Name to use when binding to the LDAP server. The bind string is optional; this clause is typically omitted when the LDAP look-ups are performed anonymously.
    BINDPW
    The password that accompanies the BINDDN for binding to the LDAP server.
    PORT
    The port number to use when connecting to the LDAP server. The default is 389.
    SCOPE
    The scope to use when searching the LDAP tree.
    SSL
    The default is OFF. If ON, SSL is used when contacting the LDAP server. When you specify LDAP as the authentication type, you must specify the SSL option.
    ATTRNAME
    The attribute in the LDAP server that contains the username. This is typically 'sAMAccountname' for Microsoft Active Directory, 'uid' for IBM® Tivoli® Directory Server, and 'cn' for OpenLDAP servers. The default is 'cn'.
    NAMECASE
    Indicates whether the LDAP server stores usernames in lowercase or uppercase.
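
As an added example (not from the original page or IBM's own documentation), the LDAP form of the command written out twice: once with weak settings and once hardened. It assumes that each LDAP CONFIG keyword is followed by its value, and the bind DN, password and attribute values are placeholders for your own directory.

```sql
-- Added example; assumes each LDAP CONFIG keyword takes the value that
-- follows it (VERSION 3, PORT 636, ...). All DN/password values are placeholders.

-- Weak: plain LDAP on the default port with an anonymous bind.
-- Username look-ups and the bind cross the network in clear text, so anyone
-- on the path can read them or tamper with the lookup result.
REGISTER EXTERNAL AUTHENTICATION SYSTEM 'LDAP' WITH LDAP CONFIG
    VERSION 3
    BINDDN NONE
    BINDPW NONE
    PORT 389
    SCOPE SUB
    SSL OFF              -- the SSL clause is mandatory for LDAP; OFF is the weak choice
    ATTRNAME 'cn'
    NAMECASE LOWERCASE;

-- Hardened: SSL ON over the LDAPS port, a dedicated read-only service account
-- for the bind, and the attribute that Active Directory actually keys users on.
REGISTER EXTERNAL AUTHENTICATION SYSTEM 'LDAP' WITH LDAP CONFIG
    VERSION 3
    BINDDN 'CN=nps-ldap-lookup,OU=Service Accounts,DC=example,DC=com'  -- placeholder DN
    BINDPW '<bind-password>'                                           -- placeholder; keep out of scripts
    PORT 636
    SCOPE SUB
    SSL ON
    ATTRNAME 'sAMAccountname'
    NAMECASE LOWERCASE;  -- must match how the directory stores the username
```

The hardened form still depends on the database user existing via CREATE USER with rights on the database; registering the authentication system only decides how the password is checked.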

Examples