SET AUTHENTICATION
Use the SET AUTHENTICATION command to specify how the system authenticates users who connect to the database.
Authentication verifies that the database user enters a correct and known username-password combination when they log on to the system. To access a database, the user must also be defined by a CREATE USER statement, and must have access rights to a particular database.
The Netezza Performance Server system supports local, LDAP, and Kerberos authentication methods. Local authentication is when the Netezza Performance Server database validates the user accounts and passwords. LDAP and Kerberos authentication use trusted third-party services to perform the database user authentication within your environment. For more information about configuring and using these authentication methods, see the IBM Netezza® System Administrator’s Guide.
- When you change the authentication from LOCAL to LDAP, the system takes the following actions:
  - Creates a Pluggable Authentication Module (PAM) file for the new authentication settings, /etc/pam.d/netezza_nps.
  - Modifies the /nz/data/pg_hba.conf file, changing the authorization to LDAP. (The pg_hba.conf file controls client authentication.)
  - Copies the /etc/ldap.conf file to /nz/data/config/ldap.conf.orig and then updates the /etc/ldap.conf file for the changes in the command.
- When you change the authentication from LOCAL to Kerberos, the system takes the following actions:
  - Reads the /nz/data/config/krb5.conf file to obtain the Kerberos configuration. If you did not create a krb5.conf file, you can specify the configuration values in the SET AUTHENTICATION command.
  - Changes the LDAP configuration files by copying ldap.conf.orig to ldap.conf.
  - Deletes the PAM file /etc/pam.d/netezza_nps.
  - Modifies the file /nz/data/pg_hba.conf, changing the authorization to MD5 (the default).
- When the authentication type is LDAP, you can issue more or subsequent SET AUTHENTICATION LDAP commands to update the LDAP configuration parameters. The system changes the LDAP configuration file by using the options that you specify in the command. The command does not retain settings from any previous SET AUTHENTICATION commands; you must specify the command and all of the options that you need when you issue the command.
- The system updates the catalog to record the authentication configuration that you chose. The system stores the parameters that you enter in the _t_systemdef system table, which stores data by using a tag and value scheme: each option that you define with the SET AUTHENTICATION command occupies a separate row with a predefined tag and the option value. If you specify LOCAL authentication, the table contains only one row, with the tag AUTHENTICATION METHOD and the value local. For an LDAP configuration, the _t_systemdef table contains the following rows:

Tag | Value |
---|---|
AUTHENTICATION METHOD | LDAP |
AUTHMTHD LDAP BASE | The value entered for <base-string> |
AUTHMTHD LDAP SERVER | <server> |
AUTHMTHD LDAP VERSION | <version-number> |
AUTHMTHD LDAP BINDDN | <bind-string>, if entered, or NONE |
AUTHMTHD LDAP BINDPW | <bind-password>, if entered, or NONE |
AUTHMTHD LDAP PORT | <port> |
AUTHMTHD LDAP SCOPE | The value entered: SUB, ONE, or BASE |
AUTHMTHD LDAP SSL | The value entered: ON or OFF |
AUTHMTHD LDAP ATTRNAME | <attrname-string> |
AUTHMTHD LDAP NAMECASE | The value entered: LOWERCASE or UPPERCASE |
- The system records authentication changes in the pg.log file. All SET AUTHENTICATION and SHOW AUTHENTICATION commands are written to the pg.log file. If you use the BINDPW option, passwords are masked-out in the pg.log file.
Syntax
SET AUTHENTICATION { LOCAL | LDAP [(<ldap-config>)] | KERBEROS [(<kerberos-config>)] }

where <ldap-config> is:

BASE <base-string> SERVER <server>
[ VERSION <version-number> ]
[ BINDDN { <bind-string> | NONE } ]
[ BINDPW { <bind-password> | NONE } ]
[ PORT <port> ]
[ SCOPE { SUB | ONE | BASE } ]
[ SSL { ON | OFF } ]
[ ATTRNAME <attrname-string> ]
[ NAMECASE { LOWERCASE | UPPERCASE } ]

and <kerberos-config> is:

[ REALM <realm-name> ]
[ KDC <Kerberos-KDC> ]
[ USERCASE { KEEP | MATCHDB } ]
LOCAL Inputs
For local authentication, the SET AUTHENTICATION command has the following input value.
Input | Description |
---|---|
LOCAL | Netezza Performance Server uses local authentication. When a user connects to the Netezza Performance Server system, the system uses the user name and password that is defined by the CREATE USER command to authenticate. This authentication mode is also compatible with releases before release 4.5. |
LDAP Inputs
The SET AUTHENTICATION command takes the following inputs for LDAP authentication:
Input | Description |
---|---|
attrname-string | The field defined in the LDAP server that contains the user name. For Microsoft Active Directory this is typically 'sAMAccountname', 'uid' for IBM® Tivoli® Directory Server, and 'cn' for OpenLDAP servers. The default is 'cn'. |
base-string | The Distinguished Name (DN) within the LDAP namespace where user name searches start. For example: |
bind-password | The password that accompanies the <bind-string> for binding to the LDAP server. |
bind-string | The Distinguished Name to use when binding to the LDAP server. A bind string is optional. This clause is typically not defined for conducting anonymous LDAP look-ups. |
LDAP | Netezza Performance Server uses an LDAP server for authentication. |
LOWERCASE \| UPPERCASE | Indicates whether the LDAP server stores the user name in lowercase or uppercase. |
SSL | The default is OFF. If ON, the system uses SSL when it contacts the LDAP server. When you specify LDAP as the authentication type, you must specify the SSL option. |
port | The port number that the system uses when it connects to the LDAP server. The default is 389. |
scope | The scope that the system uses when it searches the LDAP tree (SUB, ONE, or BASE). |
server | The name or IP address of the LDAP server. |
version-number | The LDAP protocol version number to use. The default is 3. |
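The two rules that bite in practice are that SET AUTHENTICATION LDAP does not retain settings from earlier commands (so every option must be restated) and that the command, bind password included, is written to pg.log with the password masked. The following Python helper is an added example, not code from IBM or the Netezza product: it assembles a complete statement from a configuration dict, applies the defaults the tables above state (VERSION 3, PORT 389, ATTRNAME cn), refuses to run without SSL, SCOPE and NAMECASE (the page gives no default for the last two), predicts the tag/value rows that _t_systemdef will hold, and masks the BINDPW value before the statement is logged. The quoting style follows the Usage examples on this page; the sample hostnames and password are constructed, and the assumption that defaults are recorded in the catalog exactly as written is the example's own.

```python
"""Build a complete SET AUTHENTICATION LDAP statement and predict the catalog
rows it produces (added example; not part of the Netezza product or its docs).

Assumptions, constructed for this example:
- the caller passes option values as plain strings in a dict;
- defaults the page states (VERSION 3, PORT 389, ATTRNAME cn) are written into
  the statement explicitly and are assumed to land in _t_systemdef as written;
- SCOPE and NAMECASE have no documented default, so they are required.
"""
import re
from typing import Dict, List, Tuple

LDAP_DEFAULTS = {"version": "3", "port": "389", "attrname": "cn"}
REQUIRED = ("base", "server", "ssl", "scope", "namecase")
CHOICES = {"ssl": {"ON", "OFF"}, "scope": {"SUB", "ONE", "BASE"},
           "namecase": {"LOWERCASE", "UPPERCASE"}}


def _q(value: str) -> str:
    """Single-quote a value, doubling any embedded quote."""
    return "'" + value.replace("'", "''") + "'"


def resolve_ldap_options(cfg: Dict[str, str]) -> Dict[str, str]:
    """Merge defaults in, check required options, validate keyword choices."""
    missing = [k for k in REQUIRED if k not in cfg]
    if missing:
        raise ValueError(f"missing required LDAP option(s): {', '.join(missing)}")
    opts = dict(LDAP_DEFAULTS)
    opts.update(cfg)
    for key, allowed in CHOICES.items():
        opts[key] = opts[key].upper()
        if opts[key] not in allowed:
            raise ValueError(f"{key.upper()} must be one of {sorted(allowed)}")
    return opts


def build_ldap_statement(cfg: Dict[str, str]) -> str:
    """Return the full statement. Every option is emitted on every call because
    SET AUTHENTICATION does not carry settings over from earlier commands."""
    o = resolve_ldap_options(cfg)
    binddn = _q(o["binddn"]) if "binddn" in o else "NONE"
    bindpw = _q(o["bindpw"]) if "bindpw" in o else "NONE"
    return (
        "SET AUTHENTICATION LDAP "
        f"BASE {_q(o['base'])} SERVER {_q(o['server'])} VERSION {_q(o['version'])} "
        f"BINDDN {binddn} BINDPW {bindpw} PORT {_q(o['port'])} "
        f"SCOPE {_q(o['scope'])} SSL {_q(o['ssl'])} "
        f"ATTRNAME {_q(o['attrname'])} NAMECASE {_q(o['namecase'])};"
    )


def expected_systemdef_rows(cfg: Dict[str, str]) -> List[Tuple[str, str]]:
    """Tag/value rows the page says _t_systemdef holds after the statement."""
    o = resolve_ldap_options(cfg)
    return [
        ("AUTHENTICATION METHOD", "LDAP"),
        ("AUTHMTHD LDAP BASE", o["base"]),
        ("AUTHMTHD LDAP SERVER", o["server"]),
        ("AUTHMTHD LDAP VERSION", o["version"]),
        ("AUTHMTHD LDAP BINDDN", o.get("binddn", "NONE")),
        ("AUTHMTHD LDAP BINDPW", o.get("bindpw", "NONE")),
        ("AUTHMTHD LDAP PORT", o["port"]),
        ("AUTHMTHD LDAP SCOPE", o["scope"]),
        ("AUTHMTHD LDAP SSL", o["ssl"]),
        ("AUTHMTHD LDAP ATTRNAME", o["attrname"]),
        ("AUTHMTHD LDAP NAMECASE", o["namecase"]),
    ]


# Matches the quoted BINDPW value only; "BINDPW NONE" is left alone.
_BINDPW_VALUE = re.compile(r"(BINDPW\s+)'(?:[^']|'')*'", re.IGNORECASE)


def mask_bindpw(statement: str) -> str:
    """Replace the BINDPW value before the statement goes into a log or a
    change ticket, mirroring what pg.log does with it."""
    return _BINDPW_VALUE.sub(r"\1'********'", statement)


if __name__ == "__main__":
    # Constructed sample configuration: hostnames and password are made up.
    sample = {"base": "dc=netezza,dc=com", "server": "ldapserver.netezza.com",
              "binddn": "ldapreader", "bindpw": "example-only",
              "scope": "base", "ssl": "on", "attrname": "uid",
              "namecase": "lowercase"}
    print(mask_bindpw(build_ldap_statement(sample)))
    for tag, value in expected_systemdef_rows(sample):
        print(f"{tag:24} {'********' if tag.endswith('BINDPW') else value}")
```

Because the builder always writes out BINDDN and BINDPW (as NONE when absent), a re-run that omits the bind credentials visibly resets them to anonymous lookups instead of silently relying on a previous command that the system never retained.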
KERBEROS Inputs
The SET AUTHENTICATION command takes the following inputs for Kerberos authentication:
Input | Description |
---|---|
<realm-name> | The authentication administrative domain. The name of a realm is case sensitive, but normally realms always appear in upper case letters. It is also good practice, in an organization, to make the realm name the same as the DNS domain (in upper case letters though). Example: SOMEBOX.MYDOMAIN.COM |
<Kerberos-KDC> | The name or address of a host running a Kerberos Key Distribution Center (KDC) for that realm. You can include an optional port number separated from the hostname by a colon. If the name or address contains colons (for example, if it is an IPv6 address), enclose it in square brackets to distinguish the colon from a port separator. Example: myservr.mydomain.com:88. |
KEEP \| MATCHDB | Indicates whether the letters of the user name as stored at the KDC should be left as-is (KEEP), or transformed to match the system case of the Netezza Performance Server database (MATCHDB). The Kerberos KDC stores names in a case-sensitive format. The Netezza Performance Server database user names are stored in the Netezza Performance Server database system case (the default is uppercase) unless the database name is specified as a delimited identifier. When you configure the Kerberos authentication, you can specify KEEP to use the Kerberos names as-is (no case conversion) for the Netezza Performance Server connection request. Specify MATCHDB to convert the Kerberos name to the Netezza Performance Server system case for the Netezza Performance Server connection request. The default is MATCHDB. |
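Two of the Kerberos inputs above are easy to get subtly wrong: a KDC address that contains colons must be bracketed so the trailing port is not read as part of the address, and USERCASE decides whether a principal such as alice@SOMEBOX.MYDOMAIN.COM is looked up as alice or ALICE. The following Python helper is an added example, not code from IBM or the Netezza product: parse_kdc applies the page's bracket rule and rejects ambiguous values rather than guessing, db_user_from_principal shows the KEEP and MATCHDB mappings (with the page's uppercase system-case default), and build_kerberos_statement assembles the command with every option spelled out. The principal format name@REALM and the sample hosts are constructed assumptions; delimited (quoted) user names are outside the helper.

```python
"""Validate SET AUTHENTICATION KERBEROS inputs (added example; not part of the
Netezza product or its documentation).

Assumptions, constructed for this example:
- a principal has the form name@REALM;
- the database system case is uppercase unless the caller overrides it
  (the page's stated default); delimited user names are out of scope;
- a KDC value is host[:port], with the host in square brackets when it
  contains colons (an IPv6 address), as the page requires.
"""
import re
from typing import Optional, Tuple

_BRACKETED = re.compile(r"^\[(?P<host>[^\]]+)\](?::(?P<port>\d+))?$")
_PLAIN = re.compile(r"^(?P<host>[^:\[\]]+)(?::(?P<port>\d+))?$")


def parse_kdc(kdc: str) -> Tuple[str, Optional[int]]:
    """Split a KDC value into (host, port); port is None when not given.

    An unbracketed value with more than one colon is ambiguous (is the last
    number a port or part of the address?) and is rejected, not guessed.
    """
    m = _BRACKETED.match(kdc) or _PLAIN.match(kdc)
    if not m:
        raise ValueError(
            f"malformed KDC {kdc!r}: bracket IPv6 hosts, e.g. [2001:db8::1]:88")
    port = int(m.group("port")) if m.group("port") else None
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"KDC port out of range: {port}")
    return m.group("host"), port


def db_user_from_principal(principal: str, usercase: str = "MATCHDB",
                           system_case: str = "UPPERCASE") -> str:
    """Return the user name the database will look up for a Kerberos principal.

    KEEP passes the KDC spelling through unchanged; MATCHDB converts it to the
    database system case (uppercase by default).
    """
    name = principal.split("@", 1)[0]
    mode = usercase.upper()
    if mode == "KEEP":
        return name
    if mode == "MATCHDB":
        return name.upper() if system_case.upper() == "UPPERCASE" else name.lower()
    raise ValueError("USERCASE must be KEEP or MATCHDB")


def build_kerberos_statement(realm: str, kdc: str,
                             usercase: str = "MATCHDB") -> str:
    """Return a SET AUTHENTICATION KERBEROS statement with every option spelled
    out, after validating the KDC form and the USERCASE keyword."""
    parse_kdc(kdc)  # raises on an ambiguous or malformed KDC value
    mode = usercase.upper()
    if mode not in ("KEEP", "MATCHDB"):
        raise ValueError("USERCASE must be KEEP or MATCHDB")
    return (f"SET AUTHENTICATION KERBEROS REALM '{realm}' "
            f"KDC '{kdc}' USERCASE '{mode}';")


if __name__ == "__main__":
    # Constructed sample values; the hosts below do not exist.
    print(build_kerberos_statement("SOMEBOX.MYDOMAIN.COM", "myservr.mydomain.com:88"))
    print(parse_kdc("[2001:db8::1]:88"))
    for mode in ("KEEP", "MATCHDB"):
        print(mode, db_user_from_principal("alice@SOMEBOX.MYDOMAIN.COM", mode))
```

Rejecting an unbracketed multi-colon KDC value is deliberate: the alternative readings (address 2001:db8::1 with port 88, or address 2001:db8::1:88 with no port) send tickets to different places, and a wrong KDC surfaces only as a failed login later.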
Outputs
The SET AUTHENTICATION command has the following outputs:
Output | Description |
---|---|
SET AUTHENTICATION | The command was successful. |
ERROR: permission denied | You do not have the necessary privileges. |
ERROR: krb5.conf not found at /nz/data.1.0/config/krb5.conf. Either add the file there or specify a realm and KDC. | You issued a SET AUTHENTICATION KERBEROS command but did not have a krb5.conf file already available with your environment settings, or you did not specify the required <kerberos-config> settings to create the file. |
Privileges
You must be an administrator, or you must have the Manage System privilege, to issue this command.
Usage
SET AUTHENTICATION KERBEROS REALM 'SOMEBOX.MYDOMAIN.COM'
kdc 'myservr.mydomain.com:88' usercase 'matchdb';
NOTICE: Updating /nz/data.1.0/config/krb5.conf and other files.
NOTICE: Re-log-in or open a new shell for changes to take effect.
SET VARIABLE

SET AUTHENTICATION ldap base 'dc=netezza,dc=com' server
'ldapserver.netezza.com' port '389' version '3' binddn 'ldapreader'
scope 'base' ssl 'off' attrname 'uid' namecase 'lowercase';
SET VARIABLE

SET AUTHENTICATION ldap base 'dc=netezza,dc=com' server
'ldapserver.netezza.com' port '389' version '3' binddn 'ldapreader'
scope 'base' ssl 'off' attrname 'cn' namecase 'lowercase';
SET VARIABLE

SET AUTHENTICATION ldap base 'dc=netezza,dc=com' server
'ldapserver.netezza.com' port '389' version '3' binddn 'ldapreader'
scope 'base' ssl 'off' attrname 'sAMAccountName' namecase 'lowercase';
SET VARIABLE