User authentication method
By default, when you create a database user, you specify a password for that account. The password is saved with the user account in the Netezza Performance Server database. When the user logs in to the database or runs a command and specifies the Netezza Performance Server user account and password, Netezza Performance Server verifies that password against the string that is stored in the Netezza Performance Server database. This method is called local authentication. The admin database user always uses local authentication.
Netezza Performance Server also supports the option to authenticate database users (except admin) by using one of the following trusted authentication sources:
- You can use LDAP authentication to authenticate database users, manage passwords, and manage account activations and deactivations. The Netezza Performance Server system then uses a Pluggable Authentication Module (PAM) to authenticate users on the LDAP name server. Microsoft Active Directory conforms to the LDAP protocol, so it can be treated like an LDAP server for the purposes of LDAP authentication.
- You can use Kerberos authentication to authenticate database users, manage passwords, and manage account activations and deactivations. The Netezza Performance Server system uses Kerberos configuration files to connect with the Kerberos key distribution center (KDC) to authenticate database users before they are allowed to connect to a database.
The Netezza Performance Server host supports LDAP or Kerberos authentication for database user logins only, not for operating system logins on the host. You cannot use both LDAP and Kerberos to authenticate database users on the Netezza Performance Server system.
If you use LDAP or Kerberos authentication, you do not have to specify a password for the database user accounts when you create them, but it is a good practice to specify one. If you switch to local authentication, a database user cannot connect to a database if their password is null.
Authentication is a system-wide setting, but if you choose LDAP or Kerberos authentication, you can create database users who are locally authenticated as exceptions.
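The following nzsql session is an added example, not taken from the original documentation, that walks through the behavior described above: setting the system-wide method, creating a user with a non-null password, and creating a locally authenticated exception. The LDAP server name, base DN, user names, and passwords are constructed placeholders, and the statements assume an account with the privilege to manage system authentication, such as admin.

```sql
-- Added example; the server name, base DN, user names and passwords
-- below are constructed placeholders, not values from the documentation.

-- 1. Check which authentication method is currently set system-wide.
SHOW AUTHENTICATION;

-- 2. Switch the system-wide method to LDAP, with SSL enabled so that
--    credentials are not sent to the LDAP name server in clear text.
SET AUTHENTICATION LDAP
    BASE 'dc=example,dc=com'
    SERVER 'ldap.example.com'
    SSL 'ON';

-- 3. Ordinary user: authenticated by LDAP (the system default).
--    A local password is still set, so the account does not have a
--    null password if the system is later switched to local
--    authentication.
CREATE USER analyst1 WITH PASSWORD 'Placeholder-Pw-1';

-- 4. Exception: a user who stays locally authenticated even though
--    the system-wide method is LDAP. This account must have a
--    non-null password, because the database itself verifies it.
CREATE USER svc_loader WITH PASSWORD 'Placeholder-Pw-2' AUTH LOCAL;

-- 5. Move the exception account back to the system-wide method.
ALTER USER svc_loader WITH AUTH DEFAULT;

-- 6. Return the whole system to local authentication. Any user whose
--    stored password is null cannot connect after this point, which is
--    why steps 3 and 4 set a password.
SET AUTHENTICATION LOCAL;
```

The admin user is not affected by steps 2 and 6, because it always uses local authentication.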