LDAP authentication in ADB
ADB (as well as Greengage DB) supports Lightweight Directory Access Protocol (LDAP) user authentication. When LDAP authentication is used, user accounts and passwords are checked on the selected LDAP server. The steps for configuring LDAP authentication in ADB via ADCM are described below.
|
NOTE
You can configure LDAP authentication parameters via ADCM in ADB 6 starting with ADB 6.25.1.49. In this version, automatic synchronization of ADB users and groups with LDAP has also been implemented — via the pg-ldap-sync utility, which comes with the ADB bundle. In previous versions of ADB, LDAP authentication was possible, but you needed to manually perform the steps described below in the Synchronize ADB and LDAP section (the pg_hba.conf file upgrade and creation of roles in ADB).
|
Configure LDAP authentication
To configure LDAP authentication in ADB, follow the steps:
-
Ensure the target LDAP server is configured and available. ADB supports two LDAP implementations: Microsoft Active Directory (MS AD) and 389 Directory Server as a part of FreeIPA.
-
Open the configuration parameters of the ADB service in ADCM.
-
Switch on the UI LDAP authentication toggle.
-
Field Description Default value Example in MS AD Type
A type of the LDAP server. Possible values:
-
MSAD— Microsoft Active Directory -
FreeIPA— 389 Directory server as a part of FreeIPA
MSAD
MSAD
URI
A URI for connecting to the LDAP server in the following format:
<host>:<port>—
10.92.12.49:389
LDAP encryption
Encryption method to be used for LDAP connections:
-
ldaps— use LDAP over SSL/TLS (LDAPS) -
starttls— use the Start Transport Layer Security (StartTLS) operation -
none— do not use encrypted LDAP
none
—
Users baseDN
A limitation of the search scope of objects in the LDAP directory that is used in user search requests
—
ou=People,dc=ad,dc=ranger-test
Groups baseDN
A limitation of the search scope of objects in the LDAP directory that is used in group search requests
—
ou=Groups,dc=ad,dc=ranger-test
Users filter
An LDAP filter that is used to search users. Should be specified according to the RFC 2254
(&(|(objectClass=person)(objectClass=inetOrgPerson))(cn=*))
(&(objectClass=person)(objectClass=organizationalPerson)(givenName=*)(sn=*)(sAMAccountName=*))
Groups filter
An LDAP filter that is used to search groups. Should be specified according to the RFC 2254
(&(|(objectClass=group)(objectClass=groupofnames)(objectClass=groupOfUniqueNames))(cn=*))
(cn=*)
SA Login
A user name that is used for service requests to the LDAP server
—
cn=admin,dc=ad,dc=ranger-test
Password
A user password that is used for service requests to the LDAP server
—
A password of the
adminuserLowercase login
Whether or not to convert user names to lowercase
false
false
Lowercase group
Whether or not to convert group names to lowercase
false
false
Sync interval
A
cronexpression that defines how often synchronization of ADB users and groups with an LDAP server should be performed. The pg-ldap-sync utility, which comes with the ADB bundle, is used for synchronization0 * * * *
0 * * * *
NOTEVarious LDAP implementations use different names for object types and identifiers. It is recommended to refine the settings format for a specific LDAP implementation from the LDAP server administrator.
-
-
Click Save. Then apply the Reconfigure & Restart action to the ADB service.
Configure LDAP authentication for ADB via ADCM
Synchronize ADB and LDAP
If LDAP authentication is configured successfully, the following operations are performed in ADB automatically:
-
Upgrade of the pg_hba.conf file. The following entry about LDAP authentication is added to the pg_hba.conf file, which is located in the data directory of the master host (/data1/master/gpseg-1/ in the following example):
# BEGIN LDAP host all +ldap_users 0.0.0.0/0 ldap ldapserver=<URI> ldapbasedn="<Users baseDN>" ldapbinddn="<SA Login>" ldapbindpasswd="<Password>" ldapsearchattribute="<attribute>" # END LDAP
where:
-
ldap_users— a name of the ADB role, to which all LDAP users will be added. -
<URI>,<Users baseDN>,<SA Login>,<Password>— values of the eponymous parameters of the ADB service. -
<attribute>— the LDAP attribute; this value will be used as a name of each role in ADB when synchronizing users. Possible values:-
sAMAccountName— for MS AD. -
uid— for FreeIPA.
-
-
-
Synchronization of ADB users and groups with LDAP. Information about LDAP users and groups, which meet the selection criteria specified in the configuration step, is added to the ADB database. Synchronization is performed via the pg-ldap-sync utility. To ensure successful synchronization, you can run the following query against the
pg_rolestable:SELECT rolname FROM pg_roles;As the SQL command output shows, the following roles are automatically created in ADB after successful LDAP synchronization:
-
ldap_users— a role into which all LDAP users are added (by running theCREATE ROLE … LOGIN IN ROLE ldap_users …command automatically). -
ldap_groups— a role into which all LDAP groups are added (by running theCREATE ROLE … NOLOGIN IN ROLE ldap_groups …command automatically). -
ffedorov,ppetrov,ssemenov,zeptest— all users received from the LDAP server and added to theldap_usersrole. -
ADCM,ADH,Adccadmins,Analysts,Managers— all groups received from the LDAP server and added to theldap_groupsrole. The membership of users in these groups is set automatically by runningGRANT.
rolname ------------- gpadmin gpmon ldap_users ldap_groups ADCM ADH Adccadmins Analysts Managers ffedorov ppetrov ssemenov zeptest (13 rows)
-
Use LDAP over SSL
There are two methods to establish secure connections between ADB and LDAP servers:
-
LDAPS (LDAP over SSL/TLS) works by establishing a secure TLS tunnel before any LDAP traffic flows. It typically uses a dedicated port (636) to which clients connect directly.
-
With StartTLS, a connection starts as a plaintext LDAP connection, and then the client sends a special
StartTLSextended operation to request TLS encryption. It typically uses a regular LDAP port — 389.
To use ADB with LDAP over SSL, configure your LDAP server and select one of these two methods in the LDAP encryption configuration parameter of the ADB service.
In the examples below, val-pam.ru-central1.internal is used as the LDAP server hostname.
Make sure to change it to your actual LDAP server hostname when running the commands.
Configure LDAP server to use SSL
The following steps provide an example of setting up SSL encryption for OpenLDAP on Ubuntu 22.04. If your LDAP server already has SSL configured, you can skip the first section — make sure to add the CA certificate to the ADB master host and then enable LDAPS or StartTLS in ADB.
-
Create a directory for the certificates and navigate into it:
$ sudo mkdir -p /etc/ldap/ssl && cd /etc/ldap/ssl -
Create the self‑signed CA certificate:
$ sudo openssl req -new -x509 -nodes -out ca.crt -keyout ca.key -days 3650 -subj "/CN=My Certificate Authority" -
Generate a server private key and a Certificate Signing Request (CSR). In the
Common Name (CN)field, provide the LDAP server address that is accessible from the ADB master host.$ sudo openssl req -new -nodes \ -out server.csr \ -keyout server.key \ -subj "/CN=val-pam.ru-central1.internal" \ -addext "subjectAltName = DNS:val-pam.ru-central1.internal" -
Sign the server CSR with the CA to obtain the server certificate:
$ sudo openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -
Set permissions for the generated files:
$ sudo chown -R openldap:openldap /etc/ldap/ssl/ $ sudo chmod 600 /etc/ldap/ssl/server.key $ sudo chmod 644 /etc/ldap/ssl/server.crt /etc/ldap/ssl/ca.crt -
Configure the
slapddaemon to use the generated certificates. To do so, create a tls.ldif file with the following content:dn: cn=config changetype: modify replace: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/ldap/ssl/ca.crt - replace: olcTLSCertificateFile olcTLSCertificateFile: /etc/ldap/ssl/server.crt - replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ldap/ssl/server.key -
Apply the created configuration:
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldifThe output should be as follows:
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config"
-
Open the /etc/default/slapd file and add
ldaps:///to theSLAPD_SERVICESparameter, so that the resulting line looks as follows:SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"This setting makes the LDAP server listen on ports 636 (LDAPS) and 389 (unencrypted LDAP). Unencrypted LDAP can be used for StartTLS, which upgrades the connection to TLS after the initial handshake.
-
Restart
slapd:$ sudo systemctl restart slapd -
Check that the LDAPS server is listening on port 636:
$ sudo lsof -i :636The output should be similar to:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME slapd 114824 openldap 10u IPv4 184207 0t0 TCP *:ldaps (LISTEN) slapd 114824 openldap 11u IPv6 184208 0t0 TCP *:ldaps (LISTEN)
Add the certificate to the master host
For ADB to validate the LDAP server identity, the CA certificate must be present on the master host. If it’s a self-signed certificate (as in the example above), you must also add it to your operating system trust store.
-
On the master host, create a directory for the CA certificate file:
$ sudo mkdir -p /etc/ldap/ssl -
Copy the CA certificate file from the LDAP server to that directory on the master host:
$ scp user@val-pam.ru-central1.internal:/etc/ldap/ssl/ca.crt /tmp/ca.crt $ sudo cp /tmp/ca.crt /etc/ldap/ssl/ -
Set the permissions for the CA certificate file as follows:
$ sudo chmod 644 /etc/ldap/ssl/ca.crt -
Install the CA certificate in the trust store:
$ sudo cp /etc/ldap/ssl/ca.crt /usr/local/share/ca-certificates $ sudo update-ca-certificates
Check secure connections
Before making changes in ADB, you can optionally check that encrypted LDAP connections can be established from the ADB master host to the configured LDAP server.
To check LDAPS, on the ADB master host, run:
$ ldapsearch -H ldaps://val-pam.ru-central1.internal -D cn=admin,dc=ru-central1,dc=internal -W -b "dc=ru-central1,dc=internal" -s base
To check using StartTLS, on the ADB master host, run:
$ ldapsearch -H ldap://val-pam.ru-central1.internal -ZZ -D cn=admin,dc=ru-central1,dc=internal -W -b "dc=ru-central1,dc=internal" -s base
In both cases, the output should contain the Success result.
# extended LDIF # # LDAPv3 # base <dc=ru-central1,dc=internal> with scope baseObject # filter: (objectclass=*) # requesting: ALL # # ru-central1.internal dn: dc=ru-central1,dc=internal objectClass: top objectClass: dcObject objectClass: organization o: ru-central1.internal dc: ru-central1 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
Enable LDAPS in ADB
-
Open the configuration parameters of the ADB service in ADCM.
-
Switch on the UI LDAP authentication toggle and configure the following LDAP parameters:
-
URI — enter the LDAP server address in the
<host>:<port>format. For LDAPS, the port is usually 636. For example,val-pam.ru-central1.internal:636. -
LDAP encryption — select
ldaps.
-
-
All other LDAP parameters can be configured as shown for regular LDAP.
-
Click Save and then run the Reconfigure & Restart action of the ADB service to apply the changes.
If the Reconfigure & Restart action completes successfully, the pg_hba.conf file gets a new rule for members of the ldap_users group.
This rule includes the LDAP server address with the ldaps scheme, which enables LDAPS.
The resulting LDAP configuration section in the pg_hba.conf file should look as follows:
# BEGIN LDAP host all +ldap_users 0.0.0.0/0 ldap ldapserver=ldaps://val-pam.ru-central1.internal:636 ldapbasedn="ou=People,dc=ru-central1,dc=internal" ldapbinddn="cn=admin,dc=ru-central1,dc=internal" ldapbindpasswd="12345" ldapsearchattribute="uid" # END LDAP
You can now check LDAP authentication — for users from the ldap_users group, ADB will connect to the LDAP server using LDAPS.
Enable StartTLS in ADB
-
Open the configuration parameters of the ADB service in ADCM.
-
Switch on the UI LDAP authentication toggle and configure the LDAP parameters:
-
URI — enter the LDAP server address in the
host:portformat. A regular LDAP port, 389, is usually used for StartTLS. For example,val-pam.ru-central1.internal:389. -
LDAP encryption — select
starttls.
-
-
All other LDAP parameters can be configured as shown for regular LDAP.
-
Click Save and then run the Reconfigure & Restart action of the ADB service to apply the changes.
If the Reconfigure & Restart action completes successfully, the pg_hba.conf file gets a new rule for members of the ldap_users group.
This rule includes the ldaptls=1 option, which enables TLS encryption via the StartTLS operation.
The resulting LDAP configuration section in the pg_hba.conf file should look as follows:
# BEGIN LDAP host all +ldap_users 0.0.0.0/0 ldap ldapserver=val-pam.ru-central1.internal:389 ldaptls=1 ldapbasedn="ou=People,dc=ru-central1,dc=internal" ldapbinddn="cn=admin,dc=ru-central1,dc=internal" ldapbindpasswd="12345" ldapsearchattribute="uid" # END LDAP
You can now check LDAP authentication — for users from the ldap_users group, ADB will connect to the LDAP server using StartTLS.
Check LDAP authentication
To check that LDAP authentication is properly configured in ADB, you can run psql to connect to ADB using the name of any LDAP user as the -U argument (ffedorov in the following example).
$ psql adb -h <Master host name or IP address> -U "ffedorov"
If LDAP authentication is configured successfully, you will be prompted to enter the user password. After entering the correct password (assigned on the LDAP server side), the user can access the database.
Password for user ffedorov: psql (9.4.26) Type "help" for help. adb=>