Netezza Authentication and Ldap.

Netezza by default uses usernames and passwords to control access unless you have set up LDAP.

First off, remember that LDAP has to be set up first, and that you have to issue the nzstop/nzstart commands for the changes to take effect.

Secondly, remember to stop LDAP authenticating against the local host. By default LDAP attempts to authenticate against localhost, because of an entry in the configuration file /nz/data/config/ldap.conf.

This is done by removing the line from /etc/ldap.conf, or commenting it out as below:

#uri ldap://127.0.0.1/

Now copy /etc/ldap.conf over /nz/data/config/ldap.conf:

cp /etc/ldap.conf /nz/data/config/ldap.conf
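The following is an added example, not part of the original post: a small POSIX sh check that reports whether an ldap.conf still has an active uri (or older-style host) directive pointing at 127.0.0.1 or localhost, and a function that comments such lines out while keeping a backup. The sample configuration it writes is constructed for the demonstration; the file paths and directive syntax follow the OpenLDAP-style ldap.conf shown above.

```shell
#!/bin/sh
# Added example (not from the original post). Detects and disables
# "uri ldap://127.0.0.1/"-style entries that make the LDAP client try
# to authenticate against the local host instead of the real server.

# Print active (uncommented) uri/host lines that reference localhost.
# Exit status 0 if at least one such line exists, 1 otherwise.
has_local_uri() {
    grep -Ei '^[[:space:]]*(uri[[:space:]]+ldaps?://|host[[:space:]]+)(127\.0\.0\.1|localhost)([:/[:space:]]|$)' "$1"
}

# Comment out those lines in place, keeping a ".bak" copy of the original.
# Already-commented lines are untouched, so this is safe to run twice.
disable_local_uri() {
    cp "$1" "$1.bak" || return 1
    sed -E 's,^([[:space:]]*)((uri[[:space:]]+ldaps?://|host[[:space:]]+)(127\.0\.0\.1|localhost)[^[:space:]]*),\1#\2,' \
        "$1.bak" > "$1"
}

# Constructed sample ldap.conf used only for the demonstration.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample ldap.conf (not a real configuration)
base dc=example,dc=com
uri ldap://127.0.0.1/
uri ldap://ldap.example.com/
ssl off
EOF
}

# Stand-alone run: create the sample, show the offending line, fix it, re-check.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    write_sample_conf "$f"
    echo "Before:"; has_local_uri "$f" || echo "(none)"
    disable_local_uri "$f"
    echo "After:";  has_local_uri "$f" || echo "(none)"
    rm -f "$f" "$f.bak"
fi
```

Run it against the copied file (for example /nz/data/config/ldap.conf) before issuing nzstop/nzstart, and remember that a clean result here only proves the localhost entry is gone, not that the remote server entry is reachable.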

LDAP is now defined on the system.

Now we can check the authentication.

SYSTEM(ADMIN)=> show authentication;
 AUTH_OPTION           | AUTH_VALUE
-----------------------+------------
 AUTHENTICATION METHOD | LDAP
(1 row)

This means that all authentication is done through the LDAP server defined in the /nz/data/config/ldap.conf file.

To change back, you can use the command:

SYSTEM(ADMIN)=> set authentication local;
SET AUTHENTICATION
SYSTEM(ADMIN)=> show authentication;
 AUTH_OPTION           | AUTH_VALUE
-----------------------+------------
 AUTHENTICATION METHOD | LOCAL
(1 row)

Remember that you have to issue the nzstop and nzstart commands for this to take effect.

If you are going to set up LDAP, it is set in the following manner:

set authentication ldap base "dc=clientsetting1,dc=clientsetting2" server "clientserver" port "clientport" version "3" scope "sub" ssl "off" attrname "sAMAccountName" binddn "cn=NetezzaUserOnLdap,ou=A,dc=clientsetting1,dc=clientsetting2" bindpw "NetezzaPasswordOnLdap";
show authentication all;

This will allow you to set up LDAP and logging. However, at this point users other than ADMIN will be unable to log in unless they exist on the LDAP server.

Remember to issue the nzstop and nzstart commands after the changes so that the system re-reads the configuration.

To create a user that is authenticated locally while LDAP is enabled, use the following command:

create user userX password 'passwd' auth local;

To modify an existing user to be locally authenticated while LDAP is enabled, use the following command (the first connection attempt fails because the user is not on the LDAP server):

SYSTEM(ADMIN)=> \c nzdb dbs dbsdbs
LDAP authentication failed for user 'DBS'
Previous connection kept
SYSTEM(ADMIN)=> alter user dbs auth local;
ALTER USER
SYSTEM(ADMIN)=> \c nzdb dbs dbsdbs
You are now connected to database nzdb as user dbs.


6 Responses to Netezza Authentication and Ldap.

  1. James says:

    Just figured out. Have to comment a line in /etc/ldap.conf.
    #uri ldap://127.0.0.1/
    And copy:
    cp /etc/ldap.conf /nz/data/config/ldap.conf
    Also note that Netezza document mentions have to run nzstop and nzstart after making changes to authentication mode.

    • Gary says:

      Excellent. Yes, you do have to restart nz to have the changes take effect, and to stop ldap authenticating locally you do need to remove the localhost reference for the ldap server.
      Thanks, will update the document. Glad you resolved the problem.
      Cheers, Gary.

  2. Gary says:

    Hi James,
    Did you create the user with authentication LDAP or default? If default and the database authentication is set to local then LDAP will not be checked, but you should be able to check by logging in with the normal username and password as required. From my knowledge, you can set authentication at database level to either ldap or local, or you can set it per user, therefore try:
    create user user1 with password 'password' authentication ldap;
    I don't have a system here to test on, will try when I get a chance and update the document.
    You should also check in the log files, the failure to authenticate on Ldap will be listed in there.
    Cheers, Gary.

  3. James says:

    How do you create a LDAP user in NZSQL? Something like this?
    CREATE USER loginname auth default;
    It didn’t work for me (can’t log in), wondering if we need to specify the domain name in it.

    • Gary says:

      Hi James,
      Yes, under server you will have to specify the LDAP server to which you want to connect. If the system is on a domain and the LDAP is on the same domain, you will require the server domain name in there, such as :
      server "exampleserver.africa.nedcor.net"
      Many items have default values so you need not define them all.
      Check in the logs for any errors regarding LDAP to troubleshoot.
      Change your user to authenticate with LDAP using the command:
      alter user user1 authentication LDAP;
      You can also check the default with the command:
      system (admin) => SHOW AUTHENTICATION ALL;
      So you should be able to check the default authentication, switch to LDAP and modify the user.

      • James says:

        Thanks for the response Gary.
        I already have the LDAP server and other values set up and default authentication is ldap. Just when I create a user and tried to log in it won’t authenticate under Netezza.
