User Authentication Using LDAP

A NuoDB database user can either be an internal NuoDB database user or one that will be authenticated using an LDAP server. An internal NuoDB database user is created with the command:

CREATE USER username PASSWORD 'password';

An external NuoDB database user, one that will be authenticated via an LDAP server, is created with the command:

CREATE USER username EXTERNAL;

Using authentication via an LDAP server allows the DBA to minimize administrative duties, since your users will be able to reuse their existing account to access their NuoDB database. NuoDB LDAP support is currently a preview feature. Specifically, LDAP support is insecure in the current release as passwords are sent in plain text.

Caution: NuoDB encourages you to use preview features in your development projects. However, the use of preview features in production is not supported.

You will not be able to create an external user, that is, you will not be able to use CREATE USER username EXTERNAL, until all transaction engines in the current database are updated to a release equal to or greater than NuoDB 2.4. If an older database process is running in your database, you will receive this error message:

External users are not supported by this version of the database until the upgrade process has been completed

You will not be able to create an external user where an internal user already exists with the same name. You will not be able to create an internal user where an external user already exists with the same name.

See CREATE USER for more information.

Configuring the Transaction Engine for LDAP Authentication

There are five required database options that must be specified for any TE that supports LDAP authentication. They are:

Option Name   Option Argument   Description
ldap-dn       ldapDN            Required for LDAP authentication. Use the Distinguished Name ldapDN to bind to the LDAP directory.
                                Example: ldap-dn 'cn=Manager,ou=people,dc=example,dc=com'
ldap-pass     ldapPassword      Required for LDAP authentication. LDAP password for simple authentication.
ldap-base     ldapBase          Required for LDAP authentication. Starting point for the LDAP search instead of the default.
                                Example: 'ou=people,dc=example,dc=com'
ldap-type     unix | windows    Required for LDAP authentication. LDAP server type. Only unix or windows is allowed.
ldap-uri      ldapURI           Required for LDAP authentication. URI referring to the LDAP server(s).
                                Example: 'ldap://localhost:389'

In addition, the following three options are optional:

Option Name   Option Argument   Description
ldap-conf     ldapConf          Optional. Path to the ldap.conf file to use (see man ldap.conf; Linux only).
ldap-ca       ldapCA            Optional. CA certificate used to validate the server certificate for ldaps (Linux only).
ldap-lib      ldapLib           Optional. OpenLDAP library name (Linux only).
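As an added check that is not part of NuoDB's own tooling, the following bash script validates a TE's LDAP option set, written in the "name value" form used in the tables above, before the TE is started: it confirms that the five required options are present, that ldap-type is unix or windows, flags a plain ldap:// URI, and prints the ldapsearch command that verifies the bind DN and search base against the directory. The sample option block and its ldap-pass value are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example, not NuoDB tooling: sanity-check a TE's LDAP database options
# (in the "name value" form used in the tables above) before starting the TE.

# get_opt "<options text>" <name>: value of one option, surrounding quotes removed.
get_opt() {
    local v
    v=$(printf '%s\n' "$1" | awk -v n="$2" '$1 == n { sub(/^[^ \t]+[ \t]+/, ""); print; exit }')
    v=${v#\'}
    printf '%s' "${v%\'}"
}

# check_ldap_options "<options text>": report missing or invalid required
# options; returns 0 when all five are present and ldap-type / ldap-uri are valid.
check_ldap_options() {
    local conf=$1 rc=0 opt
    for opt in ldap-dn ldap-pass ldap-base ldap-type ldap-uri; do
        [ -n "$(get_opt "$conf" "$opt")" ] || { echo "MISSING: $opt"; rc=1; }
    done
    case "$(get_opt "$conf" ldap-type)" in
        unix|windows|'') ;;
        *) echo "INVALID: ldap-type must be unix or windows"; rc=1 ;;
    esac
    case "$(get_opt "$conf" ldap-uri)" in
        ldap://*)  echo "WARNING: ldap:// is unencrypted; the bind password crosses the network in cleartext" ;;
        ldaps://*|'') ;;
        *) echo "INVALID: ldap-uri must start with ldap:// or ldaps://"; rc=1 ;;
    esac
    return "$rc"
}

# bind_test_command "<options text>": the ldapsearch call that verifies the bind
# DN and search base against the directory (-W prompts for the password so it
# never appears in argv; quote values containing shell metacharacters yourself).
bind_test_command() {
    printf 'ldapsearch -LLL -H %s -D %s -W -b %s -s base\n' \
        "$(get_opt "$1" ldap-uri)" "$(get_opt "$1" ldap-dn)" "$(get_opt "$1" ldap-base)"
}

# Constructed sample option set; the password is a placeholder.
SAMPLE_OPTIONS="ldap-dn 'cn=Manager,ou=people,dc=example,dc=com'
ldap-pass 'PLACEHOLDER_PASSWORD'
ldap-base 'ou=people,dc=example,dc=com'
ldap-type unix
ldap-uri 'ldap://localhost:389'"

check_ldap_options "$SAMPLE_OPTIONS" && bind_test_command "$SAMPLE_OPTIONS"
```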

If your database has one or more TEs with LDAP authentication configured and one or more TEs without it, you will see different behavior depending on which TE the client is connected to. The database itself has only one entry per user, and that entry is marked as either external or not (see PASSWORDS System Table Description). If the user is external and the client connects to a TE without LDAP authentication, the user will not authenticate. If the user was not created with CREATE USER username EXTERNAL, the TE will not attempt to authenticate the user via LDAP, regardless of whether the TE to which the client is connected supports LDAP authentication.