User Authentication Using LDAP

A NuoDB database user can either be an internal NuoDB database user or one that will be authenticated using an LDAP server. An internal NuoDB database user is created with the command:

CREATE USER username PASSWORD 'password';

An external NuoDB database user, one that will be authenticated via an LDAP server, is created with the command:

CREATE USER username EXTERNAL;

Authenticating via an LDAP server reduces the DBA's administrative burden, since users can reuse their existing directory account to access their NuoDB database.

You cannot create an external user where an internal user with the same name already exists, nor an internal user where an external user with the same name already exists.

See CREATE USER for more information.

Configuring the Transaction Engine for LDAP Authentication

There are five required database options that must be specified for any TE that supports LDAP authentication. They are:

ldap-dn ldapDN
    Required for LDAP authentication. Use the Distinguished Name ldapDN to bind to the LDAP directory.
    Example: ldap-dn 'cn=Manager,ou=people,dc=example,dc=com'

ldap-pass ldapPassword
    Required for LDAP authentication. LDAP password for simple authentication.

ldap-base ldapBase
    Required for LDAP authentication. Starting point for the LDAP search instead of the default.
    Example: 'ou=people,dc=example,dc=com'

ldap-type unix | windows
    Required for LDAP authentication. LDAP server type. Only unix or windows is allowed.

ldap-uri ldapURI
    Required for LDAP authentication. Specify the URI referring to the LDAP server(s).
    Example: 'ldap://localhost:389'

In addition, the following three options are optional:

ldap-conf ldapConf
    Optional. Path to the ldap.conf file to use (see man ldap.conf; Linux only).

ldap-ca ldapCA
    Optional. LDAP CA certificate used to validate the server certificate for ldaps (Linux only).

ldap-lib ldapLib
    Optional. OpenLDAP library name (Linux only).
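Before starting a TE with these options, a pre-flight check like the following catches the mistakes the option descriptions above rule out (a missing required option, an ldap-type other than unix or windows, an ldap-uri that is not ldap:// or ldaps://) and flags the two encryption choices: plaintext ldap:// sends ldap-pass in the clear during the simple bind, and ldaps without ldap-ca leaves server-certificate validation to the host's defaults. This is an added Python example, not NuoDB's own tooling or documentation; the validation rules, the whitespace-separated multi-URI form, and the hostnames and file paths are assumptions.

```python
from urllib.parse import urlsplit

REQUIRED = ("ldap-dn", "ldap-pass", "ldap-base", "ldap-type", "ldap-uri")
OPTIONAL = ("ldap-conf", "ldap-ca", "ldap-lib")   # Linux only, per the option list

def looks_like_dn(value: str) -> bool:
    """True when every comma-separated RDN has the form attr=value (escaped commas not handled)."""
    parts = [p.strip().split("=", 1) for p in value.split(",")]
    return all(len(p) == 2 and p[0] and p[1] for p in parts)

def check_ldap_options(opts: dict) -> tuple[list, list]:
    """Return (errors, warnings) for one TE's LDAP option set.
    The rules are inferred from the option descriptions and are an assumption."""
    errors, warnings = [], []
    for name in REQUIRED:
        if not opts.get(name):
            errors.append(f"missing required option {name}")
    for name in opts:
        if name not in REQUIRED + OPTIONAL:
            errors.append(f"unknown option {name}")
    ldap_type = opts.get("ldap-type")
    if ldap_type and ldap_type not in ("unix", "windows"):
        errors.append(f"ldap-type must be unix or windows, got {ldap_type!r}")
    for name in ("ldap-dn", "ldap-base"):
        if opts.get(name) and not looks_like_dn(opts[name]):
            errors.append(f"{name} is not a well-formed DN: {opts[name]!r}")
    # ldap-uri may name several servers; assumed to be whitespace-separated
    for uri in (opts.get("ldap-uri") or "").split():
        scheme = urlsplit(uri).scheme.lower()
        if scheme not in ("ldap", "ldaps"):
            errors.append(f"ldap-uri scheme must be ldap or ldaps: {uri}")
        elif scheme == "ldap":
            warnings.append(f"{uri}: simple bind over ldap:// sends ldap-pass in clear text")
        elif not opts.get("ldap-ca"):
            warnings.append(f"{uri}: ldaps without ldap-ca relies on the host's default trust store")
    return errors, warnings

# Constructed sample option sets (hostnames, password and paths are placeholders)
HARDENED = {"ldap-dn": "cn=Manager,ou=people,dc=example,dc=com", "ldap-pass": "bind-password-placeholder",
            "ldap-base": "ou=people,dc=example,dc=com", "ldap-type": "unix",
            "ldap-uri": "ldaps://ldap.example.com:636", "ldap-ca": "/etc/nuodb/ldap-ca.pem"}
WEAK = {"ldap-dn": "Manager", "ldap-base": "ou=people,dc=example,dc=com",   # no ldap-pass, dn malformed
        "ldap-type": "ad", "ldap-uri": "ldap://localhost:389 ftp://ldap.example.com",
        "ldap-port": "389"}   # not a NuoDB option

if __name__ == "__main__":
    print(check_ldap_options(HARDENED), check_ldap_options(WEAK), sep="\n")
```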

If your database has one or more TEs with LDAP authentication configured and one or more TEs without it, you will see different behavior depending on which TE the client is connected to. The database itself has only one entry per user, and that entry is marked as either external or not (see PASSWORDS System Table Description). If the user is external and the client connects to a TE without LDAP authentication, the user will not authenticate. If the user was not created with CREATE USER username EXTERNAL, the TE will not attempt to authenticate the user via LDAP, regardless of whether the TE to which the client is connected supports LDAP authentication.

Network Encryption Prerequisites

To use LDAP, NuoDB clients must be configured to use TLS. The connection between the Transaction Engine and the LDAP server can be either encrypted or unencrypted: depending on your security requirements, choose LDAP or LDAPS.

Note: LDAP is not supported with older NuoDB clients that use SRP.