Greenplum Database supports the LDAP, LDAP + TLS and LDAP/SSL authentication methods. This article is an example of how to authenticate database users against Microsoft Active Directory.
To get started, find the hostname of a Domain Controller (DC). On a domain-joined Windows machine this information is exposed in environment variables at a command prompt:
echo %LOGONSERVER%
\\MYDC
echo %USERDNSDOMAIN%
LAB.LOCAL
echo %USERDOMAIN%
CORP
The goal of this step is to assemble the fully qualified name of a domain controller: the %LOGONSERVER% host followed by the %USERDNSDOMAIN% suffix, which in this example gives "mydc.lab.local". If the Greenplum cluster is not on the same network, ask for the name of a DC that is 'closer' to the database.
Test LDAP connectivity from the Greenplum master server with the ldapsearch utility from the openldap-clients package. You will need Active Directory login credentials.
The following command binds as CORP\mylogin and prompts for the password. It displays the Common Name and the SAM Account Name, the name commonly used to log in to AD.
ldapsearch -x -h mydc.lab.local -D 'CORP\mylogin' -W -b 'DC=CORP,DC=LAB,DC=LOCAL' 'samAccountName=mylogin' cn sAMAccountName
For secure connections to the DC, install the domain's public CA certificate on the Greenplum master. Retrieve it from a PC or server that is a member of the AD domain: in the mmc console, add the Certificates snap-in to manage "My user account".
Under Trusted Root Certification Authorities, locate your domain's root certificate. Export it to disk as Base-64 encoded X.509 and make note of where it is saved. Copy this file to the Greenplum master server.
On the Greenplum master, OpenLDAP should be installed. In /etc/openldap, create a directory named cacerts if one does not already exist, and copy the domain's public certificate into /etc/openldap/cacerts.
In /etc/openldap/ldap.conf, make sure the following lines are present:
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
Note that TLS_REQCERT allow lets the session proceed even when the DC presents no certificate or one that does not chain to cacerts. Once the CA certificate is in place (with OpenSSL-based OpenLDAP the directory must also be indexed with c_rehash), TLS_REQCERT demand makes ldapsearch and the database reject a DC whose certificate cannot be verified.
Test the secure connection to port 389 with STARTTLS (-Z):
ldapsearch -x -h mydc.lab.local -p 389 -Z -D 'CORP\mylogin' -W -b 'DC=CORP,DC=LAB,DC=LOCAL' 'samAccountName=mylogin' cn sAMAccountName
Test port 636 with SSL (ldaps):
ldapsearch -H 'ldaps://mydc.lab.local' -D 'CORP\mylogin' -W -b 'DC=CORP,DC=LAB,DC=LOCAL' 'samAccountName=mylogin' cn sAMAccountName
Configure pg_hba.conf to allow LDAP authentication. There are three variants:
1. Plain LDAP (the bind password crosses the network unencrypted, so use this only for testing):
host all all 0.0.0.0/0 ldap ldapserver=mydc.lab.local ldapprefix="CORP\" ldapsuffix=""
2. Secure LDAP using TLS:
host all all 0.0.0.0/0 ldap ldapport="389" ldaptls=1 ldapserver=mydc.lab.local ldapprefix="CORP\" ldapsuffix=""
3. Secure LDAP with SSL:
host all all 0.0.0.0/0 ldap ldapserver="ldaps://mydc.lab.local" ldapprefix="CORP\" ldapsuffix=""
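The following shell check is an added example written for this article, not code from Greenplum or OpenLDAP. It classifies each ldap entry in a pg_hba.conf file as cleartext, STARTTLS or ldaps, and confirms that an ldap.conf sets TLS_REQCERT demand; the file paths it is called with are assumptions.

```shell
#!/bin/sh
# Added example for this article (not Greenplum's or OpenLDAP's own code).
# Audits the two files the article edits: pg_hba.conf and ldap.conf.

# Print "<address> <mode>" for every pg_hba.conf entry whose method is ldap,
# where mode is ldaps (ldapserver=ldaps://...), starttls (ldaptls=1) or
# cleartext (neither, so the bind password crosses the network unencrypted).
classify_ldap_hba() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comments, blank lines
        {
            # "local" lines have no address column; host/hostssl lines do
            method = ($1 == "local") ? $4 : $5
            addr   = ($1 == "local") ? "local" : $4
            if (method != "ldap") next
            mode = "cleartext"
            if ($0 ~ /ldaptls=1/)                mode = "starttls"
            if ($0 ~ /ldapserver="?ldaps:\/\//)  mode = "ldaps"
            print addr, mode
        }' "$1"
}

# Return 0 when no ldap entry is cleartext, 1 otherwise.
check_ldap_hba() {
    if classify_ldap_hba "$1" | grep -q ' cleartext$'; then
        return 1
    fi
    return 0
}

# Return 0 when ldap.conf demands a verifiable DC certificate (TLS_REQCERT demand,
# or its synonym hard); 1 when the directive is absent or weaker (never/allow/try),
# which lets a connection proceed even if the certificate does not chain to cacerts.
check_reqcert() {
    awk 'toupper($1) == "TLS_REQCERT" { v = tolower($2) }
         END { if (v == "demand" || v == "hard") exit 0; exit 1 }' "$1"
}

# Usage against the live files (paths assumed; run on the Greenplum master):
#   classify_ldap_hba "$MASTER_DATA_DIRECTORY/pg_hba.conf"
#   check_ldap_hba "$MASTER_DATA_DIRECTORY/pg_hba.conf" && echo "no cleartext ldap entries"
#   check_reqcert /etc/openldap/ldap.conf && echo "TLS_REQCERT demand"
```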
For the secure LDAP methods, configure gpadmin's LDAPCONF environment variable so the database's LDAP client reads the ldap.conf above:
export LDAPCONF=/etc/openldap/ldap.conf
Setting this for the first time requires a restart of the database, because the variable must be set before the database is started. Further changes to pg_hba.conf do not require a restart.
To stop and restart the database, run:
gpstop -M fast
gpstart
To have the database re-read pg_hba.conf without a restart:
gpstop -u
Create a database role for each AD login that needs access to the database and grant the required permissions.
Refer to Using LDAP Authentication with TLS/SSL for more information: