Using LDAP Authentication with TLS/SSL

    Greenplum Database supports LDAP authentication with the TLS/SSL protocol to encrypt communication with an LDAP server:

    • LDAP authentication with STARTTLS and TLS protocol – STARTTLS starts with a clear text connection (no encryption) and upgrades it to a secure connection (with encryption).

    If no protocol is specified, Greenplum Database communicates with the LDAP server with a clear text connection.

    To use LDAP authentication, the Greenplum Database master host must be configured as an LDAP client. See your LDAP documentation for information about configuring LDAP clients.

    To enable STARTTLS with the TLS protocol, in the pg_hba.conf file, add a line and specify the ldaptls parameter with the value 1. The default port is 389. In this example, the authentication method parameters include the ldaptls parameter.

    Specify a non-default port with the ldapport parameter. In this example, the authentication method includes the ldaptls parameter and the ldapport parameter to specify the port 550.

    ldap ldapserver=myldap.com ldaptls=1 ldapport=550 ldapprefix="uid=" ldapsuffix=",ou=People,dc=example,dc=com"

    To enable a secure connection with TLS/SSL, add ldaps:// as the prefix to the LDAP server name specified in the ldapserver parameter. The default port is 636.

    This example parameter specifies a secure connection and the TLS/SSL protocol for the LDAP server myldap.com.

    ldapserver=ldaps://myldap.com

    If you have a system-wide OpenLDAP system and logins are configured to use LDAP with TLS or SSL in the pg_hba.conf file, logins may fail with the following message:

    could not start LDAP TLS session: error code '-11'

    To use an existing OpenLDAP system for authentication, Greenplum Database must be set up to use the LDAP server’s CA certificate to validate user certificates. Follow these steps on both the master and standby hosts to configure Greenplum Database:

    1. Copy the base64-encoded root CA chain file from the Active Directory or LDAP server to the Greenplum Database master and standby master hosts. This example uses the directory /etc/pki/tls/certs.

    2. Change to the directory where you copied the CA certificate file and, as the root user, generate the hash for OpenLDAP:

      # cd /etc/pki/tls/certs

    3. Configure an OpenLDAP configuration file for Greenplum Database with the CA certificate directory and certificate file specified.

      As the root user, edit the OpenLDAP configuration file /etc/openldap/ldap.conf:

      Note: For certificate validation to succeed, the hostname in the certificate must match a hostname in the URI property. Otherwise, you must also add TLS_REQCERT allow to the file.

      export LDAPCONF=/etc/openldap/ldap.conf

    Greenplum Database logs an error if either of the following combinations is specified in a pg_hba.conf entry:

    • If both the ldaps:// prefix and the ldaptls=1 parameter are specified.
    • If both the ldaps:// prefix and the ldapport parameter are specified.
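    The two rejected combinations above, together with the clear-text default described earlier, can be checked before a reload. The following script is an added example, not part of the Greenplum documentation: it parses the ldap* options of pg_hba.conf entries and reports entries Greenplum would reject (ldaps:// with ldaptls=1 or ldapport) and entries that leave the LDAP connection unencrypted. The sample entries are constructed for the example.

```python
import shlex

# Constructed sample pg_hba.conf entries for the audit (not from the original page).
SAMPLE_HBA = """
# clear text: neither ldaps:// nor ldaptls=1
host all ldapsuser 0.0.0.0/0 ldap ldapserver=myldap.com ldapprefix="uid=" ldapsuffix=",ou=People,dc=example,dc=com"
# STARTTLS on a non-default port, then LDAPS on its default port 636
host all ldapsuser 0.0.0.0/0 ldap ldapserver=myldap.com ldaptls=1 ldapport=550 ldapprefix="uid=" ldapsuffix=",ou=People,dc=example,dc=com"
host all ldapsuser 0.0.0.0/0 ldap ldapserver=ldaps://myldap.com ldapprefix="uid=" ldapsuffix=",ou=People,dc=example,dc=com"
# the two combinations Greenplum rejects
host all ldapsuser 0.0.0.0/0 ldap ldapserver=ldaps://myldap.com ldaptls=1 ldapprefix="uid="
host all ldapsuser 0.0.0.0/0 ldap ldapserver=ldaps://myldap.com ldapport=636 ldapprefix="uid="
"""

def parse_ldap_options(line):
    """Return the ldap* options of a pg_hba.conf entry as a dict, or None if the
    line is blank, a comment, or does not use the ldap method."""
    fields = shlex.split(line, comments=True)
    method_idx = 3 if fields[:1] == ["local"] else 4  # local entries have no address field
    if len(fields) <= method_idx or fields[method_idx] != "ldap":
        return None
    opts = {}
    for tok in fields[method_idx + 1:]:
        key, sep, val = tok.partition("=")  # split on the first '=' only (values may contain '=')
        if sep:
            opts[key] = val
    return opts

def check_entry(line):
    """Classify one entry: ('error', msg) for combinations Greenplum rejects,
    ('warning', msg) for an unencrypted LDAP connection, ('ok', msg) otherwise."""
    opts = parse_ldap_options(line)
    if opts is None:
        return None
    uses_ldaps = opts.get("ldapserver", "").startswith("ldaps://")
    starttls = opts.get("ldaptls") == "1"
    if uses_ldaps and starttls:
        return ("error", "ldaps:// prefix combined with ldaptls=1")
    if uses_ldaps and "ldapport" in opts:
        return ("error", "ldaps:// prefix combined with ldapport")
    if not (uses_ldaps or starttls):
        return ("warning", "clear text connection: credentials cross the network unencrypted")
    port = opts.get("ldapport", "636" if uses_ldaps else "389")  # defaults stated on this page
    return ("ok", "encrypted via %s, port %s" % ("ldaps" if uses_ldaps else "STARTTLS", port))

def audit(hba_text):
    """Run check_entry over every line of a pg_hba.conf text; non-ldap lines are skipped."""
    return [r for r in (check_entry(l) for l in hba_text.splitlines()) if r]
```

    Running `audit(SAMPLE_HBA)` yields one warning, two ok results and the two errors, in file order.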

    Enabling encrypted communication for LDAP authentication only encrypts the communication between Greenplum Database and the LDAP server.

    See Encrypting Client/Server Connections for information about encrypting client connections.

    These are example entries from a pg_hba.conf file.

    This example specifies LDAP authentication with no encryption between Greenplum Database and the LDAP server.

    This example specifies LDAP authentication with the STARTTLS and TLS protocol between Greenplum Database and the LDAP server.

    This example specifies LDAP authentication with a secure connection and TLS/SSL protocol between Greenplum Database and the LDAP server.

    host all ldapsuser 0.0.0.0/0 ldap ldapserver=ldaps://myldap.com ldapprefix="uid=" ldapsuffix=",ou=People,dc=example,dc=com"