These are the steps for an LDAP setup in Netezza.
As root, install the openldap-clients rpm that matches your RHEL version (6.5 here): openldap-clients-x.x.xx-xx.elx.x86_64.rpm
First make sure ldapsearch works from the NZ host; for example, as run on edw-ntz-0a1-lq (note that ldapsearch also accepts -W to prompt for the bind password instead of passing it on the command line with -w, where it is visible in the shell history and process list):
[root@XXXX ~]# ldapsearch -h 100.172.83.15 -b "DC=domestic,DC=gutu,DC=com" "(&(memberOf=CN=GCEDW-NETEZZA-GRP,OU=Netezza,OU=Security Groups - Global,OU=Corporate,DC=domestic,DC=guitarcenter,DC=com))" -D "CN=svcNTZ-LDAPS-prod,OU=LDAPRefAccounts,OU=Service Accounts,OU=Special,DC=domestic,DC=gutu,DC=com" -w 'password' |grep -i samaccountname
If that does not work, there may be a network issue that needs to be investigated; it is not worth configuring LDAP if the LDAP server cannot be reached from the Netezza hosts. Alternatively, contact your Windows admin for LDAP or Active Directory.
Once the ldapsearch is confirmed to work:
su - nz
nzsql as admin
Run the following command to set up LDAP; I'm assuming the LDAP server and settings are the same for all NZ machines.
SYSTEM.ADMIN(ADMIN)=>SET AUTHENTICATION LDAP BASE
'DC=domestic,DC=gutu,DC=com' SERVER '100.172.83.15'
BINDDN 'CN=svcNTZ-LDAPS-prod,OU=LDAPRefAccounts,OU=Service
Accounts,OU=Special,DC=domestic,DC=guitarcenter,DC=com' PORT '389'
BINDPW
'password' SCOPE SUB ATTRNAME 'sAMAccountName' NAMECASE lowercase
SSL 'off';
SYSTEM.ADMIN(ADMIN)=>\q
Restart NPS to apply the changes:
$nzstop
$nzstart &
Once NPS is back online, check the configuration files.
As root:
vi /etc/pam_ldap.conf
# comment out any uri line pointing to 127.0.0.1
#uri ldap://127.0.0.1/
#### Make sure the scope line is:
scope SUB
IMPORTANT: compare the files with this expected output from an already configured NZ box.
[root@edw-ntz-0a1-lq ~]# egrep -v '^(#|$)' /etc/pam_ldap.conf
host 10.192.83.13
base DC=domestic,DC=gutu,DC=com
binddn CN=svcNTZ-LDAPS-prod,OU=LDAPRefAccounts,OU=Service Accounts,OU=Special,DC=domestic,DC=gutu,DC=com
bindpw password
port 389
scope SUB
pam_login_attribute sAMAccountName
ssl off
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
[root@edw-ntz-0a1-lq ~]# egrep -v '^(#|$)' /nz/data/config/pam_ldap.conf
host 10.192.83.13
base DC=domestic,DC=gutu,DC=com
binddn CN=svcNTZ-LDAPS-prod,OU=LDAPRefAccounts,OU=Service Accounts,OU=Special,DC=domestic,DC=gutu,DC=com
bindpw Password
port 389
scope SUB
pam_login_attribute sAMAccountName
ssl off
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
If there is any difference between /nz/data/config/pam_ldap.conf and /etc/pam_ldap.conf, just cp /etc/pam_ldap.conf /nz/data/config/pam_ldap.conf to make sure the files are consistent. Note that both files carry the bind password in clear text on the bindpw line, so check their permissions after copying.
Once the files are in place, we just test.
To connect to the DB you must always use the password from LDAP:
unset NZ_PASSWORD
nzsql -d DGCRODS -u manish.jaiswal
nzsql -d DGCRODS -u manish.jaiswal
The user in NZ can have no password, or a password different from the LDAP one, but the username has to match the LDAP account name.
If you need to troubleshoot, add debug to /etc/pam.d/netezza_nps:
#%PAM-1.0
auth required pam_ldap.so debug
account required pam_ldap.so
password required pam_ldap.so
To disable LDAP login for the complete server on IBM Netezza:
Nzsql> SET AUTHENTICATION local;
To disable LDAP login for a single user:
NZSQL> Alter user MJAISWAL auth local;
If you want to revert to LDAP login again:
NZSQL> Alter user MJAISWAL AUTH DEFAULT; -- (if LDAP is set up for the full Netezza server)