
Setting Up Authentication

To set up LDAP authentication, follow these steps:

  1. Log into a database on the appliance as the yellowbrick user and manually create the superusers that will authenticate through LDAP. Use the CREATE ROLE command or the SMC for this purpose, and do not assign passwords to these users: their credentials are verified against LDAP, not stored locally. The usernames you create must exactly match the usernames in your LDAP directory.

  2. In the SMC, go to Configure > LDAP > Authentication.

  3. Optionally, set up a login trace that runs on the Yellowbrick server and displays messages for LDAP login attempts directly in the SMC. Click Login Trace in the top-right corner of the screen, then run the ybsql command from a client machine as instructed.

(Screenshot not reproduced here: the ybsql command has been run from a client, and the login trace is returning messages to the SMC.)

  4. Choose the LDAP mode: Bind, or Search then Bind, and fill out the associated fields. Which fields are required depends on both the LDAP mode and the type of LDAP server (Active Directory, OpenLDAP, and so on). See LDAP Authentication Modes.

  5. Test the login for the superusers you created. You should see a "login successful" message and confirmation that the user exists and belongs to at least one database. (A user may authenticate successfully yet still be unable to connect to a database; in that case, create or synchronize the user in the database and grant privileges as needed. See the following steps.)

Note: When you test LDAP logins, you may also be able to import a trusted certificate from this screen. If you have imported a root or intermediate certificate for the authority that issued the LDAP server certificate, but the server certificate itself has not been imported, click Set Trusted Certificates. (See also Importing Certificates.)

  6. If the test was successful, click Save Settings. If not, go back and check all of your settings for accuracy.

  7. Create all of your regular database users, either manually or by synchronizing with the LDAP server:

  • Log into the database as one of the new LDAP-authenticated superusers and use that account to create the regular users on the appliance, with CREATE ROLE or the SMC.

    Note: Create these users without passwords; their LDAP passwords will be used.

  • Follow the steps under Synchronizing Users and Groups. Note: Any user that is local to the Yellowbrick database and has a local password can still log in with that password, bypassing LDAP authentication entirely. Check for such accounts and remove the local password from any user who should authenticate only through LDAP.
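The SQL side of steps 1 and 7, together with a check for the local-password bypass described in the note above, as an added example that is not part of the Yellowbrick documentation. It assumes Yellowbrick accepts PostgreSQL-style CREATE ROLE / ALTER ROLE / GRANT syntax and that a superuser can read the pg_authid catalog; the role and database names are placeholders and must be replaced with names that match your LDAP directory.

```sql
-- Added example, not from the Yellowbrick docs. Assumes PostgreSQL-style role
-- syntax; ldap_admin, alice, bob and sales are placeholder names that must
-- match the usernames in the LDAP directory.

-- Step 1: connected as the yellowbrick user, create the LDAP-authenticated
-- superuser. No PASSWORD clause: the credential is checked against LDAP, so
-- nothing is stored locally.
CREATE ROLE ldap_admin WITH LOGIN SUPERUSER;

-- Step 7: connected as ldap_admin, create the regular users, again without a
-- local password, and let them connect to a database (otherwise the LDAP test
-- reports a successful login but no database membership).
CREATE ROLE alice WITH LOGIN;
CREATE ROLE bob   WITH LOGIN;
GRANT CONNECT ON DATABASE sales TO alice, bob;

-- Bypass check: any login-capable role that still carries a local password can
-- authenticate without LDAP. Assumes pg_authid is exposed; if it is not, use
-- the SMC user list or the equivalent Yellowbrick system view.
SELECT rolname
FROM   pg_authid
WHERE  rolcanlogin
AND    rolpassword IS NOT NULL
ORDER  BY rolname;

-- Remediation for a role the query above reports: drop the local password so
-- the role can only authenticate through LDAP.
ALTER ROLE alice WITH PASSWORD NULL;
```

Run the SELECT again after any user synchronization; synchronized users are created without passwords, but pre-existing local accounts keep whatever password they had until it is explicitly removed.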

Parent topic: LDAP Authentication