LDAP Authentication
When LDAP authentication is enabled, LDAP is used to transparently authenticate logins for users who do not have local passwords. Any user account that has a database local password will be authenticated by the database, bypassing LDAP authentication. In either case, the user must first exist in Yellowbrick. If you want LDAP users to be automatically created in Yellowbrick, you can enable LDAP synchronization.
Before enabling LDAP authentication, Yellowbrick recommends that you create one or more superusers with local passwords. These user accounts will bypass LDAP authentication; regardless of the functional state of the LDAP server, these designated superusers will be able to log into and administer the database. Therefore, the yellowbrick superuser is typically not set up as an LDAP user.
To switch a user that has a local password to LDAP authentication, set the user's password to NULL. For example, if brick is a database user with the local password yellow, and you want future logins with this account to use LDAP authentication, run the following ALTER ROLE command:
premdb# alter role brick with password null;
ALTER ROLE
Alternatively, you can use the Users tab in the SMC to make this change. (Note that the authentication change may not be immediate and could take a minute to apply in the system.)
For information about default users that are created on the Yellowbrick appliance, see User Accounts.
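To make the order of checks concrete, the following is an added Python model of the login decision described above and of the two errors listed below; it is not Yellowbrick's own code. The role table, the LDAP directory and the bind function are constructed stand-ins, and the "local password rejected" message is an assumption of the model.

```python
"""Model of the login decision: role must exist; a local password is checked by the
database and never reaches LDAP; otherwise LDAP decides. Constructed example."""


def initial_roles() -> dict:
    """Constructed role table; a password of None means 'no local password'."""
    return {
        "yellowbrick": {"password": "admin-secret", "superuser": True},
        "brick": {"password": "yellow", "superuser": False},
    }


# Constructed directory: the password the LDAP server would accept for each user.
LDAP_DIRECTORY = {"brick": "yellow", "some_user": "other"}


def ldap_bind(user: str, password: str, ldap_up: bool) -> bool:
    """Stand-in for an LDAP simple bind; raises when the server is unreachable."""
    if not ldap_up:
        raise ConnectionError("LDAP server unreachable")
    return LDAP_DIRECTORY.get(user) == password


def set_password_null(roles: dict, user: str) -> None:
    """Same effect as ALTER ROLE <user> WITH PASSWORD NULL: future logins use LDAP."""
    roles[user]["password"] = None


def authenticate(roles: dict, user: str, password: str, ldap_up: bool = True):
    """Return (success, message) following the documented order of checks.
    An unreachable LDAP server counts as an LDAP failure, which is why a
    superuser with a local password still gets in during an LDAP outage."""
    role = roles.get(user)
    if role is None:
        # The account must exist in the database even when LDAP knows the user.
        return False, f'FATAL: role "{user}" does not exist'
    if role["password"] is not None:
        # Local password present: the database decides, LDAP is bypassed.
        ok = role["password"] == password
        return ok, "local password " + ("accepted" if ok else "rejected")
    try:
        if ldap_bind(user, password, ldap_up):
            return True, "LDAP bind accepted"
    except ConnectionError:
        pass
    return False, f'LDAP authentication failed for user "{user}"'
```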
Common Errors with LDAP Authentication
FATAL: role "dummy.user" does not exist
LDAP authentication failed for user "some_user"