LDAP Integration

OmniSci supports LDAP authentication using an IPA Server or Microsoft Active Directory.

You can configure OmniSci Enterprise edition to map LDAP roles 1-to-1 to OmniSci roles. When you enable this mapping, LDAP becomes the main authority controlling user roles in OmniSci.

LDAP mapping is available only in OmniSci Enterprise edition.

OmniSci supports five configuration settings that allow you to integrate with your LDAP server.

  • ldap-uri
    Description: LDAP server host or server URI.
    Example: ldap://myLdapServer.myCompany.com

  • ldap-dn
    Description: LDAP distinguished name (DN).
    Example: uid=$USERNAME,cn=users,cn=accounts,dc=myCompany,dc=com

  • ldap-role-query-url
    Description: Returns the role names a user belongs to in the LDAP.
    Example: ldap://myServer.myCompany.com/uid=$USERNAME,cn=users,cn=accounts,dc=myCompany,dc=com?memberOf

  • ldap-role-query-regex
    Description: Applies a regex filter to find matching roles from the roles in the LDAP server.
    Example: (MyCompany_.*?),

  • ldap-superuser-role
    Description: Identifies one of the filtered roles as a superuser role. If a user has this filtered LDAP role, the user is marked as a superuser.
    Example: MyCompany_SuperUser

Obtaining Credential Information

To find the ldap-role-query-url and ldap-role-query-regex to use, query your user roles. For example, if there is a user named kiran on the IPA LDAP server ldap://myldapserver.mycompany.com, you could use the following curl command to get the role information:

$ curl --user "uid=kiran,cn=users,cn=accounts,dc=mycompany,dc=com" \
    "ldap://myldapserver.mycompany.com/uid=kiran,cn=users,cn=accounts,dc=mycompany,dc=com?memberOf"

When successful, it returns information similar to the following:

DN: uid=kiran,cn=users,cn=accounts,dc=mycompany,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mycompany,dc=com
memberOf: cn=MyCompany_SuperUser,cn=roles,cn=accounts,dc=mycompany,dc=com
memberOf: cn=test,cn=groups,cn=accounts,dc=mycompany,dc=com

  • ldap-dn matches the DN, which is uid=kiran,cn=users,cn=accounts,dc=mycompany,dc=com.

  • ldap-role-query-url is the LDAP URI + the DN + the LDAP attribute that represents the role/group the member belongs to, such as memberOf.

  • ldap-role-query-regex is a regular expression that matches the role names. The matching role names are used to grant and revoke privileges in OmniSci. For example, if you created roles on an IPA LDAP server whose names begin with MyCompany_ (for example, MyCompany_Engineering, MyCompany_Sales, MyCompany_SuperUser), the regular expression (MyCompany_.*?), filters the role names on that prefix.

  • ldap-superuser-role is the role/group name for OmniSci users who are superusers once they log on to the OmniSci database. In this example, the superuser role name is MyCompany_SuperUser.
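
As an added illustration (not OmniSci's own code), the following Python models how the settings above act on the memberOf output returned for kiran: $USERNAME substitution into ldap-dn, the ldap-role-query-regex filter applied to each memberOf line, and the ldap-superuser-role check. The RFC 4514 escaping helper and the stricter STRICT_ROLE_REGEX are assumptions added here, and OmniSci's internal matching may differ from this model.

```python
import re

# Constructed sample, mirroring the memberOf output shown for user kiran above.
SAMPLE_LDAP_OUTPUT = """\
DN: uid=kiran,cn=users,cn=accounts,dc=mycompany,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mycompany,dc=com
memberOf: cn=MyCompany_SuperUser,cn=roles,cn=accounts,dc=mycompany,dc=com
memberOf: cn=test,cn=groups,cn=accounts,dc=mycompany,dc=com
"""

# Settings taken from the omnisci.conf example on this page.
LDAP_DN = "uid=$USERNAME,cn=users,cn=accounts,dc=mycompany,dc=com"
ROLE_REGEX = r"(MyCompany_.*?),"
SUPERUSER_ROLE = "MyCompany_SuperUser"
# Stricter pattern (an assumption, not from the page): only the cn= value may
# match, so a group named e.g. NotMyCompany_Admin does not yield a role.
STRICT_ROLE_REGEX = r"^memberOf: cn=(MyCompany_[^,]+),"


def escape_dn_value(value):
    """Escape a value per RFC 4514 before it is substituted for $USERNAME."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def bind_dn(username, template=LDAP_DN):
    """Build the bind DN the way ldap-dn does, with $USERNAME replaced."""
    return template.replace("$USERNAME", escape_dn_value(username))


def extract_roles(ldap_output, regex=ROLE_REGEX):
    """Run ldap-role-query-regex over each memberOf line; group 1 is the role."""
    pattern = re.compile(regex)
    roles = []
    for line in ldap_output.splitlines():
        if line.startswith("memberOf:"):
            match = pattern.search(line)
            if match:
                roles.append(match.group(1))
    return roles


def is_superuser(roles, superuser_role=SUPERUSER_ROLE):
    """ldap-superuser-role: superuser only if that role survived the filter."""
    return superuser_role in roles
```

Comparing extract_roles with ROLE_REGEX and with STRICT_ROLE_REGEX on a group such as cn=NotMyCompany_Admin shows why anchoring the pattern to the cn= value is worth considering before relying on the filter for privilege decisions.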

Make sure that LDAP configuration appears before the [web] section of omnisci.conf.

Double quotes are not required for LDAP properties in omnisci.conf. For example, both of the following are valid:

ldap-uri = "ldap://myldapserver.mycompany.com"
ldap-uri = ldap://myldapserver.mycompany.com

Setting Up LDAP with OmniSci

To integrate LDAP with OmniSci, you need the following:

  • A functional LDAP server with all users, roles, and groups that OmniSci will use already created, and the values for ldap-uri, ldap-dn, ldap-role-query-url, ldap-role-query-regex, and ldap-superuser-role determined. You can use the curl command to test and find the filters.

  • A functional OmniSci server, version 4.1 or higher.

Once you have your server information, configure OmniSci to use LDAP authentication:

  1. Locate the omnisci.conf file and edit it to include the LDAP parameters. For example:

    ldap-uri = "ldap://myldapserver.mycompany.com"
    ldap-dn = "uid=$USERNAME,cn=users,cn=accounts,dc=mycompany,dc=com"
    ldap-role-query-url = "ldap://myldapserver.mycompany.com/uid=$USERNAME,cn=users,cn=accounts,dc=mycompany,dc=com?memberOf"
    ldap-role-query-regex = "(MyCompany_.*?),"
    ldap-superuser-role = "MyCompany_SuperUser"
  2. Restart the OmniSci server:

    sudo systemctl restart omnisci_server
    sudo systemctl restart omnisci_web_server
  3. Log on to omnisql as a user in a MyCompany_ role, or as any user who belongs to one of the roles/groups that match the filter.

When you use LDAP authentication, the default omnisci user and password HyperInteractive do not work unless you create the omnisci user with the same password on the LDAP server. There is no authentication fallback.

If your login fails, inspect $OMNISCI_STORAGE/mapd_log/omnisci_server.INFO to check for any obvious errors about LDAP authentication.

Once you log in, you can create a new role name in omnisql, and then apply GRANT/REVOKE privileges to the role. Log in as another user with that role and confirm that GRANT/REVOKE works.

If you refresh the browser window, you are required to log in and reauthenticate.

Using LDAPS

To use LDAPS, OmniSci must trust the LDAP server's TLS certificate. To achieve this, you need either the CA certificate that signed the server's certificate or the server certificate itself, and you install it as a trusted certificate.

IPA on CentOS

To use IPA as your LDAP server with OmniSci running on CentOS 7:

  1. Copy the IPA server CA certificate to your local machine.

    scp root@myldapserver:/etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa-ca.pem
  2. Update the PKI certificates.

    update-ca-trust
  3. Edit /etc/openldap/ldap.conf to add the following line.

    TLS_CACERT      /etc/pki/tls/certs/ca-bundle.crt
  4. Locate the omnisci.conf file and edit it to include the LDAP parameters. For example:

    ldap-uri = "ldaps://myldapserver.mycompany.com"
    ldap-dn = "uid=$USERNAME,cn=users,cn=accounts,dc=mycompany,dc=com"
    ldap-role-query-url = "ldaps://myldapserver.mycompany.com/uid=$USERNAME,cn=users,cn=accounts,dc=mycompany,dc=com?memberOf"
    ldap-role-query-regex = "(MyCompany_.*?),"
    ldap-superuser-role = "MyCompany_SuperUser"
  5. Restart the OmniSci server:

    sudo systemctl restart omnisci_server
    sudo systemctl restart omnisci_web_server

IPA on Ubuntu

To use IPA as your LDAP server with OmniSci running on Ubuntu:

  1. Copy the IPA server CA certificate to your local machine.

    mkdir /usr/local/share/ca-certificates/ipa
    scp root@myldapserver:/etc/ipa/ca.crt /usr/local/share/ca-certificates/ipa/ipa-ca.pem
  2. Rename ipa-ca.pem to ipa-ca.crt so that the certificate bundle update script can find it:

    mv /usr/local/share/ca-certificates/ipa/ipa-ca.pem /usr/local/share/ca-certificates/ipa/ipa-ca.crt
  3. Update the PKI certificates:

    update-ca-certificates
  4. Edit /etc/openldap/ldap.conf to add the following line:

    TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
  5. Locate the omnisci.conf file and edit it to include the LDAP parameters. For example:

    ldap-uri = "ldaps://myldapserver.mycompany.com"
    ldap-dn = "uid=$USERNAME,cn=users,cn=accounts,dc=mycompany,dc=com"
    ldap-role-query-url = "ldaps://myldapserver.mycompany.com/uid=$USERNAME,cn=users,cn=accounts,dc=mycompany,dc=com?memberOf"
    ldap-role-query-regex = "(MyCompany_.*?),"
    ldap-superuser-role = "MyCompany_SuperUser"
  6. Restart the OmniSci server:

    sudo systemctl restart omnisci_server
    sudo systemctl restart omnisci_web_server

Active Directory

  1. Locate the omnisci.conf file and edit it to include the LDAP parameters. For example:

    ldap-uri = "ldap://myldapserver.mycompany.com"
    ldap-dn = "cn=$USERNAME,cn=users,dc=qa-mycompany,dc=com"
    ldap-role-query-url = "ldap://myldapserver.mycompany.com/cn=$USERNAME,cn=users,dc=qa-mycompany,dc=com?memberOf"
    ldap-role-query-regex = "(OMNISCI_.*?),"
    ldap-superuser-role = "OMNISCI_SuperUser"
  2. Restart the OmniSci server:

    sudo systemctl restart omnisci_server
    sudo systemctl restart omnisci_web_server

Other LDAP user authentication attributes, such as sAMAccountName and userPrincipalName, are not currently supported in OmniSci.
