LDAP Integration

OmniSci supports LDAP authentication using an IPA Server or Microsoft Active Directory.

OmniSci can be configured to map LDAP roles 1-to-1 to OmniSci roles. When you enable this mapping, LDAP becomes the main authority controlling a user's roles in OmniSci.

OmniSci supports five configuration settings that allow you to integrate with your LDAP server.

LDAP Configuration Flags for OmniSci Server

--ldap-uri
    Description: LDAP server host or server URI.
    Example: ldap://myLdapServer.myCompany.com

--ldap-dn
    Description: LDAP distinguished name (DN).
    Example: uid=$USERNAME,cn=users,cn=accounts,dc=myCompany,dc=com

--ldap-role-query-url
    Description: Returns the role names a user belongs to in the LDAP.
    Example: ldap://myServer.myCompany.com/uid=$USERNAME,cn=users,cn=accounts,dc=myCompany,dc=com?memberOf

--ldap-role-query-regex
    Description: Applies a regex filter to find matching roles from the roles in the LDAP server.
    Example: (MyCompany_.*?),

--ldap-superuser-role
    Description: Identifies one of the filtered roles as a superuser role. If a user has this filtered LDAP role, the user is marked as a superuser.
    Example: MyCompany_SuperUser

Obtaining Credential Information

To find the --ldap-role-query-url and --ldap-role-query-regex to use, query your user roles. For example, if there is a user named kiran on the IPA LDAP server ldap://myldapserver.mycompany.com, you could use the following curl command to get the role information:

$ curl --user "uid=kiran,cn=users,cn=accounts,dc=mycompany,dc=com" \
"ldap://myldapserver.mycompany.com/uid=kiran,cn=users,cn=accounts,dc=mycompany,dc=com?memberOf"

When successful, it returns information similar to the following:

DN: uid=kiran,cn=users,cn=accounts,dc=mycompany,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mycompany,dc=com
memberOf: cn=MyCompany_SuperUser,cn=roles,cn=accounts,dc=mycompany,dc=com
memberOf: cn=test,cn=groups,cn=accounts,dc=mycompany,dc=com

From this output, the settings map as follows:

  • --ldap-dn matches the DN, which is uid=kiran,cn=users,cn=accounts,dc=mycompany,dc=com.
  • --ldap-role-query-url is the LDAP URI, followed by the DN, followed by the LDAP attribute that represents the role/group the member belongs to, such as memberOf.
  • --ldap-role-query-regex is a regular expression that matches the role names. The matching role names are used to grant and revoke privileges in OmniSci. For example, if you created roles on an IPA LDAP server whose names begin with MyCompany_ (for example, MyCompany_Engineering, MyCompany_Sales, MyCompany_SuperUser), the regular expression can filter the role names using MyCompany_.
  • --ldap-superuser-role is the role/group name for OmniSci users who are superusers once they log on to the OmniSci database. In this example, the superuser role name is MyCompany_SuperUser.
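How the five settings fit together, as an added worked example that is not OmniSci's own code: it substitutes $USERNAME into the --ldap-dn and --ldap-role-query-url templates, pulls the memberOf values out of a constructed copy of the curl output above (with one extra MyCompany_ role added), applies the --ldap-role-query-regex to each value, and checks for the superuser role. The refusal of usernames containing RFC 4514 DN special characters is this example's own defensive choice; the page does not describe how OmniSci itself treats such input.

```python
"""Added example: how OmniSci's five LDAP settings combine to turn a user's
memberOf listing into OmniSci role names. Not OmniSci's own code."""
import re
from string import Template
from typing import List, Tuple

# The IPA values from the page, exactly as passed on the startmapd command line.
LDAP_DN_TEMPLATE = "uid=$USERNAME,cn=users,cn=accounts,dc=mycompany,dc=com"
LDAP_ROLE_QUERY_URL_TEMPLATE = (
    "ldap://myldapserver.mycompany.com/"
    "uid=$USERNAME,cn=users,cn=accounts,dc=mycompany,dc=com?memberOf"
)
LDAP_ROLE_QUERY_REGEX = r"(MyCompany_.*?),"
LDAP_SUPERUSER_ROLE = "MyCompany_SuperUser"

# Constructed sample of the curl output shown above, with one extra role added.
SAMPLE_CURL_OUTPUT = """\
DN: uid=kiran,cn=users,cn=accounts,dc=mycompany,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mycompany,dc=com
memberOf: cn=MyCompany_SuperUser,cn=roles,cn=accounts,dc=mycompany,dc=com
memberOf: cn=MyCompany_Engineering,cn=roles,cn=accounts,dc=mycompany,dc=com
memberOf: cn=test,cn=groups,cn=accounts,dc=mycompany,dc=com
"""

# RFC 4514 characters that carry meaning inside a DN. This example's own
# policy (not documented OmniSci behaviour) is to reject a username that
# contains any of them rather than substitute it into the DN template.
_DN_SPECIALS = set(',+"\\<>;=#')


def username_ok(username: str) -> bool:
    """True if the username can be substituted into a DN template verbatim."""
    return bool(username) and not any(ch in _DN_SPECIALS for ch in username)


def expand_template(template: str, username: str) -> str:
    """Replace $USERNAME in --ldap-dn or --ldap-role-query-url, as the page
    describes the placeholder; the username check is this example's own."""
    if not username_ok(username):
        raise ValueError(f"username {username!r} is not allowed in a DN template")
    return Template(template).substitute(USERNAME=username)


def member_of_values(curl_output: str) -> List[str]:
    """Collect the memberOf attribute values from the curl/LDIF-style output."""
    return [line.split(":", 1)[1].strip()
            for line in curl_output.splitlines()
            if line.startswith("memberOf:")]


def filter_roles(member_of: List[str], regex: str = LDAP_ROLE_QUERY_REGEX) -> List[str]:
    """Apply --ldap-role-query-regex; every capture-group hit is an OmniSci role."""
    pattern = re.compile(regex)
    return [m.group(1) for value in member_of for m in pattern.finditer(value)]


def resolve(username: str, curl_output: str) -> Tuple[str, str, List[str], bool]:
    """Bind DN, role query URL, matched roles and superuser flag for one user."""
    dn = expand_template(LDAP_DN_TEMPLATE, username)
    url = expand_template(LDAP_ROLE_QUERY_URL_TEMPLATE, username)
    roles = filter_roles(member_of_values(curl_output))
    return dn, url, roles, LDAP_SUPERUSER_ROLE in roles


if __name__ == "__main__":
    dn, url, roles, is_super = resolve("kiran", SAMPLE_CURL_OUTPUT)
    print("bind DN   :", dn)
    print("role query:", url)
    print("roles     :", roles)
    print("superuser :", is_super)
```

Two properties of the page's regex are worth checking against your own directory before you rely on it: (MyCompany_.*?), only matches a role whose RDN is followed by a comma, so a memberOf value that ends in the role's cn with no further RDN yields no role, and the match is case-sensitive, so dc=mycompany never collides with MyCompany_. The same functions apply to the Active Directory form on this page by passing the cn=$USERNAME template and the (Mapd_.*?), regex.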
Setting Up LDAP with OmniSci

To integrate LDAP with OmniSci, you need the following:

  • A functional LDAP server with all the users, roles, and groups that OmniSci will use already created, and the values for --ldap-uri, --ldap-dn, --ldap-role-query-url, --ldap-role-query-regex, and --ldap-superuser-role determined. You can use the curl command shown above to test and find the filters.
  • A functional OmniSci server, version 4.1 or higher.

Once you have your server information, you can configure OmniSci to use LDAP authentication.

Log in to the OmniSci server, and start the OmniSci server with the following command line options:

./startmapd --data $HOME/data --ldap-uri ldap://myldapserver.mycompany.com \
--ldap-dn 'uid=$USERNAME,cn=users,cn=accounts,dc=mycompany,dc=com' \
--ldap-role-query-url 'ldap://myldapserver.mycompany.com/uid=$USERNAME,cn=users,cn=accounts,dc=mycompany,dc=com?memberOf' \
--ldap-role-query-regex '(MyCompany_.*?),' \
--ldap-superuser-role 'MyCompany_SuperUser' &

When the OmniSci server starts, you can log on to mapdql as a myCompany user, or as any user who belongs to one of the roles/groups that matched the filter.

Important: When you use LDAP authentication, the default mapd user and password HyperInteractive do not work unless you create the mapd user with the same password on the LDAP server. There is no authentication fallback.

If your login fails, you can inspect $MAPD_DATA/mapd_log/mapd_server.INFO to see if there are any obvious errors about LDAP authentication.

Once you log in, you can create a new role name in mapdql, and then apply GRANT/REVOKE privileges to the role. Log in as another user with that role and confirm that GRANT/REVOKE works.

Using LDAPS

To use LDAPS, OmniSci must trust the LDAP server's SSL certificate.

To achieve this, you need the CA certificate that issued the server's certificate, or the server certificate itself. Install the certificate as a trusted certificate.

IPA / CentOS

The commands below demonstrate how to use IPA as your LDAP server with OmniSci running on CentOS 7.

Copy the IPA server CA certificate to your local machine.

scp root@myldapserver:/etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa-ca.pem

Update the PKI certificates.

update-ca-trust

Edit /etc/openldap/ldap.conf to add the following line.

TLS_CACERT      /etc/pki/tls/certs/ca-bundle.crt

Start the OmniSci server, connecting to LDAPS.

./startmapd --data $HOME/data \
--ldap-uri ldaps://myldapserver.mycompany.com \
--ldap-dn 'uid=$USERNAME,cn=users,cn=accounts,dc=mycompany,dc=com' \
--ldap-role-query-url 'ldaps://myldapserver.mycompany.com/uid=$USERNAME,cn=users,cn=accounts,dc=mycompany,dc=com?memberOf' \
--ldap-role-query-regex '(MyCompany_.*?),' \
--ldap-superuser-role 'MyCompany_SuperUser' &

IPA / Ubuntu

The commands below demonstrate how to use IPA as your LDAP server with OmniSci running on Ubuntu.

Copy the IPA server CA certificate to your local machine.

mkdir /usr/local/share/ca-certificates/ipa
scp root@myldapserver:/etc/ipa/ca.crt /usr/local/share/ca-certificates/ipa/ipa-ca.pem

Rename the file to use the .crt extension; otherwise the certificate bundle update script does not find it.

mv /usr/local/share/ca-certificates/ipa/ipa-ca.pem /usr/local/share/ca-certificates/ipa/ipa-ca.crt

Update the PKI certificates.

update-ca-certificates

Edit /etc/openldap/ldap.conf to add the following line.

TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

Start the OmniSci server, connecting to LDAPS.

./startmapd --data $HOME/data --ldap-uri ldaps://myldapserver.mycompany.com \
--ldap-dn 'uid=$USERNAME,cn=users,cn=accounts,dc=mycompany,dc=com' \
--ldap-role-query-url 'ldaps://myldapserver.mycompany.com/uid=$USERNAME,cn=users,cn=accounts,dc=mycompany,dc=com?memberOf' \
--ldap-role-query-regex '(Mapd_.*?),' \
--ldap-superuser-role 'Mapd_SuperUser' &

Active Directory

Active Directory uses the cn attribute in the distinguished name (DN). Rather than using uid, as on the IPA LDAP server, you use the cn attribute, as in the following example.

./startmapd --data $HOME/data \
--ldap-uri ldap://10.1.0.104 \
--ldap-dn 'cn=$USERNAME,cn=users,dc=qa-mycompany,dc=com' \
--ldap-role-query-url 'ldap://10.1.0.104/cn=$USERNAME,cn=users,dc=qa-mycompany,dc=com?memberOf' \
--ldap-role-query-regex '(Mapd_.*?),' \
--ldap-superuser-role 'Mapd_SuperUser' &

Note: Other LDAP user authentication attributes, such as sAMAccountName and userPrincipalName, are not currently supported in OmniSci.