README.ldap
-----------

Revision: 2010-07-20

SQLR supports using a remote LDAP server to authenticate users. This
document provides additional notes on the SQLR support for LDAP and on
platform dependencies.

To use the LDAP authentication you need an LDAP server. The Microsoft
Active Directory server is accessible through the LDAP protocol and may
be used.

When enabled, SQLR binds to the LDAP server upon a new connection with
the credentials passed by the driver. Also, the list of access groups
specified for the DSN is verified against LDAP (this requires the LDAP
base to be specified). In addition, an LDAP search expression is
supported to specify additional requirements. When an LDAP filter is
present, a user is considered to be authorized if a result is returned
by the LDAP server.

When no additional search condition is present (LdapFILTER), the user is
assumed to be authorized if binding to the LDAP server with the
credentials succeeds. This can be a problem when anonymous binding is
allowed and no password is provided: in this case the LDAP server may
accept the bind, and the user is authorized, although no valid account
exists. It is therefore recommended to add an LdapFILTER condition or to
disable anonymous binding on the LDAP server. Please note that the
latter may impact other applications.

Please note: When using a Windows AD as an LDAP server, the value of the
user id must match the DisplayName attribute of the user account, NOT
the CN. An account can only authenticate with just a UserID in a simple
bind if the DisplayName is the same as the UserID.

Configuration directives
------------------------

The ODBC server may be configured per DSN to use an external LDAP server
for authenticating users. The following config items may be specified:

Security = ldap

   Setting "Security = LDAP" enables the LDAP lookup. If LDAP is enabled
   in a DSN for the first time after the server was started, the server
   process needs to be restarted; until then the server returns an error
   message on a connection attempt.
LdapURI

   This specifies the URI of the LDAP server.

   Syntax: {ldap|ldaps}://server[:port] [...]

   When the ldaps protocol is specified, an encrypted connection is
   used. Server specifies the name or IP address (and optional port
   number) of the LDAP server. The default port number is defined by the
   protocol. Multiple servers may be specified, separated by spaces.

   For example:

   LdapURI = ldap://ldap.marxmeier.com

   Please note: To use an encrypted LDAP connection on Windows, the
   server certificate needs to be imported and the host name used for
   connecting needs to match the certificate subject.

LdapCertsDir

   This is used on HP-UX to specify the directory holding the
   certificate database cert8.db and key3.db. These are required for an
   encrypted LDAP connection. The default is /etc/opt/sqlr2/certs

   For example:

   LdapCertsDir = /etc/opt/sqlr2/certs

   This config item has no effect on other platforms.

LdapTimeout

   Numeric value specifying the timeout (in ms) for contacting the LDAP
   server. A zero value selects the platform default. The default is
   zero.

LdapBASE

   Specifies the search base if a filter is present. If specified and
   access groups are used for a DSN, then LDAP will be used to verify
   group membership.

   For example:

   LdapBASE = cn=users,dc=marxmeier,dc=com

LdapFILTER

   Specifies an additional condition to be verified by the LDAP server.
   This is optional. If specified, the LdapBASE config item needs to be
   present.

   For example:

   LdapFILTER = (memberOf=cn=ODBC,cn=users,dc=marxmeier,dc=com)

   This example verifies that the user is a member of the specified
   group. The filter needs to follow the LDAP conventions and can query
   arbitrary LDAP attributes. Internally, the LdapFILTER search is
   combined with a search for the user (cn=login).

The example below defines a DSN with the database sample and uses an
encrypted LDAP connection to authorize users. The user must be a member
of the group ODBC. The database is opened as the user "ODBC" and
requires an encrypted connection.
[LdapSampleDSN]
LdapUri = ldaps://ldap.marxmeier.com
LdapBase = cn=users,dc=marxmeier,dc=com
#LdapFilter = (memberOf=cn=ODBC,cn=users,dc=marxmeier,dc=com)
LdapTimeout = 1000
Database = sample
Login = LDAP
EnableWrite = full
Encryption = 1
GroupWriteList = ODBC

Platform dependencies
---------------------

HP-UX:

   The HP-UX LDAP client is used to access the LDAP server. The HP-UX
   LdapUxClient product must be installed. This is part of the
   "J4269AA: LDAP-UX Client Services" bundle from the HP-UX application
   DVD, or it is already installed as part of the HP-UX OE. SQLR was
   tested with LdapUxClient version B.04.15.

   To use an encrypted LDAP connection (ldaps protocol) a certificate
   database must be present (cert8.db and key3.db). Otherwise
   initializing the SSL connection will fail. A certificate database may
   be copied from a Mozilla Firefox installation or created using the
   certutil tool as in the example below:

   # cd /etc/opt/sqlr2/certs
   # /opt/ldapux/contrib/bin/certutil -d . -N
   # chown sqlr cert8.db key3.db secmod.db

   To use LDAP, the server process dynamically loads a libldap.sl
   (PA-RISC) or libldap.so (Itanium) library. The SQL/R specific lib
   directory has precedence in locating the library. The SHLIB_PATH and
   LD_LIBRARY_PATH environment variables may be used to select a
   specific library to be loaded. Otherwise the system default is used.

   Related documentation:

   LDAP-UX Client Services B.04.15 Administrator's Guide:
   HP-UX 11i v1, v2 and v3
   http://docs.hp.com/en/J4269-90090/index.html

   LDAP-UX Client Services B.04.15 with Microsoft Windows Active
   Directory Administrator's Guide: HP-UX 11i v1, v2, and v3
   http://docs.hp.com/en/J4269-90084/index.html

   Using the Certificate Database Tool (mozilla.org)
   http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

Linux:

   The OpenLDAP client is used to access the LDAP server. The
   openldap2-client package must be installed.

   To use LDAP, the server process dynamically loads a libldap.so
   library.
   The SQL/R specific lib directory has precedence in locating the
   library. The LD_LIBRARY_PATH environment variable may be used to
   select a specific library to be loaded. Otherwise the system default
   is used.

Windows:

   The built-in winldap functionality is used to access the LDAP server.

   To use an encrypted LDAP connection (ldaps protocol) the server
   certificate must be imported. Otherwise an encrypted connection is
   not possible.
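The following Python model is an added illustration of the authorization rules described above (bind only versus bind plus LdapFILTER) and of the anonymous-binding caveat; it is not part of this README or of SQLR. It assumes a constructed in-memory directory in place of a real LDAP server, and the RFC 4515 escaping applied to the login before it is combined into the (cn=login) search is an assumption, since the README does not state how SQLR escapes it.

```python
import re

# Constructed stand-in for the directory entries (not a real LDAP server).
USERS_BASE = "cn=users,dc=marxmeier,dc=com"
ODBC_GROUP = "cn=ODBC," + USERS_BASE
DIRECTORY = {
    "jdoe":   {"userPassword": "s3cret", "memberOf": [ODBC_GROUP]},
    "asmith": {"userPassword": "pa55",   "memberOf": []},
}

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter.
    Assumption: the README does not say how SQLR escapes the login."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def build_user_filter(login, ldap_filter=None):
    """Combine the (cn=login) search with LdapFILTER as the README describes."""
    user = "(cn=%s)" % escape_filter_value(login)
    return "(&%s%s)" % (user, ldap_filter) if ldap_filter else user

class FakeLdap:
    """Simulated server supporting only simple bind and the memberOf
    check used by the README's example filter."""
    def __init__(self, anonymous_bind=True):
        self.anonymous_bind = anonymous_bind

    def simple_bind(self, login, password):
        if password == "":   # empty password means anonymous bind (RFC 4513)
            return self.anonymous_bind
        entry = DIRECTORY.get(login)
        return entry is not None and entry["userPassword"] == password

    def search_member(self, base, login, group_dn):
        """Number of entries matching the combined user/memberOf filter."""
        entry = DIRECTORY.get(login)
        return 1 if entry and group_dn in entry["memberOf"] else 0

def authorize(ldap, login, password, base, group_dn=None):
    """README rule: with LdapFILTER, authorized iff the search returns a
    result; without it, authorized iff the bind with the credentials succeeds."""
    if not ldap.simple_bind(login, password):
        return False
    if group_dn is None:
        return True
    return ldap.search_member(base, login, group_dn) > 0
```

With anonymous binding allowed and no LdapFILTER, authorize() accepts an unknown login with an empty password; adding the group filter or disabling anonymous binding closes that path.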