To enable authentication and authorization, edit
/opt/gpudb/core/etc/gpudb.conf
and set the following properties:

Authentication setting:
- true - require authentication through username/password or LDAP; no
  anonymous login
- false - authentication is allowed, but non-authenticated users are
  logged in as anonymous (default)

Authorization setting:
- true - enforce authorization permissions
- false - no restrictions (default)

With both defaults left in place, any client can connect as anonymous and
no permission checks are applied. The authentication setting must be true
for the LDAP proxy described below to actually gate access; otherwise a
client that skips the proxy, or sends no credentials, still lands as
anonymous.

LDAP integration with Kinetica is accomplished through an Apache httpd
proxy. This proxy comes packaged with Kinetica and can be found in
/opt/gpudb/httpd
. The OpenLDAP server daemon (slapd) is also included in this directory,
and the packaged httpd is preconfigured to work with that instance of
slapd. To use an existing LDAP directory instead, the Location section of
/opt/gpudb/httpd/conf/httpd/httpd.conf
needs to be modified. Since this portion is controlled by Apache httpd,
not Kinetica, see the Apache documentation for further details.
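As an added example, not the httpd.conf that ships with Kinetica, here is the shape of a Location block that authenticates against an existing directory using Apache's mod_authnz_ldap. The Location path, the host ldap.example.com, the base DN dc=example,dc=com, the bind DN, its password and the CA file path are all placeholders; whatever proxy directives the shipped Location block already contains should be kept.

```apache
# Added example, not Kinetica's shipped configuration. Assumed values:
# the Location path, ldap.example.com, dc=example,dc=com, the service
# bind DN, its password and the CA certificate path. Requires mod_ldap
# and mod_authnz_ldap to be loaded.

# Server context (outside <Location>): trust only your directory's CA
# and refuse to talk to a server whose certificate does not verify.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ldap-ca.pem
LDAPVerifyServerCert On

<Location "/">
    AuthType Basic
    AuthName "Kinetica"
    AuthBasicProvider ldap

    # ldaps:// so the credentials httpd relays to the directory are not
    # sent in cleartext. Form: ldap[s]://host:port/basedn?attr?scope?filter
    AuthLDAPURL "ldaps://ldap.example.com:636/ou=people,dc=example,dc=com?uid?sub?(objectClass=person)"

    # Least-privilege service account used only to locate the user's
    # entry; the user's own password is then checked by binding as that
    # entry. Since this password sits in the file in cleartext, keep the
    # file readable by the httpd user only.
    AuthLDAPBindDN "cn=kinetica-search,ou=service,dc=example,dc=com"
    AuthLDAPBindPassword "change-me"

    # Prefer limiting access to a directory group rather than accepting
    # every account that can bind, e.g.
    #   Require ldap-group cn=kinetica-users,ou=groups,dc=example,dc=com
    Require valid-user

    # Keep the ProxyPass and other directives from the shipped file here.
</Location>
```

Two checks worth doing after editing the file: run `apachectl configtest` (or the equivalent for the packaged httpd) before restarting, and confirm that the listener clients talk to is itself TLS, because HTTP Basic sends the user's password to the proxy on every request.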
The included version of OpenLDAP can be started and initialized manually
using the commands:
$ sudo /opt/gpudb/httpd/gpudb-openldap.sh start
$ /opt/gpudb/httpd/openldap/openldap-init.sh
Note: Run /opt/gpudb/httpd/openldap/openldap-init.sh only once, the first
time OpenLDAP is started.
Once connected to an LDAP server, LDAP users can be used for all Kinetica
administration. First, a user with administrative permissions needs to be
created within Kinetica and tied to an LDAP user. To do this:
1. Log in to Kinetica as an administrator (admin / admin by default; change
   this default password before the instance is reachable by anyone else).
   If authentication has not yet been enabled, the username and password
   can be left blank.
2. Create the user with a username prefixed with @ and grant it
   administrative permissions. The @ prefix marks the user as an external
   LDAP user.
Note: Although LDAP users are created with the username @<username>, they
log in with their regular username, without the @.