Linux DSN Configuration
This section describes how to set up ODBC connectivity and configure DSNs on several Linux distributions: Debian-based systems, like Ubuntu, and Red Hat Linux platforms, like Red Hat Enterprise Linux (RHEL) and Fedora.
Minimum Linux Versions
Here are the minimum supported versions for Red Hat-based and Debian-based systems:
| OS | Min. Version |
| Ubuntu | 18.04 |
| Debian | 10 |
| RHEL | 8 |
| Fedora | 28 |
| SUSE | 15 |
Installing the Driver Dependencies
Run the following commands as root or with sudo to install the necessary dependencies:
- Debian/Ubuntu:
apt-get install libc6 libstdc++6 zlib1g libgcc1
- RHEL/Fedora:
yum install glibc libstdc++ zlib libgcc
Installing the Driver
You can use standard package management systems to install the driver.
On Debian-based systems, like Ubuntu, run the following command with root or sudo:
dpkg -i /path/to/driver/setup/CDSODBCDriverforUnix.deb
On systems that support the RPM package format, run the following command with root or sudo:
rpm -ivh /path/to/driver/CDSODBCDriverforUnix.rpm
Licensing the Driver
Run the following commands to license the driver. To activate a trial, omit the <key> input.
cd /opt/cdata/cdata-odbc-driver-for-cds/bin/
sudo ./install-license.sh <key>
Connecting through the Driver Manager
The driver manager loads the driver and passes function calls from the application to the driver. You need to register the driver with the driver manager and you define DSNs in the driver manager's configuration files.
The driver installation registers the driver with the unixODBC driver manager and creates a system DSN. The unixODBC driver manager can be used from Python and from many other applications. Your application may embed another driver manager.
Creating the DSN
See Using unixODBC to install unixODBC and configure DSNs. See Using the DataDirect Driver Manager to create a DSN to connect to OBIEE, Informatica, and SAS.
Schema
Microsoft Dataverse supports two values for the Schema property, System and Entities.
- System: uses the Web API to query entities and tables directly.
- Entities: uses the EntityDefinitions entity set path to retrieve metadata about EntityMetadata entities and tables. This typically provides more user-friendly names, but requires additional metadata requests.
Connecting to Microsoft Dataverse
To authenticate to the Microsoft Dataverse source, begin by setting the OrganizationURL property to the URL of the organization you are connecting to.
For example: https://[organization].crm.dynamics.com.
Entra ID (Azure AD)
Note: Microsoft has rebranded Azure AD as Entra ID. In topics that require the user to interact with the Entra ID Admin site, we use the same names Microsoft does. However, there are still CData connection properties whose names or values reference "Azure AD".
The driver supports authentication to Microsoft Dataverse through OAuth 2.0, using Entra ID. The specific OAuth behavior depends on the value of the AuthScheme connection property, which determines the authentication flow used.
The following table outlines the relationship between AuthScheme, OAuth grant types, and typical use cases:
| AuthScheme | OAuth Grant Type | Use Case |
| AzureAD | Authorization Code | User login with browser interaction (desktop/web), or on a separate device in headless environments |
| AzureServicePrincipal | Client Credentials | Application-only access using client secret |
| AzureServicePrincipalCert | Client Credentials | Application-only access using certificate-based authentication |
| AzureMSI | Managed Identity | Azure-hosted apps/services using Azure's Managed Identity |
Authorization Code Flow for Desktop Applications
This flow is designed for scenarios that require user login through a browser.
CData provides an embedded OAuth application that simplifies OAuth desktop authentication using the Authorization Code grant type. Alternatively, you can create a custom OAuth application. See Creating an Entra ID (Azure AD) Application for information about creating custom applications. The only difference between these two approaches is that custom applications require you to set two additional connection properties during configuration.
After setting the following connection properties, you are ready to connect:
- OAuthClientId: (custom applications only) Set this to the client Id in your application settings.
- OAuthClientSecret: (custom applications only) Set this to the client secret in your application settings.
- CallbackURL: Set this to the Redirect URL in your application settings.
When you connect, the driver opens the OAuth authorization endpoint in your default browser. Log in and grant permissions to the application.
Authorization Code Flow for Headless Machines
A headless machine is one that does not have a browser interface. Because OAuth requires user interaction in a browser, you must perform the authentication on another machine that has one. After completing the authentication, transfer the credentials to the headless machine.
There are two supported options:
- Authenticate on another device and manually copy the verifier code.
- Complete authentication on another machine and transfer the saved OAuth settings file.
After completing either option, configure the driver to automatically refresh the access token on the headless machine.
Option 1: Obtain and Exchange a Verifier Code
Use another machine with a browser to generate the OAuth verifier code.
On a device with a browser, choose one of the following methods:
- Embedded OAuth Application:
The driver automatically generates and opens the OAuth authorization URL in your default browser. When the browser window appears, sign in with your Microsoft account and grant any requested permissions. After authentication, you are redirected to the callback URL, which includes a verifier code in the query string. Copy the value of the code parameter as this is your verifier code for the OAuthVerifier connection property.
- Custom OAuth Application:
Manually configure the following connection properties:
- InitiateOAuth: Set to OFF.
- OAuthClientId: Set to the client ID assigned to your registered application.
- OAuthClientSecret: Set to the client secret assigned to your registered application.
Then call the GetOAuthAuthorizationUrl stored procedure with the appropriate CallbackURL. Open the URL returned by the procedure in your browser, log in, and grant permissions to the application. You are redirected to the callback URL, which includes the verifier code in the query string. Copy the value of the code parameter as this is your verifier code.
Next: Exchange the Verifier Code for tokens
On the headless machine, set the following connection properties to exchange the verifier code for access and refresh tokens:
- InitiateOAuth: Set to REFRESH.
- OAuthVerifier: Set to the verifier code you obtained above.
- OAuthClientId: (custom applications only) Set to your registered client ID.
- OAuthClientSecret: (custom applications only) Set to your registered client secret.
- OAuthSettingsLocation: Set to the file path where the driver should store the token values.
After this exchange completes and the settings file is generated, reconfigure your connection as follows:
- InitiateOAuth: Set to REFRESH.
- OAuthClientId: (custom applications only) Set to your registered client ID.
- OAuthClientSecret: (custom applications only) Set to your registered client secret.
- OAuthSettingsLocation: Set to the location of the saved settings file. Ensure it is readable and writable by the driver so that tokens can be refreshed automatically.
Option 2: Transfer OAuth Settings
In this method, you complete the full OAuth flow on a browser-enabled machine, then transfer the resulting settings file to the headless machine.
- On the browser-enabled machine, set up the connection as described under Desktop Applications.
- After authentication, the driver saves the encrypted token values to the file specified by OAuthSettingsLocation. The default filename is OAuthSettings.txt.
- Test the connection to confirm the file works as expected, then copy the file to the headless machine.
On the headless machine, configure the connection as follows:
- InitiateOAuth: Set to REFRESH.
- OAuthClientId: (custom applications only) Set to your registered client ID.
- OAuthClientSecret: (custom applications only) Set to your registered client secret.
- OAuthSettingsLocation: Set to the path of the copied OAuth settings file. Ensure the file grants read/write permissions to the driver.
Client Credentials
Client credentials refers to a flow in OAuth where there is no direct user authentication taking place. Instead, credentials are created for just the app itself. All tasks taken by the application are done without a default user context. This makes the authentication flow a bit different from standard.Client OAuth Flow
All permissions related to the client oauth flow require admin consent. This means the app embedded with the CData ODBC Driver for Microsoft Dataverse cannot be used in the client oauth flow. You must create your own OAuth app in order to use client credentials. See Creating an Entra ID (Azure AD) Application for more details.
In your App Registration in portal.azure.com, navigate to API Permissions and select the Microsoft Graph permissions. There are two distinct sets of permissions - Delegated and Application permissions. The permissions used during client credential authentication are under Application Permissions. Select the applicable permissions you require for your integration.
You are ready to connect after setting one of the below connection properties groups depending on the authentication type.
- Client Secret
- AuthScheme Set this to AzureServicePrincipal.
- InitiateOAuth: Set this to GETANDREFRESH. You can cuse InitiateOAuth to avoid repeating the OAuth exchange and manually setting the OAuthAccessToken.
- AzureTenant: Set this to the tenant you wish to connet to.
- OAuthClientId: Set this to the Client Id in your app settings.
- OAuthClientSecret: Set this to the Client Secret in your app settings.
- Certificate
- AuthScheme Set this to AzureServicePrincipalCert.
- InitiateOAuth: Set this to GETANDREFRESH. You can use InitiateOAuth to avoid repeating the OAuth exchange and manually setting the OAuthAccessToken.
- AzureTenant: Set this to the tenant you wish to connect to.
- OAuthClientId: Set this to the Client Id in your app settings.
- OAuthJWTCert: Set this to the JWT Certificate store.
- OAuthJWTCertType: Set this to the type of the certificate store specified by OAuthJWTCert.
Authentication with client credentials will take place automatically like any other connection, except there will be no window opened prompting the user. Because there is no user context, there is no need for a browser popup. Connections will take place and be handled internally.
Azure Service Principal
Note: Microsoft has rebranded Azure AD as Entra ID. In topics that require the user to interact with the Entra ID Admin site, we use the same names Microsoft does. However, there are still CData connection properties whose names or values reference "Azure AD".
Azure Service Principal is role-based application-based authentication. This means that authentication is done per application, rather than per user.
All tasks taken on by the application are executed without a default user context, but based on the assigned roles.
The application access to the resources is controlled through the assigned roles' permissions.
For information about how to set up Azure Service Principal authentication, see Creating a Service Principal App in Entra ID (AzureAD).
Managed Service Identity (MSI)
If you are running Microsoft Dataverse on an Azure VM and want to automatically obtain Managed Service Identity (MSI) credentials to connect, set AuthScheme to AzureMSI.
User-Managed Identities
To obtain a token for a managed identity, use the OAuthClientId property to specify the managed identity's client_id.If your VM has multiple user-assigned managed identities, you must also specify OAuthClientId.
Refreshing OAuth Values
The driver can refresh the temporary OAuth access tokens obtained during the browser-based OAuth authentication exchange. By default, the driver saves the encrypted tokens in the odbc.ini file corresponding to the DSN. Access to this odbc.ini file can be restricted in the case of System DSNs.
To enable the automatic token exchange, you can give the driver write access to the system odbc.ini. Or, you can set the OAuthSettingsLocation connection property to an alternate file path, to which the driver would have read and write access.
OAuthSettingsLocation=/tmp/oauthsettings.txt
Installing Dependencies for OAuth Authentication
The OAuth authentication standard requires the authenticating user to interact with Microsoft Dataverse, using a web-browser. If the first OAuth interaction is to be done on the same machine the driver is installed on, for example, a desktop application, the driver needs access to the xdg-open program, which opens the default browser.
To satisfy this dependency, install the corresponding package with your package manager:
| Debian/Ubuntu Package | RHEL/Fedora Package | File |
| xdg-utils | xdg-utils | xdg-open |
Set the Driver Encoding
The ODBC drivers need to specify which encoding to use with the ODBC Driver Manager. By default, the CData ODBC Drivers for Unix are configured to use UTF-16 which is compatible with unixODBC, but other Driver Managers may require alternative encoding.
Alternatively, if you are using the ODBC driver from an application that uses the ANSI ODBC API it may be necessary to set the ANSI code page. For example, to import Japanese characters in an ANSI application, you can specify the code page in the config file '/opt/cdata/cdata-odbc-driver-for-cds/lib/cdata.odbc.cds.ini':
[Driver]
AnsiCodePage = 932