Enabling LDAP authentication

Configuring DataStax Enterprise to use an external LDAP server to enable LDAP authentication.

LDAP authentication is enabled by configuring DataStax Enterprise to use an external LDAP server.

Prerequisites

You must have a properly configured LDAP v3 server running. The supported LDAP servers are:

  • Microsoft Active Directory:
    • Windows 2008
    • Windows 2012
  • OpenLDAP 2.4.x
  • Oracle Directory Server Enterprise Edition 11.1.1.7.0

Procedure

  1. Open the cassandra.yaml file in a text editor and set the authenticator to com.datastax.bdp.cassandra.auth.LdapAuthenticator:
    authenticator: com.datastax.bdp.cassandra.auth.LdapAuthenticator
    The location of the cassandra.yaml file depends on the type of installation:
    Package installations: /etc/dse/cassandra/cassandra.yaml
    Tarball installations: install_location/resources/cassandra/conf/cassandra.yaml
  2. Open the dse.yaml file in a text editor and set the configuration for your LDAP server. These settings take effect only when the authenticator in cassandra.yaml is set to com.datastax.bdp.cassandra.auth.LdapAuthenticator.
    The location of the dse.yaml file depends on the type of installation:
    Installer-Services: /etc/dse/dse.yaml
    Package installations: /etc/dse/dse.yaml
    Installer-No Services: install_location/resources/dse/conf/dse.yaml
    Tarball installations: install_location/resources/dse/conf/dse.yaml
    The ldap_options settings in dse.yaml are:
    server_host
        The host name of the LDAP server.
    server_port
        The port on which the LDAP server listens. The default value is 389. The default SSL port for LDAP is 636.
    search_dn
        The user name (distinguished name) of the account that DataStax Enterprise uses to search for other users on the LDAP server.
    search_password
        The password of the search_dn user.
    use_ssl
        Set to true to enable SSL connections to the LDAP server. If set to true, you may need to change server_port to the SSL port of the LDAP server. The default value is false.
    use_tls
        Set to true to enable TLS connections to the LDAP server. If set to true, you may need to change server_port to the TLS port of the LDAP server. The default value is false.
    truststore_path
        The path to the trust store that holds the SSL certificates.
    truststore_password
        The password to access the trust store.
    truststore_type
        The type of trust store. The default value is jks.
    user_search_base
        The search base for your domain, used to look up users. Set the ou and dc elements for your LDAP domain. Typically this is ou=users,dc=domain,dc=top-level-domain; for example, ou=users,dc=example,dc=com.
        Active Directory uses a different search base, typically CN=search,CN=Users,DC=Active Directory domain name,DC=internal; for example, CN=search,CN=Users,DC=example-sales,DC=internal.
    user_search_filter
        The search filter for looking up user names; {0} is replaced by the login name. The default setting is (uid={0}). When using Active Directory, set the filter to (sAMAccountName={0}).
    search_validity_in_seconds
        The length of time, in seconds, that entries in the search cache remain valid. To disable the cache, set it to 0. The cache is disabled by default.
        Enabling a search cache reduces the number of requests sent to the LDAP server, which improves performance. However, changes to user data on the LDAP server are not reflected until the cache period expires.
    credentials_validity_in_ms
        The length of time, in milliseconds, that entries in the credential cache remain valid. To disable the cache, set it to 0. The cache is disabled by default.
        With the cache enabled, DataStax Enterprise stores user credentials locally for the period set in credentials_validity_in_ms. Binding to a remote LDAP server takes time and resources, so enabling a credential cache usually results in faster authentication after the initial authentication phase. However, changes to user credentials on the LDAP server are not reflected in DataStax Enterprise until the cache period expires.
    connection_pool
        The configuration settings for the connection pool used to make LDAP requests.
        max_active
            The maximum number of active connections to the LDAP server. The default value is 8.
        max_idle
            The maximum number of idle connections in the pool awaiting requests. The default value is 8.
    An example ldap_options section:
    ldap_options:
        server_host: localhost
        server_port: 389
        search_dn: cn=Admin
        search_password: secret
        use_ssl: false
        use_tls: false
        truststore_path:
        truststore_password:
        truststore_type: jks
        user_search_base: ou=users,dc=example,dc=com
        user_search_filter: (uid={0})
        credentials_validity_in_ms: 0
        connection_pool:
            max_active: 8
            max_idle: 8
  3. Repeat these steps on each node in the cluster.
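The following added example (not DataStax code, and not a description of how DataStax Enterprise validates its own configuration) reads an ldap_options block like the one above, flags transport settings an operator would want to review before restarting the nodes, and shows how the {0} placeholder in user_search_filter is filled in. The sample YAML is constructed for the example, the checks are the example's own rules, and the filter escaping is general search-then-bind practice rather than a claim about DataStax Enterprise internals.

```python
# Added example (not DataStax code): parse ldap_options from dse.yaml, flag weak transport settings, fill {0} safely.

SAMPLE_DSE_YAML = """\
ldap_options:
    server_host: ldap.example.com
    server_port: 389
    search_password: secret
    use_ssl: false
    use_tls: false
    truststore_path:
    user_search_base: ou=users,dc=example,dc=com
    user_search_filter: (uid={0})
    connection_pool:
        max_active: 8
"""  # constructed sample, patterned on the page's example block

def parse_ldap_options(text):
    """Parse the indented 'key: value' YAML subset used by ldap_options (no lists)."""
    stack = [(-1, {})]                         # (indent, mapping) of open mappings
    for raw in filter(str.strip, text.splitlines()):
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack[-1][0] >= indent:          # leave mappings at equal or deeper indent
            stack.pop()
        if value.strip():
            stack[-1][1][key] = value.strip()
        else:                                  # bare key: nested mapping or empty value
            stack[-1][1][key] = {}
            stack.append((indent, stack[-1][1][key]))
    def tidy(d):                               # an empty mapping is really an empty value
        return {k: (tidy(v) if v else "") if isinstance(v, dict) else v for k, v in d.items()}
    return tidy(stack[0][1])

def check_ldap_options(opts):
    """Return problems found in a parsed ldap_options mapping (this example's own rules)."""
    problems, port = [], int(opts.get("server_port", "389"))
    ssl, tls = opts.get("use_ssl") == "true", opts.get("use_tls") == "true"
    if not (ssl or tls):
        problems.append("cleartext LDAP: search_password and user passwords cross the network unprotected")
    if ssl and port == 389:
        problems.append("use_ssl is true but server_port is still 389 (default LDAP SSL port is 636)")
    if (ssl or tls) and not opts.get("truststore_path"):
        problems.append("use_ssl/use_tls set but truststore_path is empty, so no trust store verifies the server")
    return problems

def build_user_filter(template, username):
    """Fill {0} with the username, escaping RFC 4515 filter metacharacters (good search-then-bind practice)."""
    escaped = "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in username)
    return template.replace("{0}", escaped)
```

Running check_ldap_options on the sample reports the cleartext connection; switching use_ssl to true without changing server_port or setting truststore_path reports those two problems instead.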