Configuring LDAP authentication
Steps for configuring DSE to use an external LDAP server to enable LDAP authentication.
LDAP authentication is enabled by configuring DataStax Enterprise to use an external LDAP server. When using LDAP authentication, DataStax recommends using the DSE Role Manager with LDAP roles.
The following rules apply when LDAP groups are used:
- Each LDAP user must map to an LDAP group.
- Each LDAP group must be mapped to an internal Cassandra role that was created with the CREATE ROLE command. Roles in LDAP are case sensitive. Cassandra roles are created with lower case. To retain the case of LDAP groups when you create the Cassandra role, use single quotation marks. For example, to create the Admin group:
    CREATE ROLE 'Admin'
  Otherwise,
    CREATE ROLE Admin
  creates the lower case admin role.
- Each role must have the appropriate login privileges.
- Any users mapped to the LDAP group can authenticate with the cluster.
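The case rule above is easy to get wrong in practice, so here is an added example (not DataStax code) that compares LDAP group names with existing Cassandra role names and emits the quoted CREATE ROLE statements still needed. The group and role names are constructed sample data, the function names are hypothetical, and `WITH LOGIN = true` is an assumed choice for the login privilege.

```python
# Added example: audit LDAP group names against Cassandra role names.
# All group and role names below are constructed sample data.

def cql_role_literal(name: str) -> str:
    """Quote a role name as a CQL string literal so its case is preserved."""
    return "'" + name.replace("'", "''") + "'"


def audit_role_mapping(ldap_groups, cassandra_roles):
    """Classify each LDAP group by how it matches the existing roles.

    Returns a dict with three lists:
      ok            - a role with exactly the same case exists
      case_mismatch - (group, role) pairs that differ only by case
      missing       - no role exists under any casing
    """
    exact = set(cassandra_roles)
    by_lower = {}
    for role in cassandra_roles:
        by_lower.setdefault(role.lower(), []).append(role)

    report = {"ok": [], "case_mismatch": [], "missing": []}
    for group in ldap_groups:
        if group in exact:
            report["ok"].append(group)
        elif group.lower() in by_lower:
            report["case_mismatch"].append((group, by_lower[group.lower()][0]))
        else:
            report["missing"].append(group)
    return report


def create_role_statements(report, login=True):
    """Emit CREATE ROLE statements for groups that have no exact-case role."""
    needed = [g for g, _ in report["case_mismatch"]] + report["missing"]
    flag = "true" if login else "false"  # assumed login setting, adjust per role
    return [f"CREATE ROLE {cql_role_literal(g)} WITH LOGIN = {flag};" for g in needed]


# Constructed sample input: group names as they appear in LDAP,
# and role names as they currently exist in the cluster.
SAMPLE_LDAP_GROUPS = ["Admin", "analysts", "DevOps"]
SAMPLE_CASSANDRA_ROLES = ["admin", "analysts"]

if __name__ == "__main__":
    result = audit_role_mapping(SAMPLE_LDAP_GROUPS, SAMPLE_CASSANDRA_ROLES)
    for stmt in create_role_statements(result):
        print(stmt)
```

A `case_mismatch` entry typically means the role was created without quotation marks; review the lower-case role it names before leaving it in place, since it does not correspond to the LDAP group.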
The location of the cassandra.yaml file depends on the type of installation:

| Installation type | Location |
|---|---|
| Installer-Services | /etc/dse/cassandra/cassandra.yaml |
| Package installations | /etc/dse/cassandra/cassandra.yaml |
| Installer-No Services | install_location/resources/cassandra/conf/cassandra.yaml |
| Tarball installations | install_location/resources/cassandra/conf/cassandra.yaml |

The location of the dse.yaml file depends on the type of installation:

| Installation type | Location |
|---|---|
| Installer-Services | /etc/dse/dse.yaml |
| Package installations | /etc/dse/dse.yaml |
| Installer-No Services | install_location/resources/dse/conf/dse.yaml |
| Tarball installations | install_location/resources/dse/conf/dse.yaml |

Prerequisites
You must have a properly configured LDAP v3 server running. The supported LDAP servers are:
- Microsoft Active Directory:
  - Windows 2008
  - Windows 2012
- OpenLDAP 2.4.x
- Oracle Directory Server Enterprise Edition 11.1.1.7.0