Enabling LDAP authentication
LDAP authentication is enabled by configuring DataStax Enterprise to use an external LDAP server.
Prerequisites
You must have a properly configured LDAP v3 server running. The supported LDAP servers are:
- Microsoft Active Directory:
  - Windows 2008
  - Windows 2012
- OpenLDAP 2.4.x
- Oracle Directory Server Enterprise Edition 11.1.1.7.0
Procedure
- Open the cassandra.yaml file in a text editor and set the authenticator to com.datastax.bdp.cassandra.auth.LdapAuthenticator:
    authenticator: com.datastax.bdp.cassandra.auth.LdapAuthenticator
  The location of the cassandra.yaml file depends on the type of installation:
  - Package installations: /etc/dse/cassandra/cassandra.yaml
  - Tarball installations: install_location/resources/cassandra/conf/cassandra.yaml
- Open the dse.yaml file in a text editor and set the configuration for your LDAP server. The settings are only used if the authenticator is set to com.datastax.bdp.cassandra.auth.LdapAuthenticator in cassandra.yaml.
  The location of the dse.yaml file depends on the type of installation:
  - Installer-Services: /etc/dse/dse.yaml
  - Package installations: /etc/dse/dse.yaml
  - Installer-No Services: install_location/resources/dse/conf/dse.yaml
  - Tarball installations: install_location/resources/dse/conf/dse.yaml
  Options:
  - server_host: The host name of the LDAP server.
  - server_port: The port on which the LDAP server listens. The default value is 389. The default SSL port for LDAP is 636.
  - search_dn: The username of the user that is used to search for other users on the LDAP server.
  - search_password: The password of the search_dn user.
  - use_ssl: Set to true to enable SSL connections to the LDAP server. If set to true, you may need to change server_port to the SSL port of the LDAP server. The default value is false.
  - use_tls: Set to true to enable TLS connections to the LDAP server. If set to true, you may need to change server_port to the TLS port of the LDAP server. The default value is false.
  - truststore_path: The path to the trust store for SSL certificates.
  - truststore_password: The password to access the trust store.
  - truststore_type: The type of trust store. The default value is jks.
  - user_search_base: The search base for your domain, used to look up users. Set the ou and dc elements for your LDAP domain. Typically this is set to ou=users,dc=domain,dc=top level domain; for example, ou=users,dc=example,dc=com. Active Directory uses a different search base, typically CN=search,CN=Users,DC=Active Directory domain name,DC=internal; for example, CN=search,CN=Users,DC=example-sales,DC=internal.
  - user_search_filter: The search filter for looking up usernames. The default setting is (uid={0}). When using Active Directory, set the filter to (sAMAccountName={0}).
  - search_validity_in_seconds: The duration period in milliseconds for the search cache. To disable the cache, set it to 0. The cache is disabled by default. Enabling a search cache reduces the number of requests sent to the LDAP server, improving performance. Changes in user data on the LDAP server will not be reflected during the cache period, however.
  - credentials_validity_in_ms: The duration period in milliseconds for the credential cache. To disable the cache, set it to 0. The cache is disabled by default. With the cache enabled, DataStax Enterprise stores the user credentials locally for the period set in credentials_validity_in_ms. Binding to a remote LDAP server takes time and resources, so enabling a credential cache usually results in faster performance after the initial authentication phase. Changes in user credentials on the LDAP server, however, will not be reflected in DataStax Enterprise during the cache period.
  - connection_pool: The configuration settings for the connection pool used for making LDAP requests.
    - max_active: The maximum number of active connections to the LDAP server. The default value is 8.
    - max_idle: The maximum number of idle connections in the pool awaiting requests. The default value is 8.
  For example:
    ldap_options:
      server_host: localhost
      server_port: 389
      search_dn: cn=Admin
      search_password: secret
      use_ssl: false
      use_tls: false
      truststore_path:
      truststore_password:
      truststore_type: jks
      user_search_base: ou=users,dc=example,dc=com
      user_search_filter: (uid={0})
      credentials_validity_in_ms: 0
      connection_pool:
        max_active: 8
        max_idle: 8
- Repeat these steps on each node in the cluster.
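As an added check that is not part of the DataStax documentation, the following Python script parses the ldap_options block of dse.yaml (the flat key: value subset shown above) and reports settings that weaken authentication or delay revocation: no SSL/TLS towards a non-local server, SSL/TLS enabled without a trust store, an Active Directory style search base paired with a filter that is not (sAMAccountName={0}), and a non-zero credential cache. Treating a search base that starts with CN= as Active Directory is an assumption of this script, and the SAMPLE configuration is constructed for the example.

```python
def parse_ldap_options(text):
    """Parse the `key: value` YAML subset of ldap_options (scalars plus one nested map); assumption: no lists or quoting."""
    opts, parent = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "ldap_options:":
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if raw.startswith("    ") and parent is not None:  # child of the preceding empty key
            if not isinstance(opts[parent], dict):
                opts[parent] = {}
            opts[parent][key] = value
        else:
            opts[key] = value
            parent = key if value == "" else None  # an empty value may be opening a map
    return opts

def audit_ldap_options(opts):
    """Return findings for settings that weaken authentication or delay revocation."""
    findings = []
    encrypted = opts.get("use_ssl") == "true" or opts.get("use_tls") == "true"
    if not encrypted and opts.get("server_host") not in ("localhost", "127.0.0.1"):
        findings.append("cleartext: use_ssl and use_tls are both false, so search_dn and user passwords cross the network unencrypted")
    if encrypted and not opts.get("truststore_path"):
        findings.append("truststore_path is empty while SSL/TLS is enabled; the LDAP server certificate cannot be verified")
    base, filt = opts.get("user_search_base", ""), opts.get("user_search_filter", "")
    if base.upper().startswith("CN=") and "sAMAccountName" not in filt:  # assumption: CN= base means Active Directory
        findings.append("Active Directory style search base with a non-AD filter; set user_search_filter to (sAMAccountName={0})")
    cache_ms = int(opts.get("credentials_validity_in_ms") or 0)
    if cache_ms > 0:
        findings.append(f"credentials cached for {cache_ms} ms; LDAP password changes are not seen until the cache expires")
    return findings

# Constructed sample: the page's example pointed at a remote Active Directory host with caching on.
SAMPLE = """ldap_options:
  server_host: ldap.example.internal
  use_ssl: false
  use_tls: false
  truststore_path:
  user_search_base: CN=search,CN=Users,DC=example-sales,DC=internal
  user_search_filter: (uid={0})
  credentials_validity_in_ms: 60000
  connection_pool:
    max_active: 8
    max_idle: 8
"""

if __name__ == "__main__":
    print(*audit_ldap_options(parse_ldap_options(SAMPLE)), sep="\n")
```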