Dynamically set LDAP Authenticator Connection Search Password

With LDAP enabled on your nodes, you can dynamically set a new value for the DSE LdapAuthenticator bean’s ConnectionSearchPassword attribute — without having to change static configuration in dse.yaml or system properties — by using a JMX console at runtime.

Prerequisites

If you haven’t already, enable LDAP.

In cassandra.yaml, verify that DSE Unified Authentication and Authorization features are configured. The following settings are defined by default.

  • Verify that authenticator is set to DseAuthenticator in cassandra.yaml.

    authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator
  • Verify that authorizer is set to DseAuthorizer in cassandra.yaml.

    authorizer: com.datastax.bdp.cassandra.auth.DseAuthorizer
  • Verify that role_manager is set to DseRoleManager in cassandra.yaml.

    role_manager: com.datastax.bdp.cassandra.auth.DseRoleManager

In dse.yaml, verify that LDAP has been enabled via the definition of an LDAP Scheme.

If you haven’t already, after any updates in cassandra.yaml and dse.yaml (to enable LDAP), restart DSE on all nodes. See Starting DataStax Enterprise as a service or Starting DataStax Enterprise as a stand-alone process.

Procedure via a JMX console

With LDAP enabled and DSE running, use a JMX console to navigate to the LdapAuthenticator bean. This example uses JConsole.

  1. In JConsole, connect to the running DSE process, com.datastax.bdp.DseModule. Example:

    [Screenshot: The initial Connection screen in JConsole]
  2. On the Mbeans tab, under com.datastax.bdp.core, navigate to the LdapAuthenticator bean. The ObjectName is com.datastax.bdp:type=core,name=LdapAuthenticator, and the interfaceClassName is com.datastax.bdp.cassandra.auth.LdapUtilsMXBean.

    [Screenshot: The LdapAuthenticator bean on the MBeans tab of a running JConsole session]
  3. Open the Attributes pane, click into the Value column for the ConnectionSearchPassword attribute, and enter a new password. Example:

    [Screenshot: Setting a new ConnectionSearchPassword attribute’s value in JConsole]

    Never use passwords from documentation examples in your environment.

  4. Click Refresh. (The entered value is not displayed.)

  5. Result: the new ConnectionSearchPassword value is dynamically activated and used by the DSE LDAP Authenticator.
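
The same attribute can be set with the standard Java JMX client API instead of JConsole. This is an added example, not DataStax code: the class name SetLdapSearchPassword is hypothetical, the host, JMX port and optional JMX user are passed as arguments, and it assumes the attribute is writable as a String and that JMX authentication, if enabled, uses a username and password.

```java
import java.io.Console;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.management.Attribute;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

public class SetLdapSearchPassword {
    // ObjectName and attribute name as given in the procedure above.
    static final String BEAN = "com.datastax.bdp:type=core,name=LdapAuthenticator";
    static final String ATTR = "ConnectionSearchPassword";

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length < 2 || console == null) {
            System.err.println("usage (interactive terminal): "
                + "java SetLdapSearchPassword <host> <jmxPort> [jmxUser]");
            System.exit(2);
        }
        JMXServiceURL url = new JMXServiceURL(
            "service:jmx:rmi:///jndi/rmi://" + args[0] + ":" + args[1] + "/jmxrmi");
        // Prompt for secrets so they never appear in argv or shell history.
        Map<String, Object> env = new HashMap<>();
        if (args.length > 2) {
            char[] jmxPw = console.readPassword("JMX password for %s: ", args[2]);
            if (jmxPw == null) System.exit(1);   // input closed before a password was read
            env.put(JMXConnector.CREDENTIALS, new String[] {args[2], new String(jmxPw)});
        }
        char[] ldapPw = console.readPassword("New %s: ", ATTR);
        char[] repeat = console.readPassword("Repeat new %s: ", ATTR);
        if (ldapPw == null || ldapPw.length == 0 || !Arrays.equals(ldapPw, repeat)) {
            System.err.println("Empty or mismatched password; nothing changed.");
            System.exit(1);
        }
        try (JMXConnector jmxc = JMXConnectorFactory.connect(url, env)) {
            MBeanServerConnection mbsc = jmxc.getMBeanServerConnection();
            // Assumption: the attribute is writable and takes a String value.
            mbsc.setAttribute(new ObjectName(BEAN), new Attribute(ATTR, new String(ldapPw)));
            System.out.println(ATTR + " updated on " + args[0] + ":" + args[1]);
        } finally {
            Arrays.fill(ldapPw, '\0');   // best-effort scrub of the local copy
            Arrays.fill(repeat, '\0');
        }
    }
}
```

A JMX connection reaches a single DSE process, so run it against each node that should use the new password.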


© 2024 DataStax