Defining an LDAP scheme
DataStax Enterprise supports LDAP for:
-
Authentication: DSE passes through the credentials to the configured LDAP.
-
Role management: DSE looks up the authenticated user and retrieves a list of LDAP groups and then matches LDAP group names to DSE role names.
DataStax Enterprise allows you to adjust the LDAP connection using the LDAP tuning switches. To debug LDAP connections enable logging, see Enabling authentication debug. |
All permissions granted to roles that reflect LDAP groups to which the user belongs – directly or indirectly – are inherited. The inherited permissions include login permission, scheme permissions, proxy execution permissions, and object permissions. |
Prerequisites
Complete Enabling DSE Unified Authentication with the following options:
-
For authentication, ensure that
authentication_options.scheme:ldap
orauthentication_options.other_scheme:ldap
is set in the dse.yaml:authentication_options: ... scheme: ldap
-
For role management, ensure that
role_management_options.mode: ldap
is set in the dse.yaml:role_management_options: ... mode: ldap
Ensure that a supported LDAP v3 server is available. DataStax Enterprise supports:
-
Microsoft Active Directory:
-
Windows 2008
-
Windows 2012
-
-
OpenLDAP 2.4.x
-
Oracle Directory Server Enterprise Edition 11.1.1.7.0
Procedure
-
On every node configure the LDAP options in the dse.yaml.
For multi-datacenter support, use the nearest available LDAP host.
-
Configure the following options when using an LDAP scheme for authentication or role management:
Example of AD authentication minimum settings:
ldap_options: server_host: win2012ad_server.mycompany.lan server_port: 389 search_dn: cn=lookup_user,cn=users,dc=win2012domain,dc=mycompany,dc=lan search_password: lookup_user_password use_ssl: false use_tls: false hostname_verification: false truststore_path: <path/to/truststore> truststore_password: <passwordToTruststore> truststore_type: jks user_search_base: cn=users,dc=win2012domain,dc=mycompany,dc=lan user_search_filter: (sAMAccountName={0}) credentials_validity_in_ms: 0 search_validity_in_seconds: 0 connection_pool: max_active: 8 max_idle: 8
-
Configure all required settings:
Option Description server_host
Host name of the LDAP server.
server_port
Port on which the LDAP server listens. The default port for unencrypted connections is 389. The default SSL port for LDAP is 636.
search_dn
Distinguished name (DN) of an account with read access to the
user_search_base
andgroup_search_base
. Comment out to use an anonymous bind.search_password
Password of the
search_dn
user.user_search_base
Distinguished name (DN) of the object to start the recursive search for user entries for authentication and role management memberof searches. For example to search all users in example.com,
ou=users,dc=example,dc=com
.Active Directory uses a different search base, typicallyCN=search,CN=Users,DC=<ActDir_domname>,DC=internal
. For example,CN=search,CN=Users,DC=example,DC=internal
.user_search_filter
Attribute that identifies the user. The default setting is
(uid={0})
.When using Active Directory set the filter to(sAMAccountName={0})
. -
Configure optional settings:
Option Description use_ssl
Set to
true
to enable SSL connections to the LDAP server. If set totrue
, you might need to changeserver_port
to the SSL port of the LDAP server.The default value isfalse
.use_tls
Set to
true
to enable TLS connections to the LDAP server. If set totrue
, change theserver_port
to the TLS port of the LDAP server. The default value isfalse
.hostname_verification
Sets whether hostname verification occurs for SSL/TLS connections. Enabling the hostname verification check requires the following conditions:
-
Set
use_ssl
oruse_tls
totrue
. -
Set
truststore_path
so that it points to a valid truststore; meaning, the truststore has a certificate entry (trustedCertEntry
) that specifies a SAN DNSName entry matching thehostname
of the LDAP server. -
Set this
hostname_verification
property totrue
DSE throws a configuration exception ifhostname_verification
istrue
but the related conditions are not met. Default:false
truststore_path
The path to the truststore for SSL certificates.
truststore_password
The password to access the trust store.
truststore_type
The type of truststore. The default value is
jks
.credentials_validity_in_ms
The duration period in milliseconds for the credential cache.To disable the cache, set it to 0. The cache is disabled by default.With the cache enabled, DataStax Enterprise stores the user credentials locally during the specified time. Binding to a remote LDAP server takes time and resources, so enabling a credential cache usually results in faster performance following the initial authentication phase. Changes in user credentials on the LDAP server are not reflected in DataStax Enterprise during the cache period.
search_validity_in_seconds
The duration period in seconds for the search cache. To disable the cache, set it to 0. The cache is disabled by default.Enabling a search cache improves performance by reducing the number of requests that are sent to the LDAP server. Changes in user data on the LDAP server are not reflected during the cache period.
connection_pool
The configuration settings for the connection pool for making LDAP requests.
max_active
The maximum number of active connections to the LDAP server. The default value is 8.
max_idle
The maximum number of idle connections in the pool awaiting requests. The default value is 8.
-
-
-
For Role Management mode ldap, choose one of the following:
-
Option 1. Configure DSE to get a list of groups from an attribute of the user entry:
user_memberof_attribute: memberof group_search_type: memberof_search
memberof
is the name of the attribute that contains a list of groups in the default Microsoft Active Directory LDAP scheme. OpenLDAP does not have a member of attribute by default.Options for user attribute Option Setting Description user_memberof_attribute
memberof
Attribute that contains a list of group names; role manager assigns DSE roles that exactly match any in the list.
Unmatched groups are ignored.
group_search_type
memberof_search
Recursively search for user entries using the
user_search_base
anduser_search_filter
. -
Option 2. Configure DSE to search all group objects from the search base and return a list of groups that contain the user:
group_search_type: directory_search group_search_base: <DN> group_search_filter: (uniquemember={0}) group_name_attribute: <CN>
uniquemember
is the name of the attribute that contains a list of users in the default Microsoft Active Directory LDAP scheme for group.Options for group options Option Setting Description group_search_type
directory_search
Recursively search for group objects using the
group_search_base
.group_search_base
<DN>
Identifies the location that role manager starts the recursive check for groups that contain the user. For example to check all internal groups of example.com:
cn=internal ou=group,dc=example,dc=com
.group_search_filter
(uniquemember={0})
Attribute that matches the user name. In most LDAP services the attribute is
uniquemember
.group_name_attribute
cn
Attribute that contains the group name that role manager matches to a configured DSE role. Group name must match the DSE role name exactly including case.
Unmatched groups are ignored.
-
-
Perform a rolling restart to implement the changes.
When adding LDAP to and authentication enabled DSE environment, DataStax recommends setting up roles for LDAP users and groups before restarting.