Defining an LDAP Scheme

DataStax Enterprise (DSE) supports LDAP for:

  • Authentication: DSE passes through the credentials to the configured LDAP.

  • Role management: DSE looks up the authenticated user and retrieves a list of LDAP groups and then matches LDAP group names to DSE role names.

Prerequisites

  1. Locate the dse.yaml configuration file.

    The location of the dse.yaml file depends on the type of installation:

    • Package installations: /etc/dse/dse.yaml

    • Tarball installations: INSTALL_DIRECTORY/resources/dse/conf/dse.yaml

    On every node, you must configure ldap_options in the dse.yaml file.

  2. Enable DSE Unified Authentication:

    1. Ensure that authentication_options.scheme:ldap or authentication_options.other_scheme:ldap is set in the dse.yaml file:

      authentication_options:
      ...
      scheme: ldap

    2. Ensure that role_management_options.mode: ldap is set in the dse.yaml file:

      role_management_options:
      ...
      mode: ldap

  3. Prepare a supported LDAP v3 server:

    • Microsoft Active Directory (AD) Windows 2008 and Windows 2012

    • OpenLDAP 2.4.x

    • Oracle Directory Server Enterprise Edition 11.1.1.7.0

General LDAP settings for authentication and role management modes

Configure general LDAP settings when using an LDAP scheme for authentication, role management, or both.

The following example includes minimum settings for AD authentication:

ldap_options:
    server_host: win2012ad_server.mycompany.lan
    server_port: 389
    search_dn: cn=lookup_user,cn=users,dc=win2012domain,dc=mycompany,dc=lan
    search_password: lookup_user_password
    use_ssl: false
    use_tls: false
    hostname_verification: false
    truststore_path: <path/to/truststore>
    truststore_password: <passwordToTruststore>
    truststore_type: jks
    user_search_base: cn=users,dc=win2012domain,dc=mycompany,dc=lan
    user_search_filter: (sAMAccountName={0})

    credentials_validity_in_ms: 0
    search_validity_in_seconds: 0
    connection_pool:
        max_active: 8
        max_idle: 8

General LDAP settings

server_host (Required)
    Host name of the LDAP server. For multi-datacenter support, use the nearest available LDAP host.

server_port (Required)
    Port on which the LDAP server listens. The default port for unencrypted connections is 389; the default SSL port for LDAP is 636.

search_dn (Required)
    Distinguished name (DN) of an account with read access to the user_search_base and group_search_base. Comment out to use an anonymous bind.

search_password (Required)
    Password of the search_dn user.

user_search_base (Required)
    Distinguished name (DN) of the object at which the recursive search for user entries starts, both for authentication and for role management memberof searches. For example, to search all users in example.com: ou=users,dc=example,dc=com.
    Active Directory uses a different search base, typically in the format CN=search,CN=Users,DC=<ActDir_domname>,DC=internal. For example, CN=search,CN=Users,DC=example,DC=internal.

user_search_filter (Required)
    Attribute that identifies the user. The default setting is (uid={0}). When using Active Directory, set the filter to (sAMAccountName={0}).

use_ssl (Optional)
    Set to true to enable SSL connections to the LDAP server. If set to true, you might need to change server_port to the SSL port of the LDAP server. The default value is false.

use_tls (Optional)
    Set to true to enable TLS connections to the LDAP server. If set to true, change server_port to the TLS port of the LDAP server. The default value is false.

hostname_verification (Optional)
    Sets whether hostname verification occurs for SSL/TLS connections. The default value is false.
    To enable the hostname verification check, you must set all of the following:
      • use_ssl or use_tls must be true.
      • truststore_path must point to a truststore that has a certificate entry (trustedCertEntry), which enables verification of the certificate of the remote host.
      • The certificate of the remote host has a Common Name (CN) or Subject Alternative Name (SAN) DNSName entry that matches the server_host configuration parameter.
      • hostname_verification must be set to true.
    DSE throws a configuration exception if hostname_verification is true but the related configurations are missing or invalid.

truststore_path (Optional)
    The path to the truststore for SSL certificates.

truststore_password (Optional)
    The password to access the truststore.

truststore_type (Optional)
    The type of truststore. The default value is jks.

credentials_validity_in_ms (Optional)
    The duration in milliseconds for the credential cache. The default value is 0, which disables the credential cache. If enabled, DSE stores user credentials locally for the specified time. Binding to a remote LDAP server takes time and resources, so enabling a credential cache usually results in faster performance after the initial authentication. Changes to user credentials on the LDAP server are not reflected in DSE during the cache period.

search_validity_in_seconds (Optional)
    The duration in seconds for the search cache. The default value is 0, which disables the search cache. Enabling a search cache improves performance by reducing the number of requests sent to the LDAP server. Changes to user data on the LDAP server are not reflected during the cache period.

connection_pool (Optional)
    The configuration settings for the connection pool for making LDAP requests.

    max_active (Optional)
        The maximum number of active connections to the LDAP server. The default value is 8.

    max_idle (Optional)
        The maximum number of idle connections in the pool awaiting requests. The default value is 8.
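The hostname_verification preconditions in the table above can be checked before a rolling restart. The following Python script is an added example, not DSE code: it takes the TLS-related ldap_options as a dict (constructed here, covering this page's minimal AD example, a hardened variant with an assumed truststore path, and an invalid combination) and reports which settings DSE would reject and which merely leave the connection unprotected.

```python
"""Static check of the ldap_options TLS settings described above (added example, not DSE code).

It encodes the documented rule that hostname_verification may only be true when
use_ssl or use_tls is true and truststore_path points to a truststore (DSE
rejects the configuration otherwise), and flags the weaker choices that the
minimal AD example on this page makes. Whether the server certificate's CN/SAN
matches server_host can only be checked against the live server, not here.
"""

def check_ldap_options(opts: dict) -> list:
    """Return findings for the TLS-related options; [] means valid and hardened."""
    findings = []
    encrypted = bool(opts.get("use_ssl", False) or opts.get("use_tls", False))
    verify = bool(opts.get("hostname_verification", False))
    truststore = opts.get("truststore_path") or ""
    if verify:
        # These are the preconditions the table lists; DSE throws a
        # configuration exception if they are not met.
        if not encrypted:
            findings.append("ERROR: hostname_verification requires use_ssl or use_tls to be true")
        if not truststore or truststore.startswith("<"):  # unreplaced <placeholder>
            findings.append("ERROR: hostname_verification requires truststore_path")
    else:
        findings.append("WARN: hostname_verification is false; the server identity is not checked")
    if not encrypted:
        findings.append("WARN: bind and user passwords cross the network in cleartext")
    elif opts.get("use_ssl") and opts.get("server_port") == 389:
        findings.append("WARN: use_ssl is true but server_port is still the plaintext default 389")
    return findings

# Constructed input: the TLS-relevant lines of this page's minimal AD example.
PAGE_EXAMPLE = {"server_port": 389, "use_ssl": False, "use_tls": False,
                "hostname_verification": False, "truststore_path": "<path/to/truststore>"}
# Constructed input: the same deployment hardened (LDAPS on 636, verification on;
# the truststore path is an assumed location, not a DSE default).
HARDENED = {"server_port": 636, "use_ssl": True, "use_tls": False,
            "hostname_verification": True, "truststore_path": "/etc/dse/conf/ldap-truststore.jks"}
# Constructed input: verification requested over a plaintext connection; DSE rejects this.
INVALID = {"server_port": 389, "use_ssl": False, "use_tls": False,
           "hostname_verification": True, "truststore_path": "/etc/dse/conf/ldap-truststore.jks"}

if __name__ == "__main__":
    for name, cfg in (("page example", PAGE_EXAMPLE), ("hardened", HARDENED), ("invalid", INVALID)):
        print(f"{name}: {check_ldap_options(cfg) or ['OK']}")
```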

LDAP settings for Role Management mode

There are two options for configuring LDAP for role management:

Get groups from user attribute

Configure DSE to get a list of groups from an attribute of the user entry:

    user_memberof_attribute: memberof
    group_search_type: memberof_search

Options for user attributes

user_memberof_attribute: memberof
    Attribute that contains a list of group names; role manager assigns the DSE roles that exactly match any name in the list. Unmatched groups are ignored.
    memberof is the name of the attribute that contains a list of groups in the default Microsoft Active Directory LDAP scheme. OpenLDAP does not have a memberof attribute by default.

group_search_type: memberof_search
    Recursively search for user entries using the user_search_base and user_search_filter.

Search all group objects

Configure DSE to search all group objects from the search base and return a list of groups that contain the user:

    group_search_type: directory_search
    group_search_base: <DN>
    group_search_filter: (uniquemember={0})
    group_name_attribute: <CN>

Options for group objects

group_search_type: directory_search
    Recursively search for group objects using the group_search_base.

group_search_base: <DN>
    Identifies the location at which role manager starts the recursive check for groups that contain the user. For example, to check all internal groups of example.com: cn=internal,ou=group,dc=example,dc=com.

group_search_filter: (uniquemember={0})
    Attribute that matches the user name. In most LDAP services the attribute is uniquemember. In the default Microsoft Active Directory LDAP scheme for a group, uniquemember corresponds to the attribute that contains the list of member users.

group_name_attribute: cn
    Attribute that contains the group name that role manager matches to a configured DSE role. The group name must match the DSE role name exactly, including case. Unmatched groups are ignored.
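To see how the directory_search options combine, the following Python script is an added example, not DSE code: it walks a constructed in-memory directory using the values from this section (group_search_base cn=internal,ou=group,dc=example,dc=com, filter (uniquemember={0}), group_name_attribute cn) and assumes {0} is replaced by the authenticated user's DN. The DSE role names are constructed too, with one differing from its group only in case.

```python
"""Simulation of the directory_search lookup above (added example, not DSE code).
A constructed in-memory directory stands in for the LDAP server. {0} in
group_search_filter is replaced with the authenticated user's DN (the value a
uniquemember holds; an assumption about what DSE substitutes), groups under
group_search_base listing that DN are collected, and each group's cn is matched
to the DSE role names exactly, including case. Unmatched groups are ignored."""
import re

# Constructed directory: DN -> attributes (every attribute is multi-valued).
DIRECTORY = {
    "cn=dse_admin,cn=internal,ou=group,dc=example,dc=com": {
        "cn": ["dse_admin"], "uniquemember": ["uid=alice,ou=users,dc=example,dc=com"]},
    "cn=analysts,cn=internal,ou=group,dc=example,dc=com": {
        "cn": ["analysts"], "uniquemember": ["uid=alice,ou=users,dc=example,dc=com",
                                            "uid=bob,ou=users,dc=example,dc=com"]},
    # Outside group_search_base, so never consulted even though bob is a member.
    "cn=dse_admin,ou=group,dc=example,dc=com": {
        "cn": ["dse_admin"], "uniquemember": ["uid=bob,ou=users,dc=example,dc=com"]},
}
GROUP_SEARCH_BASE = "cn=internal,ou=group,dc=example,dc=com"
GROUP_SEARCH_FILTER = "(uniquemember={0})"
GROUP_NAME_ATTRIBUTE = "cn"
DSE_ROLES = {"dse_admin", "Analysts", "cassandra"}  # constructed; note the capital A

def resolve_groups(directory, user_dn, base=GROUP_SEARCH_BASE,
                   search_filter=GROUP_SEARCH_FILTER, name_attr=GROUP_NAME_ATTRIBUTE):
    """Return the name_attr values of groups under base whose filter attribute holds user_dn."""
    m = re.fullmatch(r"\((\w+)=\{0\}\)", search_filter)  # only the (attr={0}) form is supported
    if m is None:
        raise ValueError(f"unsupported filter: {search_filter}")
    member_attr = m.group(1)
    names = []
    for dn, attrs in directory.items():
        if not dn.lower().endswith("," + base.lower()):  # subtree check; DNs compare case-insensitively
            continue
        if user_dn.lower() in (v.lower() for v in attrs.get(member_attr, [])):
            names.extend(attrs.get(name_attr, []))
    return names

def assign_roles(group_names, dse_roles=DSE_ROLES):
    """Exact, case-sensitive match of group names to DSE role names; the rest are ignored."""
    return sorted(g for g in group_names if g in dse_roles)

if __name__ == "__main__":
    for user in ("uid=alice,ou=users,dc=example,dc=com", "uid=bob,ou=users,dc=example,dc=com"):
        groups = resolve_groups(DIRECTORY, user)
        print(user, "->", groups, "->", assign_roles(groups))
```

Running it shows alice receiving only dse_admin, because her analysts group does not match the role named Analysts, and bob receiving no role at all, because his dse_admin membership lies outside group_search_base.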

Create roles and restart DSE

  1. If you are adding LDAP to an authentication-enabled DSE environment, DataStax recommends setting up roles for LDAP users and groups before restarting.

  2. Perform a rolling restart to implement the LDAP configuration changes.

© Copyright IBM Corporation 2026