Define an LDAP scheme

Hyper-Converged Database (HCD) supports LDAP for:

Authentication: HCD passes through the credentials to the configured LDAP.
Role management: HCD looks up the authenticated user and retrieves a list of LDAP groups and then matches LDAP group names to HCD role names.

Prerequisites

Locate the cassandra.yaml configuration file. The location of this file depends on your installation type.
- Package installations
- Tarball installations
/etc/hcd/cassandra/cassandra.yaml
INSTALLATION_LOCATION/resources/cassandra/conf/cassandra.yaml
Replace INSTALLATION_LOCATION with the path where you extracted the HCD tarball.
Complete Enabling HCD Unified Authentication with the following options:
- For authentication, ensure that authenticator.parameters.default_scheme: ldap or authenticator.parameters.additional_schemes: ldap is set in the cassandra.yaml file:
  authenticator: class_name: com.datastax.cassandra.auth.AdvancedAuthenticator parameters: ... scheme: ldap
- For role management, ensure that role_management_options.mode: ldap is set in the cassandra.yaml file:
  role_management_options: ... mode: ldap
Ensure that a supported LDAP v3 server is available.

HCD supports:
- Microsoft Active Directory (AD):
  - Windows 2008
  - Windows 2012
- OpenLDAP 2.4.x
- Oracle Directory Server Enterprise Edition 11.1.1.7.0

Procedure

On every node configure the LDAP options in the cassandra.yaml file under the authenticator.parameters section.

For multi-datacenter support, use the nearest available LDAP host.

Configure the following options when using an LDAP scheme for authentication or role management:

Example of AD authentication minimum settings:

ldap_options:
    server_host: win2012ad_server.mycompany.lan
    server_port: 389
    search_dn: cn=lookup_user,cn=users,dc=win2012domain,dc=mycompany,dc=lan
    search_password: lookup_user_password
    use_ssl: false
    use_tls: false
    hostname_verification: false
    truststore_path: <path/to/truststore>
    truststore_password: <passwordToTruststore>
    truststore_type: jks
    user_search_base: cn=users,dc=win2012domain,dc=mycompany,dc=lan
    user_search_filter: (sAMAccountName={0})

    credentials_validity_in_ms: 0
    search_validity_in_seconds: 0
    connection_pool:
        max_active: 8
        max_idle: 8

Configure all required settings:

Required LDAP settings
Option	Description
`server_host`	Host name of the LDAP server.
`server_port`	Port on which the LDAP server listens. The default port for unencrypted connections is 389. The default SSL port for LDAP is 636.
`search_dn`	Distinguished name (DN) of an account with read access to the `user_search_base` and `group_search_base`. Comment out to use an anonymous bind.
search_password	Password of the `search_dn` user.
`user_search_base`	Distinguished name (DN) of the object to start the recursive search for user entries for authentication and role management memberof searches. For example, to search all users in example.com, `ou=users,dc=example,dc=com`. Active Directory uses a different search base, typically `CN=search,CN=Users,DC=<ActDir_domname>,DC=internal`. For example, `CN=search,CN=Users,DC=example,DC=internal`.
`user_search_filter`	Attribute that identifies the user. The default setting is `(uid={0})`.When using Active Directory set the filter to `(sAMAccountName={0})`.

Configure optional settings:

Optional LDAP settings
Option	Description
`use_ssl`	Set to `true` to enable SSL connections to the LDAP server. If set to `true`, you might need to change `server_port` to the SSL port of the LDAP server.The default value is `false`.
use_tls	Set to `true` to enable TLS connections to the LDAP server. If set to `true`, change the `server_port` to the TLS port of the LDAP server. The default value is `false`.
`hostname_verification`	Sets whether hostname verification occurs for SSL/TLS connections. Enabling the hostname verification check requires the following conditions: Set `use_ssl` or `use_tls` to `true`. Set `truststore_path` so that it points to a valid truststore. A valid truststore has a certificate entry (`trustedCertEntry`), enabling verification of the certificate of the remote host. The certificate of the remote host has the Canonical Name (CN) or Subject Alternate Name (SAN) DNSName entry that matches the `server_host` configuration parameter. Set this `hostname_verification` property to `true` HCD throws a configuration exception if `hostname_verification` is `true` but the related conditions are not met. Default: `false`
`truststore_path`	The path to the truststore for SSL certificates.
`truststore_password`	The password to access the trust store.
`truststore_type`	The type of truststore. The default value is `jks`.
credentials_validity_in_ms	The duration period in milliseconds for the credential cache.To disable the cache, set it to `0`. The cache is disabled by default. With the cache enabled, HCD stores the user credentials locally during the specified time. Binding to a remote LDAP server takes time and resources, therefore enabling a credential cache usually results in faster performance following the initial authentication phase. Changes in user credentials on the LDAP server are not reflected in HCD during the cache period.
`search_validity_in_seconds`	The duration period in seconds for the search cache. To disable the cache, set it to `0`. The cache is disabled by default. Enabling a search cache improves performance by reducing the number of requests that are sent to the LDAP server. Changes in user data on the LDAP server are not reflected during the cache period.
`connection_pool`	The configuration settings for the connection pool for making LDAP requests.
`max_active`	The maximum number of active connections to the LDAP server. The default value is `8`.
`max_idle`	The maximum number of idle connections in the pool awaiting requests. The default value is `8`.

For Role Management mode ldap, choose one of the following:

Option 1. Configure HCD to get a list of groups from an attribute of the user entry:

    user_memberof_attribute: memberof
    group_search_type: memberof_search

memberof is the name of the attribute that contains a list of groups in the default Microsoft Active Directory LDAP scheme. OpenLDAP does not have a member of attribute by default.

Option Setting Description

user_memberof_attribute

memberof

Attribute that contains a list of group names; role manager assigns HCD roles that exactly match any in the list.

Unmatched groups are ignored.

group_search_type

memberof_search

Recursively search for user entries using the user_search_base and user_search_filter.

Option 2. Configure HCD to search all group objects from the search base and return a list of groups that contain the user:

    group_search_type: directory_search
    group_search_base: <DN>
    group_search_filter: (uniquemember={0})
    group_name_attribute: <CN>

uniquemember is the name of the attribute that contains a list of users in the default Microsoft Active Directory LDAP scheme for group.

Option Setting Description

group_search_type

directory_search

Recursively search for group objects using the group_search_base.

group_search_base

DN

Identifies the location that role manager starts the recursive check for groups that contain the user. For example, to check all internal groups of example.com: cn=internal ou=group,dc=example,dc=com.

group_search_filter

(uniquemember={0})

Attribute that matches the user name. In most LDAP services the attribute is uniquemember.

group_name_attribute

CN

Attribute that contains the group name that role manager matches to a configured HCD role. Group name must match the HCD role name exactly, including case.

Unmatched groups are ignored.

Perform a rolling restart to implement the changes.

When adding LDAP to and authentication enabled HCD environment, DataStax recommends setting up roles for LDAP users and groups before restarting.

Define an LDAP scheme

Prerequisites

Procedure

Was this helpful?

Give Feedback