DataStax Enterprise OpsCenter 6.8

Configuring LDAP

Configure LDAP (Lightweight Directory Access Protocol) for users accessing OpsCenter.

LDAP configuration is extremely flexible with many configuration options possible within OpsCenter. To peruse all of the available [ldap] configuration options, see OpsCenter configuration properties. This procedure provides a basic configuration example to authenticate a user based on searching for a user in both user and group categories.

Prerequisites

There must be a properly configured LDAP v3 server running. The supported LDAP servers are:

  • Microsoft Active Directory:

    • Windows 2008

    • Windows 2012

  • OpenLDAP 2.4.x

  • Oracle Directory Server Enterprise Edition 11.1.1.7.0

Additional requirements:

  • If your organization started with standard OpsCenter authentication and subsequently switched to implementing LDAP, delete the old passwd.db file.

  • Roles: If using LDAP groups, create and mirror in OpsCenter the user role names and permissions that are in LDAP. Role permissions are stored in OpsCenter, not LDAP. Users must have at least one role to be able to log in to OpsCenter when LDAP is enabled.

Procedure

  1. Locate the opscenterd.conf file. The location of this file depends on the type of installation:

    • Package installations: /etc/opscenter/opscenterd.conf

    • Tarball installations: install_location/conf/opscenterd.conf

  2. Open the opscenterd.conf file for editing.

  3. Add an [authentication] section with the following options:

    Option: Description

    passwd_db: Contains the required OpsCenter user role information.

    enabled: Set to True to enable LDAP authentication.

    authentication_method: Set to LDAP, even when configuring Active Directory.

    [authentication]
    passwd_db = ./passwd.db
    enabled = True
    authentication_method = LDAP

  4. Set the configuration for your LDAP server. Add an [ldap] section to opscenterd.conf with the following LDAP server options as appropriate for your LDAP implementation. Additionally, see the Example to understand an SSL LDAP configuration versus an Active Directory configuration.

    Table 1. LDAP server options
    Option Description

    server_host

    The host name of the LDAP server.

    server_port

    The port on which the LDAP server listens. For example, 389 or 636. For more information about ports, see OpsCenter ports.

      • 389 is the default port for non-SSL LDAP and AD.

      • 636 is the default port for SSL LDAP and AD.

    hostname_verification

    Sets whether hostname verification should happen for SSL/TLS connections.

    hostname_verification = True

    uri_scheme

    In LDAPv2 environments, TLS is normally started by using the LDAP Secure URI scheme (ldaps) instead of the normal LDAP URI scheme (ldap). OpenLDAP command line tools accept either scheme with the -H flag and with the URI option in ldap.conf(5). Defaults to ldap for ldap_security = None and to ldaps for ldap_security = SSL or TLS.

    search_dn

    The username of the user that is used to search for other users on the LDAP server. When a user attempts to authenticate with LDAP, OpsCenter searches for the user in LDAP to discover whether the user exists and which roles the user is associated with. The only permission that the search user needs to have in the LDAP system is the ability to perform LDAP searches.

    If the search_dn and search_password (that constitute the search user entry point for locating users in LDAP) are omitted from the configuration, LDAP attempts to make an anonymous bind to perform the user search.

    search_password

    The password of the search_dn user.

    user_search_base

    The search base for your domain, used to look up users. Set the ou and dc elements for your LDAP domain; the pattern is ou=users,dc=domain,dc=top-level-domain, for example ou=users,dc=example,dc=com. Active Directory uses a different user search base, of the form CN=search,CN=Users,DC=Active Directory domain name,DC=internal, for example CN=search,CN=Users,DC=example-sales,DC=internal.

    user_search_filter

    The LDAP search filter used to uniquely identify a user. The default setting is (uid={0}), which looks for a user by unique user identifier. The value of the {0} variable is the username provided when logging in to OpsCenter. When using Active Directory, set the filter to (sAMAccountName={0}).

    There is a known limitation in OpsCenter when using search filters for Active Directory. See troubleshooting LDAP.

    group_search_base

    The LDAP search base used to find a group. Example: ou=groups,dc=qaldap,dc=datastax,dc=lan

    group_search_filter

    Deprecated. The LDAP search filter used to find a user’s group. Example: (member=cn={0},ou=users,dc=nodomain). Within the group_search_base, filter for members based on cn. For existing Active Directory implementations that have this configuration option already set, the group_search_filter_with_dn overwrites the returned value with the user’s DN.

    group_search_filter_with_dn

    The LDAP search filter that is used to find a user’s group. Uses the full user’s 'DN' from a user search. Overrides the deprecated group_search_filter. Example: (member={0}).

    group_name_attribute

    The LDAP field name used to identify a group’s name. For example: cn.

    admin_group_name

    The name of the admin group or a comma-separated list of admin group names; for example: admin, superusers. OpsCenter automatically creates the roles with admin permissions for the roles provided in the admin_group_name list. Escape any restricted LDAP characters. If your group name contains restricted LDAP characters such as "," a comma, you must escape them. For example, two admin groups "foo , bar" and "baz" should be entered as: foo \, bar, baz

    user_memberof_attribute

    Set to the attribute on the user entry containing group membership information. Set this option when using a memberof_search for the group_search_type.

    OpsCenter allows for an alternate method of determining a user’s role. When using memberof_search, rather than doing a directory search in LDAP for any roles that match the user, only the user is inspected. You can specify which attribute for a user is inspected. For example, you can define a user with a new attribute such as opscenter_role and populate it with the user’s role in OpsCenter. Specify the value of the new attribute so that OpsCenter can inspect the user attribute.

    group_search_type

    Defines how group membership is determined for a user.

    Available options:

      • directory_search: (Default) Performs a subtree search of group_search_base using group_search_filter to filter the results.

      • memberof_search: Gets groups from the user_memberof_attribute of a user. Using this option requires the directory server to have memberof support. When using memberof_search rather than directory_search for group searches, you do not need to specify the group_search_base or group_search_filter options.

    user_memberof_stores_dn

    Set to True if the memberof attribute's value is the distinguished names of groups. This option must be set to True when configuring Active Directory or OpenLDAP, and whenever any other LDAP implementation returns a DN as the memberOf attribute value.

    Default: False.

    Set user_memberof_stores_dn to False if the attribute specified by user_memberof_attribute denotes 0 or more group names that correspond to the roles in OpsCenter. For example, if the user_memberof_attribute is set to employeeType, set the user_memberof_stores_dn option to False because the employeeType attribute value is not a distinguished name.

    If user_memberof_stores_dn is False, login fails, and OpsCenter suspects the group name might be a DN, a warning is logged: [opscenterd] WARN: It looks like you might be using Active Directory for authentication. You may need to set the 'user_memberof_attribute_stores_dn' config value to True and set the group_name_attribute config value appropriately in opscenterd.conf.

    ldap_security

    The type of security to use with LDAP: None, TLS, or SSL. When set to TLS, the connection is upgraded with StartTLS. Setting this option to TLS or SSL sets the uri_scheme to ldaps; setting it to None sets the uri_scheme to ldap.

    truststore

    Path to the truststore for SSL certificates.

    truststore_type

    Type of the truststore. Default: JKS (Java Keystore).

    truststore_pass

    The password to access the truststore.

    enforce_single_user_search_result

    Returns an error when multiple entries are returned from a user search after all applicable referrals are followed. Set to False if the user_search_base is not confined to one Organizational Unit (OU). Default: True.

    connection_timeout

    The number of seconds to wait before concluding that the LDAP server is down. Default: 20 seconds.

  5. Restart OpsCenter for the changes to take effect.

Example

SSL LDAP (OpenLDAP or Oracle) implementation

The following example configuration reflects a typical SSL LDAP (OpenLDAP or Oracle) implementation. The server_port value of 636 is for an SSL configuration.
If the search_dn and search_password options shown in lines 11 and 12 are omitted, LDAP attempts to make an anonymous bind to perform the user search.

This configuration example searches for a user in both user (user_search_base and user_search_filter) and group (group_search_base and group_search_filter_with_dn) categories to authenticate a user. The group_search_type (line 20) is directory_search.

The #user_search_base and #user_search_filter options are commented out in lines 15 and 16 because they are only applicable to an Active Directory (AD) configuration.

01 [authentication]
02 passwd_db = ./passwd.db
03 enabled = True
04 authentication_method = LDAP
05
06 [ldap]
07 server_host = ldap.myCompany.lan
08 server_port = 636
09 hostname_verification = true
10 uri_scheme = ldaps
11 search_dn = cn=admin,dc=devldap,dc=datastax,dc=lan
12 search_password = **
13 user_search_base = ou=users,dc=devldap,dc=datastax,dc=lan
14 user_search_filter = (uid={0})
15 #user_search_base = CN=search,CN=Users,DC=datastax,DC=internal # AD base
16 #user_search_filter = (sAMAccountName={0}) # AD filter
17 group_search_base = ou=users,dc=devldap,dc=datastax,dc=lan
18 group_search_filter_with_dn = (member={0})
19 group_name_attribute = cn
20 group_search_type = directory_search
21 admin_group_name = superusers,superusers2
22 ldap_security = SSL_TLS
23 truststore_type = JKS
24 truststore = ./truststore.jks
25 truststore_pass = secret

Active Directory (AD) for Windows 2008 implementation
The following example reflects an Active Directory (AD) for Windows 2008 configuration. Unlike the previous LDAP example for OpenLDAP or Oracle, this AD configuration sets user_search_base (line 13) and user_search_filter (line 14) to their Active Directory values. Note that the user search base for AD shown in line 13 differs in format from the LDAP example.

The user_memberof_stores_dn option in line 19 is explicitly set to True so that OpsCenter correctly handles the value of the user_memberof_attribute shown in line 18 as a distinguished name (DN). The user_memberof_stores_dn option is also applicable to an OpenLDAP configuration.

01 [authentication]
02 passwd_db = ./passwd.db
03 enabled = True
04 authentication_method = LDAP
05
06 [ldap]
07 server_host = mywin2008.myCompany.lan
08 server_port = 636
09 hostname_verification = true
10 uri_scheme = ldap
11 search_dn = CN=Administrator,CN=Users,DC=prodwin2008,DC=datastax,DC=lan
12 search_password = **
13 user_search_base = CN=Users,DC=prodwin2008,DC=datastax,DC=lan # AD base
14 user_search_filter = (sAMAccountName={0}) # AD filter
15 admin_group_name = superusers
16 group_search_type = memberof_search
17 group_name_attribute = cn
18 user_memberof_attribute = memberof
19 user_memberof_stores_dn = True
20 ldap_security = SSL_TLS
21 truststore_type = JKS
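The following linter, added here as an illustration and not part of OpsCenter, parses the [authentication] and [ldap] sections of an opscenterd.conf and checks them against the rules stated in the option table above (LDAP as the authentication method, anonymous bind when search_dn is omitted, truststore and hostname verification for SSL/TLS, the memberof_search and directory_search prerequisites, and escaped commas in admin_group_name). The sample configuration and the finding codes are constructed for this example.

```python
"""Lint opscenterd.conf LDAP settings against the rules on this page.
Added example, not OpsCenter code; sample config and codes are constructed."""
import configparser
import re

# Constructed sample modelled on the page's Active Directory example, with the
# truststore path and user_memberof_stores_dn deliberately left out.
SAMPLE_CONF = """
[authentication]
passwd_db = ./passwd.db
enabled = True
authentication_method = LDAP

[ldap]
server_host = mywin2008.myCompany.lan
server_port = 636
hostname_verification = true
search_dn = CN=Administrator,CN=Users,DC=prodwin2008,DC=datastax,DC=lan
search_password = **
user_search_base = CN=Users,DC=prodwin2008,DC=datastax,DC=lan # AD base
user_search_filter = (sAMAccountName={0}) # AD filter
admin_group_name = foo \\, bar, superusers
group_search_type = memberof_search
group_name_attribute = cn
user_memberof_attribute = memberof
ldap_security = SSL_TLS
truststore_type = JKS
"""


def parse_conf(text):
    """Parse opscenterd.conf text. A '#' after whitespace starts an inline
    comment (as in the page's listings); interpolation is off so the {0}
    placeholder in search filters is kept literally."""
    cp = configparser.ConfigParser(inline_comment_prefixes=("#",), interpolation=None)
    cp.read_string(text)
    return cp


def split_admin_groups(value):
    """Split admin_group_name on unescaped commas; '\\,' stays inside a name,
    so 'foo \\, bar, baz' yields the two groups 'foo , bar' and 'baz'."""
    parts = re.split(r"(?<!\\),", value)
    return [p.replace("\\,", ",").strip() for p in parts if p.strip()]


def lint_ldap(cp):
    """Return (code, message) findings; each rule maps to a table statement."""
    findings = []
    auth = cp["authentication"] if cp.has_section("authentication") else {}
    ldap = cp["ldap"] if cp.has_section("ldap") else {}

    if auth.get("authentication_method", "").upper() != "LDAP":
        findings.append(("auth_method", "authentication_method must be LDAP, also for Active Directory"))
    if "search_dn" not in ldap or "search_password" not in ldap:
        findings.append(("anon_bind", "search_dn/search_password omitted: user search uses an anonymous bind"))

    if ldap.get("ldap_security", "None").upper() == "NONE":
        findings.append(("no_tls", "ldap_security = None: bind credentials cross the network unencrypted"))
    else:
        if "truststore" not in ldap:
            findings.append(("no_truststore", "ldap_security is set but no truststore path is configured"))
        if ldap.get("hostname_verification", "True").lower() != "true":
            findings.append(("hostname_verification", "enable hostname_verification for SSL/TLS connections"))

    if ldap.get("group_search_type", "directory_search") == "memberof_search":
        if "user_memberof_attribute" not in ldap:
            findings.append(("memberof_attr", "memberof_search requires user_memberof_attribute"))
        if ldap.get("user_memberof_stores_dn", "False").lower() != "true":
            findings.append(("stores_dn", "set user_memberof_stores_dn = True when memberOf holds group DNs (AD, OpenLDAP)"))
    else:
        if "group_search_base" not in ldap:
            findings.append(("missing_group_search_base", "directory_search requires group_search_base"))
        if "group_search_filter_with_dn" not in ldap and "group_search_filter" not in ldap:
            findings.append(("missing_group_filter", "directory_search requires group_search_filter_with_dn"))
    return findings


def admin_roles(cp):
    """Group names that OpsCenter turns into roles with admin permissions."""
    return split_admin_groups(cp["ldap"].get("admin_group_name", ""))


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("admin roles:", admin_roles(conf))
    for code, message in lint_ldap(conf):
        print(f"[{code}] {message}")
```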

