Dynamically set LDAP Authenticator Connection Search Password
cassandra.yaml
The location of the cassandra.yaml file depends on the type of installation:
- Package installations: /etc/dse/cassandra/cassandra.yaml
- Tarball installations: installation_location/resources/cassandra/conf/cassandra.yaml
dse.yaml
The location of the dse.yaml file depends on the type of installation:
- Package installations: /etc/dse/dse.yaml
- Tarball installations: installation_location/resources/dse/conf/dse.yaml
With LDAP enabled on your nodes, you can dynamically set a new value for the DSE LdapAuthenticator bean's ConnectionSearchPassword attribute – without having to change static configuration in dse.yaml or system properties – by using a JMX console at runtime.
Prerequisites
If you haven't already, enable LDAP.
- Verify that authenticator is set to DseAuthenticator.
  authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator
- Verify that authorizer is set to DseAuthorizer.
  authorizer: com.datastax.bdp.cassandra.auth.DseAuthorizer
- Verify that role_manager is set to DseRoleManager.
  role_manager: com.datastax.bdp.cassandra.auth.DseRoleManager
In dse.yaml, verify that LDAP has been enabled via the definition of an LDAP Scheme.
If you updated cassandra.yaml or dse.yaml to enable LDAP and have not yet restarted, restart DSE on all nodes. See Starting DataStax Enterprise as a service or Starting DataStax Enterprise as a stand-alone process.
Procedure via a JMX console
With LDAP enabled and DSE running, use a JMX console to navigate to the LdapAuthenticator bean. This example uses JConsole.
- In JConsole, connect to the running DSE process, com.datastax.bdp.DseModule.
- On the MBeans tab, under com.datastax.bdp.core, navigate to the LdapAuthenticator bean. The ObjectName is com.datastax.bdp:type=core,name=LdapAuthenticator, and the interfaceClassName is com.datastax.bdp.cassandra.auth.LdapUtilsMXBean.
- Open the Attributes pane and enter a new password for ConnectionSearchPassword. Click into the Value column for the attribute.
  Attention: Never use passwords from documentation examples in your environment.
- Click Refresh. (The entered value is not displayed.)
Result: the new ConnectionSearchPassword password is dynamically activated and used by the DSE LDAP Authenticator.
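The same attribute write can be scripted with the standard javax.management remote API instead of JConsole, which helps when rotating the search password across several nodes. This is an added example, not DataStax code; it assumes JMX is reachable on port 7199 (override with host and port arguments) and that ConnectionSearchPassword accepts a String value. The class name SetLdapSearchPassword is hypothetical.

```java
import java.io.Console;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.management.Attribute;
import javax.management.MBeanAttributeInfo;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

public class SetLdapSearchPassword {
    // ObjectName and attribute name as given on this page.
    static final String BEAN = "com.datastax.bdp:type=core,name=LdapAuthenticator";
    static final String ATTR = "ConnectionSearchPassword";
    public static void main(String[] args) throws Exception {
        // Assumption: JMX listens on 127.0.0.1:7199 unless host and port are passed.
        String host = args.length > 0 ? args[0] : "127.0.0.1";
        String port = args.length > 1 ? args[1] : "7199";
        Console console = System.console();
        if (console == null) throw new IllegalStateException("run from an interactive terminal");
        // Prompt without echo so secrets never reach argv, shell history or process listings.
        Map<String, Object> env = new HashMap<>();
        String jmxUser = console.readLine("JMX user (empty if JMX auth is disabled): ");
        if (!jmxUser.isEmpty()) {
            char[] jmxPass = console.readPassword("JMX password: ");
            env.put(JMXConnector.CREDENTIALS, new String[] {jmxUser, new String(jmxPass)});
        }
        char[] newPass = console.readPassword("New LDAP search password: ");
        JMXServiceURL url = new JMXServiceURL(
            "service:jmx:rmi:///jndi/rmi://" + host + ":" + port + "/jmxrmi");
        try (JMXConnector jmxc = JMXConnectorFactory.connect(url, env)) {
            MBeanServerConnection mbsc = jmxc.getMBeanServerConnection();
            ObjectName name = new ObjectName(BEAN);
            // Confirm the attribute exists and is writable before sending the secret.
            boolean writable = false;
            for (MBeanAttributeInfo a : mbsc.getMBeanInfo(name).getAttributes()) {
                if (a.getName().equals(ATTR) && a.isWritable()) writable = true;
            }
            if (!writable) throw new IllegalStateException(ATTR + " is not writable on " + BEAN);
            // Assumption: the attribute takes a String value.
            mbsc.setAttribute(name, new Attribute(ATTR, new String(newPass)));
            System.out.println(ATTR + " updated on " + host + ":" + port);
        } finally {
            Arrays.fill(newPass, '\0'); // clear the prompt buffer
        }
    }
}
```

The new password travels over the JMX connection, so run this against localhost or against a JMX endpoint that has authentication and SSL enabled.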