Dynamically set LDAP Authenticator Connection Search Password


cassandra.yaml

The location of the cassandra.yaml file depends on the type of installation:

  • Package installations and Installer-Services installations:
    /etc/dse/cassandra/cassandra.yaml
  • Tarball installations and Installer-No Services installations:
    installation_location/resources/cassandra/conf/cassandra.yaml

dse.yaml

The location of the dse.yaml file depends on the type of installation:

  • Package installations and Installer-Services installations:
    /etc/dse/dse.yaml
  • Tarball installations and Installer-No Services installations:
    installation_location/resources/dse/conf/dse.yaml

With LDAP enabled on your nodes, you can dynamically set a new value for the DSE LdapAuthenticator bean's ConnectionSearchPassword attribute – without having to change static configuration in dse.yaml or system properties – by using a JMX console at runtime.

Prerequisites

If you haven't already, enable LDAP.

In cassandra.yaml, verify that DSE Unified Authentication and Authorization features are configured. The following settings are defined by default.
  • Verify that authenticator is set to DseAuthenticator.
    authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator
  • Verify that authorizer is set to DseAuthorizer.
    authorizer: com.datastax.bdp.cassandra.auth.DseAuthorizer
  • Verify that role_manager is set to DseRoleManager.
    role_manager: com.datastax.bdp.cassandra.auth.DseRoleManager

In dse.yaml, verify that LDAP has been enabled via the definition of an LDAP Scheme.

After any updates to cassandra.yaml and dse.yaml (to enable LDAP), restart DSE on all nodes if you haven't already. See Starting DataStax Enterprise as a service or Starting DataStax Enterprise as a stand-alone process.

Procedure via a JMX console

With LDAP enabled and DSE running, use a JMX console to navigate to the LdapAuthenticator bean. This example uses JConsole.

  1. In JConsole, connect to the running DSE process, com.datastax.bdp.DseModule. Example:

    [Screenshot: the initial Connection screen in JConsole]

  2. On the MBeans tab, under com.datastax.bdp.core, navigate to the LdapAuthenticator bean. The ObjectName is com.datastax.bdp:type=core,name=LdapAuthenticator, and the interfaceClassName is com.datastax.bdp.cassandra.auth.LdapUtilsMXBean.

    [Screenshot: the LdapAuthenticator bean on the MBeans tab of a running JConsole session]

  3. Open the Attributes pane and enter a new password for ConnectionSearchPassword. Click into the Value column for the attribute. Example:
    [Screenshot: setting a new value for the ConnectionSearchPassword attribute in JConsole]
    Attention: Never use passwords from documentation examples in your environment.
  4. Click Refresh. (The entered value is not displayed.)
  5. Result: the new ConnectionSearchPassword value is dynamically activated and used by the DSE LDAP Authenticator.