Defining an LDAP scheme
Configure an external LDAP server for authentication and/or role management.
DataStax Enterprise supports LDAP for:
- Authentication: DSE passes through the credentials to the configured LDAP.
- Role management: DSE looks up the authenticated user and retrieves a list of LDAP groups and then matches LDAP group names to DSE role names.
dse.yaml
The location of the dse.yaml file depends on the type of installation:
- Package installations: /etc/dse/dse.yaml
- Tarball installations: installation_location/resources/dse/conf/dse.yaml
Prerequisites
Complete Enabling DSE Unified Authentication with the following options:
- For authentication, ensure that authentication_options.scheme: ldap or authentication_options.other_scheme: ldap is set in dse.yaml:
  authentication_options:
    ...
    scheme: ldap
- For role management, ensure that role_management_options.mode: ldap is set in dse.yaml:
  role_management_options:
    ...
    mode: ldap
Ensure that a supported LDAP v3 server is available. DataStax Enterprise supports:
- Microsoft Active Directory:
- Windows 2008
- Windows 2012
- OpenLDAP 2.4.x
- Oracle Directory Server Enterprise Edition 11.1.1.7.0
Procedure
On every node, configure the LDAP options in dse.yaml.
Note: For multi-datacenter support, use the nearest available LDAP host.
- Configure the following options when using an LDAP scheme for authentication or role management. Example of Active Directory (AD) authentication minimum settings:
  ldap_options:
    server_host: win2012ad_server.mycompany.lan
    server_port: 389
    search_dn: cn=lookup_user,cn=users,dc=win2012domain,dc=mycompany,dc=lan
    search_password: lookup_user_password
    use_ssl: false
    use_tls: false
    hostname_verification: false
    truststore_path: path/to/truststore
    truststore_password: passwordToTruststore
    truststore_type: jks
    user_search_base: cn=users,dc=win2012domain,dc=mycompany,dc=lan
    user_search_filter: (sAMAccountName={0})
    credentials_validity_in_ms: 0
    search_validity_in_seconds: 0
    connection_pool:
      max_active: 8
      max_idle: 8
- For role management mode ldap, choose one of the following:
  - Option 1. Configure DSE to get a list of groups from an attribute of the user entry:
    user_memberof_attribute: memberof
    group_search_type: memberof_search
  Note: memberof is the name of the attribute that contains a list of groups in the default Microsoft Active Directory LDAP scheme. OpenLDAP does not have a memberof attribute by default.
  Table 1. Options for user attribute
  Option | Setting | Description
  user_memberof_attribute | memberof | Attribute that contains a list of group names; role manager assigns DSE roles that exactly match any in the list. Note: Unmatched groups are ignored.
  group_search_type | memberof_search | Recursively search for user entries using the user_search_base and user_search_filter.
  - Option 2. Configure DSE to search all group objects from the search base and return a list of groups that contain the user:
    group_search_type: directory_search
    group_search_base: DN
    group_search_filter: (uniquemember={0})
    group_name_attribute: CN
  Note: uniquemember is the name of the attribute that contains a list of users in the default Microsoft Active Directory LDAP scheme for groups.
  Table 2. Options for group objects
  Option | Setting | Description
  group_search_type | directory_search | Recursively search for group objects using the group_search_base.
  group_search_base | DN | Identifies the location where role manager starts the recursive check for groups that contain the user. For example, to check all internal groups of example.com: cn=internal,ou=group,dc=example,dc=com
  group_search_filter | (uniquemember={0}) | Attribute that matches the user name. In most LDAP services the attribute is uniquemember.
  group_name_attribute | cn | Attribute that contains the group name that role manager matches to a configured DSE role. The group name must match the DSE role name exactly, including case. Note: Unmatched groups are ignored.
- Perform a rolling restart to implement the changes.
Tip: When adding LDAP to an authentication-enabled DSE environment, DataStax recommends setting up roles for LDAP users and groups before restarting.
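As an added example that is not part of the DataStax documentation, the following Python script lints the ldap_options block described above: it flags the settings from the AD minimum example that leave the bind and user credentials unprotected on the wire (use_ssl and use_tls both false, hostname_verification false) and checks that each group_search_type carries the options its table requires. The parser handles only the flat key/value YAML subset used by ldap_options, and the sample configuration is constructed from the page.

```python
# Added example (not DataStax code): flag weak or inconsistent ldap_options in dse.yaml.
# Parses only the flat "key: value" YAML subset ldap_options uses, so PyYAML is not needed.

def parse_simple_yaml(text):
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open level
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:  # a dedent closes the inner mappings
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:  # "key:" with no value opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def lint_ldap_options(opts):
    """Return a list of findings for an ldap_options mapping; empty means none detected."""
    findings = []
    if opts.get("use_ssl") != "true" and opts.get("use_tls") != "true":
        findings.append("use_ssl and use_tls both off: bind and user credentials cross the network in cleartext")
    if opts.get("hostname_verification") != "true":
        findings.append("hostname_verification off: the server certificate is not checked against server_host")
    if "{0}" not in opts.get("user_search_filter", ""):
        findings.append("user_search_filter has no {0} placeholder for the login name")
    mode = opts.get("group_search_type")
    if mode == "memberof_search" and not opts.get("user_memberof_attribute"):
        findings.append("memberof_search requires user_memberof_attribute")
    if mode == "directory_search":
        for key in ("group_search_base", "group_search_filter", "group_name_attribute"):
            if not opts.get(key):
                findings.append(f"directory_search requires {key}")
    return findings

# Constructed sample: the page's AD minimum settings plus Option 1 (memberof) role lookup.
SAMPLE_DSE_YAML = """
ldap_options:
  server_host: win2012ad_server.mycompany.lan
  server_port: 389
  use_ssl: false
  use_tls: false
  hostname_verification: false
  user_search_filter: (sAMAccountName={0})
  user_memberof_attribute: memberof
  group_search_type: memberof_search
"""
```

Running lint_ldap_options(parse_simple_yaml(SAMPLE_DSE_YAML)["ldap_options"]) on the sample returns the two transport findings; setting use_ssl and hostname_verification to true clears them.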