LDAP system properties for DataStax Enterprise Authentication
Change LDAP system properties.
dse.yaml
The location of the dse.yaml file depends on the type of installation:
Package installations | /etc/dse/dse.yaml |
Tarball installations | installation_location/resources/dse/conf/dse.yaml |
- -Ddse.ldap.connection.timeout.ms
- The number of milliseconds before the connection times out.
Default:
- -Ddse.ldap.retry_interval.ms
- Allows you to set the time in milliseconds between subsequent retries when
authenticating via an LDAP server.
Default:
10
- -Ddse.ldap.pool.min.idle
- Finer control over the connection pool for the DataStax Enterprise LDAP authentication
connector. The min idle setting determines the minimum number of connections allowed
in the pool before the evictor thread will create new connections. This setting has no
effect if the evictor thread isn't configured to run.
Default:
- -Ddse.ldap.pool.exhausted.action
- Determines what the pool does when it is full. It can be one of:
fail - the pool will throw an exception
block - the pool will block for max wait ms (default)
grow - the pool will just keep growing (not recommended)
Default:
block
- -Ddse.ldap.pool.max.wait
- When the dse.ldap.pool.exhausted.action is block, sets the number of milliseconds to block the pool before throwing an exception.
Default:
- -Ddse.ldap.pool.test.borrow
- Tests a connection when it is borrowed from the pool.
Default:
- -Ddse.ldap.pool.test.return
- Tests a connection returned to the pool.
Default:
- -Ddse.ldap.pool.test.idle
- Tests any connections in the eviction loop that are not being evicted. Only works if
the time between eviction runs is greater than 0ms.
Default:
- -Ddse.ldap.pool.time.between.evictions
- Determines the time in ms (milliseconds) between eviction runs. When run with
dse.ldap.pool.test.idle, this becomes a basic keep-alive for connections.
Default:
- -Ddse.ldap.pool.num.tests.per.eviction
- Number of connections in the pool that are tested each connection run. If this is
set the same as max active (the pool size) then all connections will be tested each
eviction run.
Default:
- -Ddse.ldap.pool.min.evictable.idle.time.ms
- Determines the minimum time in ms (milliseconds) that a connection can sit in the
pool before it becomes available for eviction.
Default:
- -Ddse.ldap.pool.soft.min.evictable.idle.time.ms
- Determines the minimum time in ms (milliseconds) that a connection can sit in the pool
before it becomes available for eviction, with the proviso that the number of
connections doesn't fall below dse.ldap.pool.min.evictable.idle.time.ms.
Default:
Tune LDAP failover
Use the following properties to tune the failover behavior when multiple LDAP servers are
specified in dse.yaml.
- -Ddse.ldap.failover.retry_count
- Number of failover retries.
- -Ddse.ldap.failover.quarantine.opening.threshold
- Number of failovers allowed during the opening interval before the LDAP server is added to the quarantine list.
- -Ddse.ldap.failover.quarantine.opening.threshold
- Opening threshold time in milliseconds.
- -Ddse.ldap.failover.quarantine.close.threshold
- Threshold for the number of failures at which an LDAP server will be unquarantined.
Note: When an LDAP server is quarantined, there are still circumstances when it can be used. A server is chosen as follows:
- A server is selected which is unquarantined and whose connection pool has idle connections.
- If a server is not available, a server is selected which has just been unquarantined.
- If no servers meet those criteria, all servers are cycled through in round robin fashion.
1
, otherwise once a server is quarantined, it will remain quarantined until the LDAP subsystem is reset or the node is restarted.
- -Ddse.ldap.failover.quarantine.close.interval.ms
- Closing threshold time in milliseconds.
Tip: Lower -Ddse.ldap.connection.timeout.ms to improve LDAP performance by quarantining servers more quickly.
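
Several of the pool properties above only take effect in combination with others (max wait needs the block action, test idle and min idle need the evictor to run). The following check is an added example, not DataStax code: it extracts the -Ddse.ldap.* options from a JVM options string and reports those combinations. It assumes the evictor thread runs only when dse.ldap.pool.time.between.evictions is greater than 0 and that boolean properties are written as true/false; the sample option string is constructed.

```python
import re

# Matches -Ddse.ldap.<name>=<value> tokens in a JVM options string.
PROP_RE = re.compile(r"-D(dse\.ldap\.[\w.]+)=(\S+)")

def parse_ldap_props(jvm_opts):
    """Return {property: value} for every -Ddse.ldap.* option; the last one wins."""
    return dict(PROP_RE.findall(jvm_opts))

def _int(props, key):
    """Integer value of a property, or None when unset or non-numeric."""
    try:
        return int(props[key])
    except (KeyError, ValueError):
        return None

def lint_ldap_pool(props):
    """Return findings for combinations the property descriptions call out."""
    findings = []
    action = props.get("dse.ldap.pool.exhausted.action", "block")  # documented default
    if action not in ("fail", "block", "grow"):
        findings.append(f"exhausted.action={action!r} is not fail, block or grow")
    elif action == "grow":
        findings.append("exhausted.action=grow: pool keeps growing (not recommended)")
    if action != "block" and "dse.ldap.pool.max.wait" in props:
        findings.append("max.wait is set but only applies when exhausted.action is block")
    # Assumption: the evictor thread runs only when this interval is > 0.
    interval = _int(props, "dse.ldap.pool.time.between.evictions")
    evictor_off = interval is not None and interval <= 0
    # Assumption: boolean properties are written as true/false.
    if evictor_off and props.get("dse.ldap.pool.test.idle", "").lower() == "true":
        findings.append("test.idle=true has no effect: time.between.evictions is not > 0")
    if evictor_off and "dse.ldap.pool.min.idle" in props:
        findings.append("min.idle has no effect: the evictor thread is not running")
    return findings

# Constructed sample values for illustration, not recommended settings.
SAMPLE_OPTS = (
    "-Xmx8G -Ddse.ldap.pool.exhausted.action=grow "
    "-Ddse.ldap.pool.max.wait=5000 -Ddse.ldap.pool.test.idle=true "
    "-Ddse.ldap.pool.time.between.evictions=0 -Ddse.ldap.pool.min.idle=2"
)

if __name__ == "__main__":
    for finding in lint_ldap_pool(parse_ldap_props(SAMPLE_OPTS)):
        print("WARN:", finding)
```

A property that is not set explicitly is not flagged, because its effective value then depends on the product default.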