LDAP system properties for DataStax Enterprise Authentication

Change LDAP system properties.

dse.yaml

The location of the dse.yaml file depends on the type of installation:
  • Package installations: /etc/dse/dse.yaml
  • Tarball installations: installation_location/resources/dse/conf/dse.yaml

-Ddse.ldap.connection.timeout.ms
The number of milliseconds before the connection times out.

Default:

-Ddse.ldap.retry_interval.ms
Allows you to set the time in milliseconds between subsequent retries when authenticating via an LDAP server.

Default: 10

-Ddse.ldap.pool.min.idle
Provides finer control over the connection pool for the DataStax Enterprise LDAP authentication connector. The min idle setting determines the minimum number of connections allowed in the pool before the evictor thread creates new connections. This setting has no effect if the evictor thread isn't configured to run.

Default:

-Ddse.ldap.pool.exhausted.action
Determines what the pool does when it is full. It can be one of:
  • fail - the pool throws an exception
  • block - the pool blocks for dse.ldap.pool.max.wait milliseconds (default)
  • grow - the pool keeps growing (not recommended)

Default: block

-Ddse.ldap.pool.max.wait
When dse.ldap.pool.exhausted.action is block, sets the number of milliseconds the pool blocks before throwing an exception.

Default:

-Ddse.ldap.pool.test.borrow
Tests a connection when it is borrowed from the pool.

Default:

-Ddse.ldap.pool.test.return
Tests a connection returned to the pool.

Default:

-Ddse.ldap.pool.test.idle
Tests any connections in the eviction loop that are not being evicted. Only works if the time between eviction runs (dse.ldap.pool.time.between.evictions) is greater than 0 ms.

Default:

-Ddse.ldap.pool.time.between.evictions
Determines the time in milliseconds between eviction runs. When used together with dse.ldap.pool.test.idle, this becomes a basic keep-alive for connections.

Default:

-Ddse.ldap.pool.num.tests.per.eviction
Number of connections in the pool that are tested on each eviction run. If this is set to the same value as max active (the pool size), all connections are tested on each eviction run.

Default:

-Ddse.ldap.pool.min.evictable.idle.time.ms
Determines the minimum time in milliseconds that a connection can sit in the pool before it becomes available for eviction.

Default:

-Ddse.ldap.pool.soft.min.evictable.idle.time.ms
Determines the minimum time in milliseconds that a connection can sit in the pool before it becomes available for eviction, with the proviso that the number of connections does not fall below dse.ldap.pool.min.evictable.idle.time.ms.

Default:

Tune LDAP failover

Use the following properties to tune the failover behavior when multiple LDAP servers are specified in dse.yaml.

-Ddse.ldap.failover.retry_count
Number of failover retries.

Default: the number of configured LDAP servers.

-Ddse.ldap.failover.quarantine.opening.threshold
Number of failovers allowed during the opening interval before the LDAP server is added to the quarantine list.

Default: 3

-Ddse.ldap.failover.quarantine.opening.threshold
Opening threshold time in milliseconds.

Default: 10000

-Ddse.ldap.failover.quarantine.close.threshold
Threshold for the number of failures at which an LDAP server is unquarantined.
Note: When an LDAP server is quarantined, there are still circumstances in which it can be used. A server is chosen as follows:
  1. A server is selected that is unquarantined and whose connection pool has idle connections.
  2. If no such server is available, a server is selected that has just been unquarantined.
  3. If no servers meet those criteria, all servers are cycled through in round-robin fashion.
The parameter must be at least 1; otherwise, once a server is quarantined, it remains quarantined until the LDAP subsystem is reset or the node is restarted.

Default: 1

-Ddse.ldap.failover.quarantine.close.interval.ms
Closing threshold time in milliseconds.

Default: 10000

Tip: Lower -Ddse.ldap.connection.timeout.ms to improve LDAP performance by quarantining servers more quickly.
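The three-step server selection order from the note above, together with the opening threshold/interval and the close threshold, as a small simulation added here for illustration (not DSE's code). Server names and failover timestamps are constructed; because the page does not say which event the close threshold counts, the model assumes a successful use of a quarantined server (reached via step 3).

```python
from collections import deque

class LdapServer:
    # Constructed model of one LDAP server entry from dse.yaml (not DSE's class).
    def __init__(self, name, idle_connections=0):
        self.name = name
        self.idle_connections = idle_connections  # idle connections in its pool
        self.quarantined = self.just_unquarantined = False
        self.failure_times = deque()              # failover timestamps in ms
        self.quarantine_events = 0                # counted toward the close threshold

class FailoverSelector:
    # Models the documented selection order and the opening/close thresholds.
    def __init__(self, servers, opening_threshold=3, opening_interval_ms=10000,
                 close_threshold=1):
        self.servers = list(servers)
        self.opening_threshold, self.opening_interval_ms = opening_threshold, opening_interval_ms
        self.close_threshold = max(1, close_threshold)  # page: must be at least 1
        self.round_robin = 0

    def select(self):
        # 1. An unquarantined server whose pool has idle connections.
        for s in self.servers:
            if not s.quarantined and s.idle_connections > 0:
                return s
        # 2. Otherwise a server that has just been unquarantined.
        for s in self.servers:
            if s.just_unquarantined:
                s.just_unquarantined = False
                return s
        # 3. Otherwise cycle through all servers, quarantined ones included.
        s = self.servers[self.round_robin % len(self.servers)]
        self.round_robin += 1
        return s

    def record_failover(self, s, now_ms):
        # Drop failovers older than the opening interval; quarantine at the threshold.
        s.failure_times.append(now_ms)
        while now_ms - s.failure_times[0] > self.opening_interval_ms:
            s.failure_times.popleft()
        if not s.quarantined and len(s.failure_times) >= self.opening_threshold:
            s.quarantined, s.quarantine_events = True, 0

    def record_success(self, s):
        # Assumption: a success on a quarantined server (via step 3) counts toward the close threshold.
        if s.quarantined:
            s.quarantine_events += 1
            if s.quarantine_events >= self.close_threshold:
                s.quarantined, s.just_unquarantined = False, True
                s.failure_times.clear()
```

With the default close threshold of 1, a single success on a quarantined server releases it; a close threshold of 0 would never release it, which is why the model floors it at 1.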