@mpenick
Created August 16, 2022 17:04
Using LDAP with Stargate and DSE
# bootstrap.ldif: test file that creates a single group "sys_admin" and two users, "test" and "test2"
# Passwords are always: test
version: 1
# Entry 1: ou=groups,dc=example,dc=org
dn: ou=groups,dc=example,dc=org
objectclass: organizationalUnit
objectclass: top
ou: groups
# Entry 2: cn=sys_admin,ou=groups,dc=example,dc=org
dn: cn=sys_admin,ou=groups,dc=example,dc=org
cn: sys_admin
objectclass: groupOfUniqueNames
objectclass: top
uniquemember: uid=test,ou=users,dc=example,dc=org
uniquemember: uid=test2,ou=users,dc=example,dc=org
# Entry 3: ou=users,dc=example,dc=org
dn: ou=users,dc=example,dc=org
objectclass: organizationalUnit
objectclass: top
ou: users
# Entry 4: uid=test,ou=users,dc=example,dc=org
dn: uid=test,ou=users,dc=example,dc=org
objectclass: account
objectclass: simpleSecurityObject
objectclass: top
uid: test
userpassword: {MD5}CY9rzUYh03PK3k6DJie09g==
# Entry 5: uid=test2,ou=users,dc=example,dc=org
dn: uid=test2,ou=users,dc=example,dc=org
objectclass: account
objectclass: simpleSecurityObject
objectclass: top
uid: test2
userpassword: {MD5}CY9rzUYh03PK3k6DJie09g==
# cassandra.yaml (fragment): enable the DSE authn/authz mechanisms
authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator
authorizer: com.datastax.bdp.cassandra.auth.DseAuthorizer
role_manager: com.datastax.bdp.cassandra.auth.DseRoleManager
# Minimal dse.yaml to support LDAP w/ a test server on localhost
authentication_options:
    enabled: true
    default_scheme: internal
    other_schemes:
        - ldap
role_management_options:
    mode: ldap
ldap_options:
    server_host: localhost
    server_port: 389
    search_dn: cn=admin,dc=example,dc=org
    search_password: admin
    use_ssl: false
    use_tls: false
    user_search_base: ou=users,dc=example,dc=org
    user_search_filter: (userid={0})
    group_search_type: directory_search
    group_search_base: ou=groups,dc=example,dc=org
    group_search_filter: (uniquemember={0})
    group_name_attribute: cn
    credentials_validity_in_ms: 0
    search_validity_in_seconds: 0
    connection_pool:
        max_active: 8
        max_idle: 8
internode_messaging_options:
    port: 8609
#!/usr/bin/env bash
# ldap.sh: start a throwaway OpenLDAP container seeded with bootstrap.ldif
# (expects bootstrap.ldif in the current directory)
set -euo pipefail
docker run -p 389:389 -p 636:636 --name ldap-service --hostname ldap-service \
  --rm --detach \
  --volume "$(pwd)/bootstrap.ldif:/container/service/slapd/assets/config/bootstrap/ldif/50-bootstrap.ldif" \
  osixia/openldap:1.5.0 --copy-service
# Optionally start phpLDAPadmin as well: PHPLDAPADMIN=1 ./ldap.sh
if [ -n "${PHPLDAPADMIN:-}" ]; then
  docker run --name phpldapadmin-service --hostname phpldapadmin-service --link ldap-service:ldap-host \
    --env PHPLDAPADMIN_LDAP_HOSTS=ldap-host --rm --detach osixia/phpldapadmin:0.9.0
  PHPLDAP_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" phpldapadmin-service)
  echo "Go to: https://$PHPLDAP_IP"
  echo "Login DN: cn=admin,dc=example,dc=org"
  echo "Password: admin"
fi

Using LDAP with Stargate and DSE

Steps

  • Start an LDAP server
    • Download ldap.sh and bootstrap.ldif to the same directory
    • chmod +x ldap.sh
    • Run ./ldap.sh
  • Create a DSE cluster using LDAP (this uses CCM, but the instructions should apply generally)
    • Download dse.yaml
    • Create cluster (3 nodes): ccm create -n 3 -b -i 127.0.0.1 -v 6.8.24 --dse cluster
    • Update the dse.yaml configuration: ccm updatedseconf -y "$(cat dse.yaml)"
    • Start the cluster: ccm start
    • Add a new role: echo "CREATE ROLE sys_admin WITH LOGIN = true AND SUPERUSER = true;" | cqlsh -u cassandra -p cassandra 127.0.0.11
    • Test LDAP users: cqlsh -u test -p test 127.0.0.11 and cqlsh -u test2 -p test 127.0.0.11
  • Run Stargate:
    • Download both cassandra.yaml and dse.yaml
    • Run stargate:
      JAVA_OPTS="-Dstargate.unsafe.cassandra_config_path=./cassandra.yaml -Dstargate.unsafe.dse_config_path=./dse.yaml" ./starctl \
        --cluster-name cluster --cluster-seed 127.0.0.11 \
        --dc Cassandra --rack rack1 --cluster-version 6.8 --dse \
        --listen 127.0.0.1 --bind-to-listen-address --jmx-port 7001
    • Test LDAP user (through Stargate): cqlsh -u test -p test 127.0.0.1 and cqlsh -u test2 -p test 127.0.0.1
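To see how bootstrap.ldif, the ldap_options in dse.yaml and the "Test LDAP users" step fit together, here is an added Python example (my own code, not part of the gist and not DSE's implementation). It replays the lookup the configuration describes against the gist's LDIF pasted inline: find the user entry with user_search_filter, check the password, then find the groups with group_search_filter and take group_name_attribute as the DSE role name, which is why the README creates a DSE role called sys_admin. It assumes DSE's directory_search mode works as the option names suggest; the real server verifies the password by binding as the user, and the {MD5} comparison here stands in for that bind. It also relies on OpenLDAP's core schema defining userid as an alternative name for uid, which is what makes the gist's (userid={0}) filter match entries that only set uid.

```python
"""Simulate the LDAP user/group lookup that the gist's dse.yaml configures.

Added example, not code from the gist or from DSE. The LDIF below is the
gist's bootstrap.ldif (comments dropped); the {MD5} password check mirrors
what an OpenLDAP server does for that userPassword scheme.
"""
import base64
import hashlib
import hmac
import re

# The gist's bootstrap.ldif, inlined so the example runs offline.
BOOTSTRAP_LDIF = """\
dn: ou=groups,dc=example,dc=org
objectclass: organizationalUnit
ou: groups

dn: cn=sys_admin,ou=groups,dc=example,dc=org
cn: sys_admin
objectclass: groupOfUniqueNames
uniquemember: uid=test,ou=users,dc=example,dc=org
uniquemember: uid=test2,ou=users,dc=example,dc=org

dn: ou=users,dc=example,dc=org
objectclass: organizationalUnit
ou: users

dn: uid=test,ou=users,dc=example,dc=org
objectclass: account
uid: test
userpassword: {MD5}CY9rzUYh03PK3k6DJie09g==

dn: uid=test2,ou=users,dc=example,dc=org
objectclass: account
uid: test2
userpassword: {MD5}CY9rzUYh03PK3k6DJie09g==
"""

# The lookup-related ldap_options from the gist's dse.yaml.
LDAP_OPTIONS = {
    "user_search_base": "ou=users,dc=example,dc=org",
    "user_search_filter": "(userid={0})",
    "group_search_base": "ou=groups,dc=example,dc=org",
    "group_search_filter": "(uniquemember={0})",
    "group_name_attribute": "cn",
}

# OpenLDAP's core schema lists "userid" as an alternative name of "uid",
# so a (userid=...) filter matches entries that only carry uid.
ATTRIBUTE_ALIASES = {"userid": "uid"}


def parse_ldif(text):
    """Return {dn: {attr: [values]}} for a minimal LDIF (no folding, no base64 values)."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def search(entries, base, filter_template, value):
    """Evaluate a single equality filter such as (attr={0}) under a search base."""
    m = re.fullmatch(r"\((\w+)=\{0\}\)", filter_template)
    if not m:
        raise ValueError("only single equality filters with {0} are supported")
    attr = ATTRIBUTE_ALIASES.get(m.group(1).lower(), m.group(1).lower())
    suffix = "," + base.lower()  # entries below the base, not the base itself
    return [
        dn for dn, attrs in entries.items()
        if dn.lower().endswith(suffix)
        and value.lower() in (v.lower() for v in attrs.get(attr, []))
    ]


def check_password(stored, candidate):
    """Verify an OpenLDAP {MD5} userPassword value (base64 of the raw digest)."""
    if not stored.startswith("{MD5}"):
        raise ValueError("unsupported password scheme: " + stored.split("}")[0] + "}")
    digest = base64.b64decode(stored[len("{MD5}"):])
    return hmac.compare_digest(digest, hashlib.md5(candidate.encode()).digest())


def authenticate(entries, opts, username, password):
    """Return the sorted DSE role names for a user, or None if the login fails."""
    matches = search(entries, opts["user_search_base"], opts["user_search_filter"], username)
    if len(matches) != 1:  # unknown user, or an ambiguous match: reject
        return None
    user_dn = matches[0]
    stored = entries[user_dn].get("userpassword", [""])[0]
    if not stored or not check_password(stored, password):
        return None
    # directory_search mode: look the user's DN up in the group entries and
    # use group_name_attribute (cn here) as the DSE role name.
    groups = search(entries, opts["group_search_base"], opts["group_search_filter"], user_dn)
    return sorted(entries[g][opts["group_name_attribute"]][0] for g in groups)


ENTRIES = parse_ldif(BOOTSTRAP_LDIF)

if __name__ == "__main__":
    for user, pw in [("test", "test"), ("test2", "test"), ("test", "wrong"), ("nobody", "test")]:
        print(f"{user}/{pw} -> {authenticate(ENTRIES, LDAP_OPTIONS, user, pw)}")
```

Running it shows test and test2 both resolving to the role sys_admin (the group's cn), while a wrong password or an unknown uid yields None; the cqlsh logins in the steps above succeed for exactly the same reason, since the sys_admin role created in DSE is the one the LDAP group name maps to.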