Guest Access to Search for DNs

In an LDAP system, users are hierarchically organized in the directory as a set of entries. An entry is a set of name-attribute pairs identified by a unique name, called a DN (distinguished name).

An entry is unambiguously identified by its DN, which is the concatenation of selected attributes from each entry along the path from the root of the tree down to the named entry, ordered from right to left (the root is the rightmost component). For example, a DN for a user might look like either of these:

cn=mary,ou=People,dc=example,dc=com

uid=mary,ou=People,dc=example,dc=com

The attributes an entry may carry (and which are required) are defined by the entry's objectClass.

An LDAP client can bind to the directory (successfully log in) if it provides a user ID and password. The user ID must be a DN, the fully qualified list of names and attributes. This means that the user must provide a very long name.

Typically, the user knows only a simple user name (for example, the first part of the DN above, mary). With GemFire XD, you do not need the full DN, because an LDAP client (GemFire XD) can go to the directory first as a guest or even an anonymous user, search for the full DN, then rebind to the directory using the full DN (and thus authenticate the user).

GemFire XD typically initiates a search for a full DN before binding to the directory using the full DN for user authentication. GemFire XD does not initiate a search in the following cases:

For more information, see gemfirexd.auth-ldap-search-filter.

Some systems permit anonymous searches; others require a user DN and password. You can specify a user's DN and password for the search with the properties listed below. In addition, you can limit the scope of the search by specifying a filter (the definition of the object class for the user) and a base (the directory entry from which to begin the search) with the properties listed below.

Note: Each of the following properties must be specified as a system property when you boot a GemFire XD peer. For example, when booting a new GemFire XD server with gfxd, use the command-line option -J-Dgemfirexd.auth-ldap-search-base=searchbase.

To narrow the search, you can specify a user's objectClass.

Example LDAP Search Configuration

For example, consider the following LDAP search invoked using the OpenLDAP ldapsearch tool:
# -b: base DN; -x: simple (non-SASL) authentication; -D: bind DN;
# -w: bind password; final argument: search filter
ldapsearch -b ou=users,dc=domain,dc=com \
     -x \
     -D uid=test,ou=ldapTesting,dc=domain,dc=com \
     -w test \
     "(&(objectClass=user)(uid=user1))"
To configure this search with GemFire XD you would use the properties:
gemfirexd.auth-ldap-search-base=ou=users,dc=domain,dc=com
gemfirexd.auth-ldap-search-filter=(&(objectClass=user)(uid=%USERNAME%))
gemfirexd.auth-ldap-search-dn=uid=test,ou=ldapTesting,dc=domain,dc=com
gemfirexd.auth-ldap-search-pw=test
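As an added illustration (not GemFire XD's own code), the search-then-rebind flow described above, driven by the four properties just listed; the search and bind callbacks, the config values and the directory contents are assumptions made for this example.

```python
# Constructed example: the search-then-rebind flow driven by the four
# gemfirexd.auth-ldap-search-* properties (values constructed for this example).
CONFIG = {
    "gemfirexd.auth-ldap-search-base": "ou=users,dc=domain,dc=com",
    "gemfirexd.auth-ldap-search-filter": "(&(objectClass=user)(uid=%USERNAME%))",
    "gemfirexd.auth-ldap-search-dn": "uid=test,ou=ldapTesting,dc=domain,dc=com",
    "gemfirexd.auth-ldap-search-pw": "test",
}

# RFC 4515: meta-characters inside a filter assertion value are written as a
# backslash followed by two hex digits, so the substituted login name is always
# a single assertion value and cannot change the structure of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template, username):
    """Substitute the simple login name into the %USERNAME% placeholder."""
    return template.replace("%USERNAME%", escape_filter_value(username))


def is_under_base(dn, base):
    """True if dn is the base itself or lies beneath it (simplified,
    case-insensitive comparison of the comma-separated RDNs)."""
    norm = lambda s: ",".join(p.strip().lower() for p in s.split(","))
    return norm(dn) == norm(base) or norm(dn).endswith("," + norm(base))


def authenticate(cfg, username, password, search, bind):
    """Two-step login. search(base, filter, bind_dn, bind_pw) returns the DNs
    matching the filter; bind(dn, password) returns True on success. Both are
    caller-supplied callbacks (hypothetical signatures, not GemFire XD's API)."""
    base = cfg["gemfirexd.auth-ldap-search-base"]
    flt = build_search_filter(cfg["gemfirexd.auth-ldap-search-filter"], username)
    # Step 1: look up the full DN as the configured search user
    # (or anonymously when no search DN is configured).
    found = search(base, flt, cfg.get("gemfirexd.auth-ldap-search-dn"),
                   cfg.get("gemfirexd.auth-ldap-search-pw"))
    # Exactly one entry must match, and it must sit under the search base.
    if len(found) != 1 or not is_under_base(found[0], base):
        return None
    # Step 2: rebind as that full DN with the user's own password.
    return found[0] if bind(found[0], password) else None
```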