Configure GemFire XD to Use Your LDAP Directory Service

When configuring GemFire XD to use LDAP as your authentication service, you must specify which LDAP server to use.

Procedure

  1. Set the auth-provider property to "LDAP" when you start each locator and server in the GemFire XD distributed system.
  2. When you set the auth-provider property to "LDAP," GemFire XD uses LDAP for authenticating distributed system members as well as clients to the distributed system. For this reason, GemFire XD members must supply the user option (and optionally, the password option) at startup. If you omit the password option, the GemFire XD member prompts you for a password at the command line.
  3. Set the gemfirexd.auth-ldap-server property to the URL to the LDAP server. For example:
    gemfirexd.auth-ldap-server=ldap://server:port/

    You can specify the LDAP server as a bare server name, as a server name and port number separated by a colon, or as a full "ldap" URL. If a full URL is not provided, GemFire XD uses unencrypted LDAP by default. To use SSL-encrypted LDAP, provide a URL starting with "ldaps://".

    Note: This property must be specified either as a Java system property or in the gemfirexd.properties file. For example, when booting a new GemFire XD server with gfxd, you could use the command-line option -J-Dgemfirexd.auth-ldap-server=ldaps://server:port/ to specify the Java system property.

  4. If you use SSL-encrypted LDAP and your LDAP server certificate is not recognized by a valid Certificate Authority (CA), create a local trust store for each GemFire XD member and import the LDAP server certificate to the trust store. See http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore for more information.
  5. If you created a local trust store in step 4, include the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties when you start individual GemFire XD members. For example:
    gfxd server start -dir=./server -locators=localhost[10101] -client-port=1528 -auth-provider=LDAP \
                       -J-Dgemfirexd.auth-ldap-server=ldaps://ldapserver:636/ -user=user_name -password=user_pwd \
                       -J-Dgemfirexd.auth-ldap-search-dn=uid=gemfirexd1,ou=ldapExample,dc=gemstone,dc=com  \
                       -J-Dgemfirexd.auth-ldap-search-pw=gemfirexd1 \
                       -J-Dgemfirexd.auth-ldap-search-base=ou=ldapTesting,dc=gemstone,dc=com \
                       -J-Djavax.net.ssl.trustStore=/Users/yozie/gfxd/keystore_name \
                       -J-Djavax.net.ssl.trustStorePassword=keystore_password
    Note: javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword must be specified as Java system properties (using the -J option on the gfxd command line).
Note: LDAP server and search properties must be set to the same value for each member of the GemFire XD distributed system. However, individual GemFire XD members can be started using different authenticated user credentials, trust stores, and so forth.
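As an added example (not part of the GemFire XD documentation or product), the following POSIX shell functions apply the rules above before a member is started: ldap_scheme classifies a gemfirexd.auth-ldap-server value (bare host, host:port, ldap:// or ldaps://) the way the procedure describes, and audit_ldap_props checks a gemfirexd.properties file for auth-provider=LDAP and an ldaps:// URL, optionally verifying that the member's trust store file is readable. The function names and the properties-file layout are this example's own assumptions.

```shell
# Added example, not GemFire XD code. Mirrors the rules in the procedure:
# only an explicit ldaps:// URL is encrypted; a bare host, host:port or
# ldap:// URL all mean plain, unencrypted LDAP.
ldap_scheme() {
    case "$1" in
        ldaps://*) echo ldaps ;;
        *)         echo ldap ;;    # no scheme or ldap://: unencrypted by default
    esac
}

# Audit a gemfirexd.properties file ($1) before starting a member.
# Optional $2 is the trust store path that will be passed as
# -J-Djavax.net.ssl.trustStore; it must be readable on this member.
# Returns 0 when auth-provider is LDAP, the server URL is ldaps:// and the
# trust store (if given) is readable; otherwise prints the reason and returns 1.
audit_ldap_props() {
    props=$1
    truststore=${2:-}
    # Last assignment wins, as with Java properties files.
    provider=$(sed -n 's/^auth-provider=//p' "$props" | tail -n 1)
    server=$(sed -n 's/^gemfirexd\.auth-ldap-server=//p' "$props" | tail -n 1)
    if [ "$provider" != "LDAP" ]; then
        echo "auth-provider is '$provider', not LDAP"; return 1
    fi
    if [ -z "$server" ]; then
        echo "gemfirexd.auth-ldap-server is not set"; return 1
    fi
    if [ "$(ldap_scheme "$server")" != "ldaps" ]; then
        echo "member credentials would be sent unencrypted to $server"; return 1
    fi
    if [ -n "$truststore" ] && [ ! -r "$truststore" ]; then
        echo "trust store $truststore is not readable on this member"; return 1
    fi
    echo "ok: $server"
}
```

Run audit_ldap_props on each member's gemfirexd.properties (and its trust store path) from the start script so a misconfigured member fails before it joins the distributed system.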