Configuring GemFire XD for LDAP

When you configure GemFire XD to use LDAP as your authentication service, you must specify which LDAP server to use.

Restrictions and Performance Guidelines
Procedure

Restrictions and Performance Guidelines

GemFire XD does not support LDAP groups.
For performance reasons, the LDAP directory server should be in the same LAN as GemFire XD. GemFire XD does not cache the user's credential information locally and thus must connect to the directory server every time a user connects.
Connection requests that provide the full DN are faster than those that must search for the full DN.

Procedure

Set the auth-provider property to "LDAP" when you start each locator and server in the GemFire XD distributed system.
When you set the auth-provider property to "LDAP," GemFire XD uses LDAP for authenticating all distributed system members as well as clients to the distributed system. For this reason, GemFire XD members must supply the user and password properties at startup. If you omit a value for the password property when starting a GemFire XD member, then the member prompts you for a password at the command line.
Set the gemfirexd.auth-ldap-server property to the URL to the LDAP server. For example:
```
gemfirexd.auth-ldap-server=ldap://server:port/
```
You can specify the LDAP server with only the server name, and its port number separated by a colon, or as an "ldap" URL. If a full URL is not provided, GemFire XD uses unencrypted LDAP by default. To use SSL-encrypted LDAP you must provide a URL that starts with "ldaps://".

Note: You must specify this property as a Java system property. For example, when you start a new GemFire XD server with gfxd, use the command-line option -J-Dgemfirexd.auth-ldap-server=ldaps://server:port/ to specify the property.
If you use SSL-encrypted LDAP and your LDAP server certificate is not recognized by a valid Certificate Authority (CA), create a local trust store for each GemFire XD member and import the LDAP server certificate to the trust store. See http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore for more information.

If you performed step 3, specify the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties when you start individual GemFire XD members. For example:

gfxd server start -dir=./server -locators=localhost[10101] -client-port=1528 -auth-provider=LDAP \
                   -J-Dgemfirexd.auth-ldap-server=ldaps://ldapserver:636/ -user=user_name -password=user_pwd \
                   -J-Dgemfirexd.auth-ldap-search-dn=uid=gemfirexd1,ou=ldapExample,dc=gemstone,dc=com  \
                   -J-Dgemfirexd.auth-ldap-search-pw=gemfirexd1 \
                   -J-Dgemfirexd.auth-ldap-search-base=ou=ldapTesting,dc=gemstone,dc=com \
                   -J-Djavax.net.ssl.trustStore=/Users/yozie/gfxd/keystore_name \
                   -J-Djavax.net.ssl.trustStorePassword=keystore_password

Note: javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword must be specified as Java system properties (using the -J option on the gfxd command line).

Note: LDAP server and search properties must be set to the same value for each member of the GemFire XD distributed system. However, individual GemFire XD members can be started using different authenticated user credentials, trust stores, and so forth.