When you configure GemFire XD to use LDAP as your authentication service, you must specify which LDAP server to use.
Restrictions and Performance Guidelines
- GemFire XD does not support LDAP groups.
- For performance reasons, the LDAP directory server should be in the same LAN as GemFire XD. GemFire XD does not cache the user's credential information locally and thus must connect to the directory server every time a user connects.
- Connection requests that provide the full DN are faster than those that must search for the full DN.
Procedure
1. Set the auth-provider property to "LDAP" when you start each locator and server in the GemFire XD distributed system.
   When you set the auth-provider property to "LDAP", GemFire XD uses LDAP for authenticating all distributed system members as well as clients to the distributed system. For this reason, GemFire XD members must supply the user and password properties at startup. If you omit a value for the password property when starting a GemFire XD member, then the member prompts you for a password at the command line.
2. Set the gemfirexd.auth-ldap-server property to the URL of the LDAP server. For example:
   gemfirexd.auth-ldap-server=ldap://server:port/
   You can specify the LDAP server either as the server name and port number separated by a colon, or as an "ldap" URL. If a full URL is not provided, GemFire XD uses unencrypted LDAP by default. To use SSL-encrypted LDAP you must provide a URL that starts with "ldaps://".
   Note: You must specify this property as a Java system property. For example, when you start a new GemFire XD server with gfxd, use the command-line option
   -J-Dgemfirexd.auth-ldap-server=ldaps://server:port/
   to specify the property.
3. If you use SSL-encrypted LDAP and your LDAP server certificate is not recognized by a valid Certificate Authority (CA), create a local trust store for each GemFire XD member and import the LDAP server certificate into the trust store. See http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore for more information.
4. If you performed step 3, specify the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties when you start individual GemFire XD members. For example:
   gfxd server start -dir=./server -locators=localhost[10101] -client-port=1528 -auth-provider=LDAP \
     -J-Dgemfirexd.auth-ldap-server=ldaps://ldapserver:636/ -user=user_name -password=user_pwd \
     -J-Dgemfirexd.auth-ldap-search-dn=uid=gemfirexd1,ou=ldapExample,dc=gemstone,dc=com \
     -J-Dgemfirexd.auth-ldap-search-pw=gemfirexd1 \
     -J-Dgemfirexd.auth-ldap-search-base=ou=ldapTesting,dc=gemstone,dc=com \
     -J-Djavax.net.ssl.trustStore=/Users/yozie/gfxd/keystore_name \
     -J-Djavax.net.ssl.trustStorePassword=keystore_password
   Note: javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword must be specified as Java system properties (using the -J option on the gfxd command line).
Note: LDAP server and search properties must be set to the same value for each member of the GemFire XD distributed system. However, individual GemFire XD members can be started using different authenticated user credentials, trust stores, and so forth.
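The following linter is an added example (not GemFire XD code) that checks a set of member start-up settings against the rules stated in this procedure and its notes: auth-provider must be LDAP with user and password supplied, the server URL should be ldaps:// rather than a bare host:port or ldap:// (both unencrypted), an ldaps member with a trust store needs its password, and the server and search properties must be identical on every member. Property names are the ones used above; the member configurations are constructed sample data, and the trust store path is a placeholder.

```python
from urllib.parse import urlsplit

# Server and search properties the page says must be identical on every member.
SHARED = ("gemfirexd.auth-ldap-server", "gemfirexd.auth-ldap-search-dn",
          "gemfirexd.auth-ldap-search-pw", "gemfirexd.auth-ldap-search-base")

def check_member(props, name="member"):
    """Return findings for one member's properties (dict of property name -> value)."""
    if props.get("auth-provider") != "LDAP":
        return [f"{name}: auth-provider is not LDAP; nothing to check"]
    findings = []
    # With LDAP, members authenticate to each other too, so user/password are required.
    for key in ("user", "password"):
        if not props.get(key):
            findings.append(f"{name}: missing '{key}' (member will prompt or fail)")
    server = props.get("gemfirexd.auth-ldap-server")
    if not server:
        return findings + [f"{name}: gemfirexd.auth-ldap-server not set"]
    # Bare 'host:port' has no scheme and, like 'ldap://', means unencrypted LDAP.
    scheme = urlsplit(server).scheme if "://" in server else ""
    if scheme != "ldaps":
        findings.append(f"{name}: unencrypted LDAP ({server}); use an ldaps:// URL")
    elif props.get("javax.net.ssl.trustStore") and not props.get("javax.net.ssl.trustStorePassword"):
        findings.append(f"{name}: trust store set without javax.net.ssl.trustStorePassword")
    return findings

def check_cluster(members):
    """Flag shared LDAP properties whose values differ between members."""
    findings = []
    for key in SHARED:
        values = {str(m.get(key)) for m in members.values()}
        if len(values) > 1:
            findings.append(f"{key} differs across members: {sorted(values)}")
    return findings

# Constructed sample: server2 uses plain ldap:// and a different search base,
# two of the mistakes the notes above warn about. Trust store path is a placeholder.
_BASE = {"auth-provider": "LDAP", "user": "gfxd1", "password": "secret1",
         "gemfirexd.auth-ldap-server": "ldaps://ldapserver:636/",
         "gemfirexd.auth-ldap-search-dn": "uid=gemfirexd1,ou=ldapExample,dc=gemstone,dc=com",
         "gemfirexd.auth-ldap-search-pw": "gemfirexd1",
         "gemfirexd.auth-ldap-search-base": "ou=ldapTesting,dc=gemstone,dc=com",
         "javax.net.ssl.trustStore": "/path/to/truststore",
         "javax.net.ssl.trustStorePassword": "keystore_password"}
SAMPLE_MEMBERS = {"server1": _BASE,
                  "server2": {**_BASE, "gemfirexd.auth-ldap-server": "ldap://ldapserver:389/",
                              "gemfirexd.auth-ldap-search-base": "ou=other,dc=gemstone,dc=com"}}

def lint(members=SAMPLE_MEMBERS):
    """Run per-member and cluster-wide checks; an empty list means the settings are consistent."""
    findings = []
    for name, props in members.items():
        findings.extend(check_member(props, name))
    return findings + check_cluster(members)
```

Running lint() on the sample reports server2's unencrypted URL plus the two shared properties (server URL and search base) that differ between the members.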