Using LDAP Authentication
This topic describes how to use LDAP authentication in Splice Machine, in these subsections:
- About LDAP Authentication in Splice Machine
- LDAP Property Settings
- Authenticating With an LDAP Group
- Troubleshooting LDAP
About LDAP Authentication in Splice Machine
LDAP authentication in Splice Machine uses an external LDAP server.
LDAP authentication is available only with a Splice Machine Enterprise license; you cannot use LDAP authentication with the Community version of Splice Machine.
To obtain a license for the Splice Machine Enterprise Edition, please Contact Splice Machine Sales today.
To use LDAP with Splice Machine, you must:
- Contact us to obtain a license key from Splice Machine.
- Enable Enterprise features by adding your Splice Machine license key to your HBase configuration file as the value of the splicemachine.enterprise.key property, as shown below.
- Make sure that a user with name splice has been created in the LDAP server.
- Add the Splice Machine LDAP properties to your HBase configuration file, along with the license key property. Note that you may need to set the splice.authentication properties in both the service and the client HBase configuration files.
LDAP Property Settings
These are the property settings you need to configure:
```xml
<property>
  <name>splicemachine.enterprise.key</name>
  <value>your-Splice-Machine-license-key</value>
</property>
<property>
  <name>splice.authentication</name>
  <value>LDAP</value>
</property>
<property>
  <name>splice.authentication.ldap.server</name>
  <value>ldap://servername-ldap.yourcompany.com:port-number</value>
</property>
<property>
  <name>splice.authentication.ldap.searchAuthDN</name>
  <value>cn=commonName,ou=Users,dc=yourcompany,dc=com</value>
</property>
<property>
  <name>splice.authentication.ldap.searchAuth.password</name>
  <value>yourpassword</value>
</property>
<property>
  <name>splice.authentication.ldap.searchBase</name>
  <value>ou=Users,dc=yourcompany,dc=com</value>
</property>
<property>
  <name>splice.authentication.ldap.searchFilter</name>
  <value>search-filter-criteria</value>
</property>
```
Notes about the LDAP property values:
- Specify both the host name of your external LDAP server and its port number in the splice.authentication.ldap.server property. The default LDAP port is 389 (636 for LDAP over TLS).
- The splice.authentication.ldap.searchAuthDN property is the security principal:
  - It is used to create the initial LDAP context, that is, the connection bound as a specific DN (Distinguished Name).
  - It must have the authority to search the user space for user DNs, and should have no rights beyond that.
  - cn= is the common name of the security principal.
- The splice.authentication.ldap.searchAuth.password property specifies the password Splice Machine uses to perform the DN search; this is the password of the DN specified in the searchAuthDN property. It sits in cleartext in the configuration file, so restrict read access to that file.
- The splice.authentication.ldap.searchBase property specifies the root DN of the point in your hierarchy from which the search for the user's DN begins (the search runs as the searchAuthDN principal).
- The splice.authentication.ldap.searchFilter property specifies the search filter used to decide what constitutes a user while searching for the user's DN; %USERNAME% is replaced with the name supplied at login. An example is: (&(objectClass=*)(uid=%USERNAME%))
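The following is an added example, not Splice Machine code: it lints a property set of the shape shown above (all property names are the ones from the configuration block) and shows the RFC 4515 escaping that any safe substitution of %USERNAME% into the search filter has to perform. The page does not say how Splice Machine itself performs the substitution; the checks, the helper names and the sample values are this example's own assumptions.

```python
"""Lint Splice Machine LDAP properties and build the user-search filter safely.
Added illustration; not Splice Machine code."""
from urllib.parse import urlsplit

# Properties listed in the configuration block above.
REQUIRED_PROPERTIES = (
    "splicemachine.enterprise.key",
    "splice.authentication",
    "splice.authentication.ldap.server",
    "splice.authentication.ldap.searchAuthDN",
    "splice.authentication.ldap.searchAuth.password",
    "splice.authentication.ldap.searchBase",
    "splice.authentication.ldap.searchFilter",
)

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value, otherwise a login name can rewrite the filter itself.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, username: str) -> str:
    """Substitute the login name for %USERNAME% with escaping applied.
    Whether Splice Machine escapes here is not stated on the page; this is
    what a correct search-then-bind implementation has to do."""
    return template.replace("%USERNAME%", escape_filter_value(username))


def check_ldap_properties(props: dict) -> list:
    """Return a list of findings; an empty list means the set looks sane."""
    findings = []
    for key in REQUIRED_PROPERTIES:
        if not props.get(key):
            findings.append(f"missing or empty property {key}")
    if props.get("splice.authentication", "").upper() != "LDAP":
        findings.append("splice.authentication must be set to LDAP")

    url = urlsplit(props.get("splice.authentication.ldap.server", ""))
    try:
        port = url.port  # ValueError for a placeholder such as :port-number
    except ValueError:
        port = None
    if url.scheme not in ("ldap", "ldaps"):
        findings.append("server must be an ldap:// or ldaps:// URL")
    elif port is None:
        findings.append("server URL must include the port number")
    if url.scheme == "ldap":
        findings.append("ldap:// sends the search account's and the users' "
                        "passwords in cleartext; use ldaps://")

    if "%USERNAME%" not in props.get("splice.authentication.ldap.searchFilter", ""):
        findings.append("searchFilter must contain the %USERNAME% placeholder")
    return findings


# Constructed sample values (hypothetical host and DNs), shaped like the
# configuration block above.
SAMPLE_PROPERTIES = {
    "splicemachine.enterprise.key": "your-Splice-Machine-license-key",
    "splice.authentication": "LDAP",
    "splice.authentication.ldap.server": "ldaps://ldap.example.com:636",
    "splice.authentication.ldap.searchAuthDN": "cn=splice,ou=Users,dc=example,dc=com",
    "splice.authentication.ldap.searchAuth.password": "search-account-password",
    "splice.authentication.ldap.searchBase": "ou=Users,dc=example,dc=com",
    "splice.authentication.ldap.searchFilter": "(&(objectClass=*)(uid=%USERNAME%))",
}

if __name__ == "__main__":
    print(check_ldap_properties(SAMPLE_PROPERTIES))
    template = SAMPLE_PROPERTIES["splice.authentication.ldap.searchFilter"]
    print(build_search_filter(template, "alice"))
    # A login name that tries to widen the filter becomes a literal uid value:
    print(build_search_filter(template, "*)(uid=*"))
```

The second print in the main block shows why escaping matters: without it, a login name of `*)(uid=*` turns the filter into `(&(objectClass=*)(uid=*)(uid=*))`, which matches every user under the search base rather than one.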
Authenticating With an LDAP Group
To use an LDAP group, you must create a Splice Machine database user with the same name as that group. You can then assign privileges to that user, and everyone belonging to the LDAP group gains those privileges.
For example, given an LDAP group named test_devel:
```sql
splice> call syscs_util.syscs_create_user('test_devel', 'test_devel');
Statement executed.
splice> create schema test_devel_schema;
0 rows inserted/updated/deleted
splice> create role test_devel_role;
0 rows inserted/updated/deleted
splice> grant all privileges on schema test_devel_schema to test_devel_role;
0 rows inserted/updated/deleted
splice> grant test_devel_role to test_devel;
0 rows inserted/updated/deleted
```
You can now connect as user testuser, who belongs to the test_devel LDAP group:
```sql
splice> connect 'jdbc:splice://localhost:1527/splicedb;user=testuser;password=testpswd';
splice> create table test_devel_schema.t1(a int);
0 rows inserted/updated/deleted
splice> insert into test_devel_schema.t1 values (10), (20), (30);
3 rows inserted/updated/deleted
splice> select * from test_devel_schema.t1;
A
-----------
10
20
30
3 rows selected
```
LDAP Groups and Splice Machine
Given an LDAP user and its DN (Distinguished Name), Splice Machine honors the LDAP groups that user belongs to from two sources:
- the first CN (Common Name) in the DN, which may or may not be the same as the LDAP user name
- the user's memberOf attributes
Here's an example for an LDAP user with these attributes:
```ldif
# user3, Users, splicemachine.colo
dn: cn=user3,ou=Users,dc=splicemachine,dc=colo
memberOf: cn=foo,ou=groups,dc=splicemachine,dc=colo
memberOf: cn=mygroup,ou=groups,dc=splicemachine,dc=colo
```
Splice Machine treats user3, foo and mygroup as the LDAP groups to which user3 belongs. All privileges granted to those three groups are inherited by the LDAP user user3. Because membership is read from the directory, whoever can edit a user's memberOf attributes (or the group entries behind them) effectively controls that user's database privileges.
LDAP Group Names and Splice Machine
When using an LDAP group name in a GRANT or REVOKE statement: if the group name contains characters other than alphanumerics or the underscore character (A-Z, a-z, 0-9, _), you must:
- Enclose the group name in double quotes
- Convert all alphabetic characters in the group name to uppercase.
For example, if you are granting rights to an LDAP group with the name This-is-my-LDAP-Group, you would use a statement like this:
```sql
GRANT SELECT ON TABLE Salaries TO "THIS-IS-MY-LDAP-GROUP";
```
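The following is an added example, not Splice Machine code, that covers both of the preceding sections: it derives the group names Splice Machine honors for an LDAP entry (the first CN of its DN plus the CN of each memberOf value) and renders a group name as the identifier a GRANT or REVOKE statement needs (double-quoted and upper-cased when it contains anything but A-Z, a-z, 0-9 or _). The DN parser, the helper names and the sample entry are this example's own; doubling an embedded double quote is standard SQL identifier quoting, not a rule the page states.

```python
"""Group names Splice Machine honors for an LDAP user, and how to spell them in
GRANT/REVOKE. Added illustration; not Splice Machine code."""
import re


def split_dn(dn: str) -> list:
    """Split a DN into (attribute, value) pairs on unescaped commas.
    A backslash keeps the next character literal; hex escapes (such as
    \\2c) and multi-valued RDNs (a+b) are not handled by this toy parser."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def first_cn(dn: str) -> str:
    """The first CN in the DN, which may differ from the LDAP user name."""
    for attr, value in split_dn(dn):
        if attr == "cn":
            return value
    raise ValueError(f"no CN in DN: {dn}")


def splice_groups(entry: dict) -> list:
    """Group names the user is treated as belonging to: own first CN, then
    the CN of every memberOf value, de-duplicated in order."""
    names = [first_cn(entry["dn"])]
    names += [first_cn(group_dn) for group_dn in entry.get("memberOf", [])]
    return list(dict.fromkeys(names))


def sql_group_identifier(name: str) -> str:
    """Plain names (A-Z, a-z, 0-9, _) are used as-is; anything else is
    upper-cased and double-quoted, with embedded quotes doubled."""
    if re.fullmatch(r"[A-Za-z0-9_]+", name):
        return name
    return '"' + name.upper().replace('"', '""') + '"'


def privilege_statement(verb: str, privilege: str, object_type: str,
                        object_name: str, group: str) -> str:
    """Render GRANT ... TO <group>; or REVOKE ... FROM <group>;"""
    preposition = {"GRANT": "TO", "REVOKE": "FROM"}[verb.upper()]
    return (f"{verb.upper()} {privilege} ON {object_type} {object_name} "
            f"{preposition} {sql_group_identifier(group)};")


# Constructed sample entry, shaped like the LDIF shown above, with one extra
# group whose name needs quoting.
SAMPLE_ENTRY = {
    "dn": "cn=user3,ou=Users,dc=splicemachine,dc=colo",
    "memberOf": [
        "cn=foo,ou=groups,dc=splicemachine,dc=colo",
        "cn=mygroup,ou=groups,dc=splicemachine,dc=colo",
        "cn=This-is-my-LDAP-Group,ou=groups,dc=splicemachine,dc=colo",
    ],
}

if __name__ == "__main__":
    for group in splice_groups(SAMPLE_ENTRY):
        print(privilege_statement("GRANT", "SELECT", "TABLE", "Salaries", group))
```

Running the main block prints one GRANT per group; the last line comes out as the quoted, upper-cased form shown in the example above, while user3, foo and mygroup stay unquoted.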
Connecting with JDBC and LDAP
You can then use our JDBC driver to connect to your database with LDAP authentication, using a connection string like the one in the group example above, with the LDAP user name and password supplied in the user= and password= parameters.
Troubleshooting LDAP
There is a known issue when authenticating with the LDAP protocol to an Active Directory instance. If you see "Unprocessed Continuation Reference" error messages in the Splice Machine region server logs, this is typically caused by using a default Active Directory port (636). The message means the directory answered the user search with a referral (a continuation reference) to another directory partition that the client did not follow; a domain controller on its standard LDAP ports does this, whereas the Global Catalog ports (3268 for LDAP, 3269 for LDAPS) hold a forest-wide replica and do not. To fix:
- Change port
- Change port
Using the alternate port allows for a broader search and avoids the referrals that would otherwise have to be followed.
Secure LDAP (LDAPS) is always preferred, since it is the only way to protect your users' passwords in transit: with a plain ldap:// URL, each user's password and the search account's password from splice.authentication.ldap.searchAuth.password are sent to the directory in cleartext on every bind. Point splice.authentication.ldap.server at an ldaps:// URL instead.