Enable LDAP authentication in Azure Managed Instance for Apache Cassandra

Azure Managed Instance for Apache Cassandra provides automated deployment and scaling operations for managed open-source Apache Cassandra datacenters. This article discusses how to enable Lightweight Directory Access Protocol (LDAP) authentication to your clusters and datacenters.

Important

LDAP authentication is in public preview.

This feature is provided without a service-level agreement. We don't recommend it for production workloads. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

Prerequisites

Deploy an LDAP server in Azure

In this section, you create a simple LDAP server on a virtual machine in Azure. If you already have an LDAP server running, you can skip ahead to Enable LDAP authentication.

  1. Deploy a virtual machine in Azure by using Ubuntu Server 18.04 Long-Term Support (LTS). For detailed instructions, see Deploy an Ubuntu server.

  2. Give your server a Domain Name System (DNS) name.

    Screenshot that shows the virtual machine DNS name in the Azure portal.

  3. Install Docker on the virtual machine. For a tutorial, see Install and use Docker on Ubuntu 18.04.

  4. In the home directory, copy and paste the following text and select Enter. This command creates a file that contains a test LDAP user account.

    mkdir ldap-user && cd ldap-user && cat >> user.ldif <<EOL
    dn: uid=admin,dc=example,dc=org
    uid: admin
    cn: admin
    sn: 3
    objectClass: top
    objectClass: posixAccount
    objectClass: inetOrgPerson
    loginShell: /bin/bash
    homeDirectory: /home/admin
    uidNumber: 14583102
    gidNumber: 14564100
    userPassword: admin
    mail: admin@example.com
    gecos: admin
    EOL
    
  5. Go back to the home directory.

    cd ..
    
  6. Run the following command. Replace <dnsname> with the DNS name that you created for your LDAP server earlier. This command deploys an LDAP server with Transport Layer Security (TLS) enabled to a Docker container and copies the user file that you created earlier to the container.

    sudo docker run --hostname <dnsname>.uksouth.cloudapp.azure.com --name <dnsname> -v $(pwd)/ldap-user:/container/service/slapd/assets/test --detach osixia/openldap:1.5.0
    
  7. Copy out the certificates folder from the container. Replace <dnsname> with the DNS name that you created for your LDAP server.

    sudo docker cp <dnsname>:/container/service/slapd/assets/certs certs
    
  8. Verify that the DNS name is correct.

    openssl x509 -in certs/ldap.crt -text
    

    Screenshot that shows output from the command to verify the certificate.

  9. Copy the ldap.crt file to clouddrive in the Azure CLI for use later.

  10. Add the user to the LDAP. Replace <dnsname> with the DNS name that you created for your LDAP server.

    sudo docker container exec <dnsname> ldapadd -H ldap://<dnsname>.uksouth.cloudapp.azure.com -D "cn=admin,dc=example,dc=org" -w admin -f /container/service/slapd/assets/test/user.ldif
    

Enable LDAP authentication

Important

If you skipped the previous section because you already have an LDAP server, be sure that it has server Secure Sockets Layer (SSL) certificates enabled. The subject alternative name (DNS name) specified in the certificate must also match the domain name of the server that hosts LDAP, or authentication fails.

  1. Currently, LDAP authentication is a public preview feature. Run the following command to add the required Azure CLI extension:

    az extension add --upgrade --name cosmosdb-preview
    
  2. Set the authentication method to Ldap on the cluster. Replace <resource group> and <cluster name> with the appropriate values.

    az managed-cassandra cluster update -g <resource group> -c <cluster name> --authentication-method "Ldap"
    
  3. Now set properties at the datacenter level. Replace <resource group> and <cluster name> with the appropriate values. Replace <dnsname> with the DNS name that you created for your LDAP server.

    The following command is based on the LDAP setup in the earlier section. If you skipped that section because you already have an existing LDAP server, provide the corresponding values for that server instead. Ensure that you uploaded a certificate file like ldap.crt to your cloud drive in the Azure CLI.

    ldap_search_base_distinguished_name='dc=example,dc=org'
    ldap_server_certificates='/usr/csuser/clouddrive/ldap.crt'
    ldap_server_hostname='<dnsname>.uksouth.cloudapp.azure.com'
    ldap_service_user_distinguished_name='cn=admin,dc=example,dc=org'
    ldap_service_user_password='admin'
    
    az managed-cassandra datacenter update -g <resource group> -c <cluster name> -d datacenter-1 \
      --ldap-search-base-dn $ldap_search_base_distinguished_name \
      --ldap-server-certs $ldap_server_certificates \
      --ldap-server-hostname $ldap_server_hostname \
      --ldap-service-user-dn $ldap_service_user_distinguished_name \
      --ldap-svc-user-pwd $ldap_service_user_password
    
  4. After this command finishes, you should be able to use CQLSH or any Apache Cassandra open-source client driver to connect to your managed instance datacenter with the LDAP user that you created earlier.

    export SSL_VALIDATE=false
    cqlsh --debug --ssl <data-node-ip> -u <user> -p <password>
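
Step 8 of the LDAP server setup and the note at the start of this section both depend on the certificate's subject alternative name matching the LDAP hostname. The following script is an added example, not part of this article or of the Azure tooling: it extracts the SAN DNS entries from a PEM certificate such as certs/ldap.crt and checks them against the hostname you pass to --ldap-server-hostname, and it also generalizes to single-label wildcard names. The make_demo_cert helper and the hostnames in it are constructed for offline demonstration.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: confirm that the LDAP server
# certificate covers the hostname passed to --ldap-server-hostname, since a
# subjectAltName mismatch is exactly the failure the article describes.
set -euf

# Print the DNS entries of the certificate's subjectAltName, one per line.
cert_san_dns_names() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Return 0 if HOST is covered by a SAN DNS entry, either exactly or by a
# wildcard that replaces exactly one leading label; otherwise return 1.
cert_san_matches() {
  cert="$1"; host="$2"
  for name in $(cert_san_dns_names "$cert"); do
    [ "$name" = "$host" ] && return 0
    case "$name" in
      \*.*)
        # *.example.org covers ldap.example.org but not a.b.example.org
        if [ "${host%%.*}" != "$host" ] && [ "${host#*.}" = "${name#\*.}" ]; then
          return 0
        fi
        ;;
    esac
  done
  return 1
}

# Constructed self-signed certificate for offline demonstration only.
make_demo_cert() {
  dir="$1"; host="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/ldap.key" -out "$dir/ldap.crt" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
}

# Usage: check-ldap-cert.sh certs/ldap.crt <dnsname>.uksouth.cloudapp.azure.com
if [ -n "${2:-}" ]; then
  if cert_san_matches "$1" "$2"; then
    echo "OK: $2 is listed in the certificate's subjectAltName"
  else
    echo "MISMATCH: $2 not in SAN; found: $(cert_san_dns_names "$1" | tr '\n' ' ')"
    exit 1
  fi
fi
```

Run it against certs/ldap.crt with the DNS name you gave the virtual machine before running the datacenter update; a mismatch here means the --ldap-server-hostname value or the certificate needs fixing first.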