Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Azure Managed Instance for Apache Cassandra provides automated deployment and scaling operations for managed open-source Apache Cassandra data centers. This article discusses how to enable LDAP authentication to your clusters and data centers.
Important
LDAP authentication is in public preview.
This feature is provided without a service level agreement. We don't recommend it for production workloads. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.
Prerequisites
- If you don't have an Azure subscription, create a free account before you begin.
- An Azure Managed Instance for Apache Cassandra cluster. For more information, see Create an Azure Managed Instance for Apache Cassandra cluster from the Azure portal.
Deploy an LDAP Server in Azure
In this section, you create a simple LDAP server on a Virtual Machine in Azure. If you already have an LDAP server running, you can skip ahead to Enable LDAP authentication.
Deploy a virtual machine in Azure using Ubuntu Server 18.04 LTS. For detailed instructions, see Deploy an Ubuntu server.
Give your server a DNS name:
Install Docker on the virtual machine. For a tutorial, see How To Install and Use Docker on Ubuntu 18.04.
In the home directory, copy and paste the following text and select Enter. This command creates a file containing a test LDAP user account.
mkdir ldap-user && cd ldap-user && cat >> user.ldif <<EOL dn: uid=admin,dc=example,dc=org uid: admin cn: admin sn: 3 objectClass: top objectClass: posixAccount objectClass: inetOrgPerson loginShell: /bin/bash homeDirectory: /home/admin uidNumber: 14583102 gidNumber: 14564100 userPassword: admin mail: admin@example.com gecos: admin EOLNavigate back to the home directory
cd ..Run the following command. Replace
<dnsname>with the dns name you created for your LDAP server earlier. This command deploys an LDAP server with TLS enabled to a Docker container and copies the user file you created earlier to the container.sudo docker run --hostname <dnsname>.uksouth.cloudapp.azure.com --name <dnsname> -v $(pwd)/ldap-user:/container/service/slapd/assets/test --detach osixia/openldap:1.5.0Copy out the certificates folder from the container. Replace
<dnsname>with the DNS name you created for your LDAP server:sudo docker cp <dnsname>:/container/service/slapd/assets/certs certsVerify that DNS name is correct:
openssl x509 -in certs/ldap.crt -text
Copy the
ldap.crtfile to clouddrive in Azure CLI for use later.Add the user to the LDAP. Replace
<dnsname>with the dns name you created for your LDAP server:sudo docker container exec <dnsname> ldapadd -H ldap://<dnsname>.uksouth.cloudapp.azure.com -D "cn=admin,dc=example,dc=org" -w admin -f /container/service/slapd/assets/test/user.ldif
Enable LDAP authentication
Important
If you skipped the previous section because you already have an LDAP server, be sure that it has server SSL certificates enabled. The subject alternative name (dns name) specified for the certificate must also match the ___domain of the server that LDAP is hosted on, or authentication fails.
Currently, LDAP authentication is a public preview feature. Run the following command to add the required Azure CLI extension:
az extension add --upgrade --name cosmosdb-previewSet authentication method to "Ldap" on the cluster. Replace
<resource group>and<cluster name>with the appropriate values.az managed-cassandra cluster update -g <resource group> -c <cluster name> --authentication-method "Ldap"Now set properties at the data center level. Replace
<resource group>and<cluster name>with the appropriate values, and<dnsname>with the dns name you created for your LDAP server.Note
The following command is based on the LDAP setup in the earlier section. If you skipped that section because you already have an existing LDAP server, provide the corresponding values for that server instead. Ensure that you uploaded a certificate file like
ldap.crtto your clouddrive in Azure CLI.ldap_search_base_distinguished_name='dc=example,dc=org' ldap_server_certificates='/usr/csuser/clouddrive/ldap.crt' ldap_server_hostname='<dnsname>.uksouth.cloudapp.azure.com' ldap_service_user_distinguished_name='cn=admin,dc=example,dc=org' ldap_service_user_password='admin' az managed-cassandra datacenter update -g `<resource group>` -c `<cluster name>` -d datacenter-1 \ --ldap-search-base-dn $ldap_search_base_distinguished_name \ --ldap-server-certs $ldap_server_certificates \ --ldap-server-hostname $ldap_server_hostname \ --ldap-service-user-dn $ldap_service_user_distinguished_name \ --ldap-svc-user-pwd $ldap_service_user_passwordAfter this command finishes, you should be able to use CQLSH or any Apache Cassandra open-source client driver to connect to your managed instance data center with the user added in the previous step:
export SSL_VALIDATE=false cqlsh --debug --ssl <data-node-ip> -u <user> -p <password>