LDAP Authentication

Scylla supports user authentication via an LDAP server by leveraging the SaslauthdAuthenticator. By configuring saslauthd correctly against your LDAP server, you enable Scylla to check the user’s credentials through it.

Note

LDAP is scheduled for an upcoming release of Scylla Enterprise. To see which release, read the Release Notes.

Configure saslauthd

  1. You must list LDAP as saslauthd’s authentication mechanism. The environment file and the variable name depend on the distribution:

    On RHEL/CentOS, edit /etc/sysconfig/saslauthd and add:

    MECH=ldap

    On Debian/Ubuntu, edit /etc/default/saslauthd and add:

    MECHANISMS=ldap

  2. You also have to edit the /etc/saslauthd.conf file to provide adequate parameter values for your LDAP server.

  3. Once your configuration works, proceed to Configure SaslauthdAuthenticator.

Configure SaslauthdAuthenticator

Scylla can outsource authentication to a third-party utility named saslauthd, which, in turn, supports many different authentication mechanisms. Scylla accomplishes this by providing a custom authenticator named SaslauthdAuthenticator. This procedure explains how to install and configure it. Once configured, every login to Scylla is authenticated with the SaslauthdAuthenticator.

Procedure

  1. Install saslauthd. The easiest way is via a Linux package, if your package manager supports it. Choose the package according to your distribution:

    On RHEL/CentOS, use the cyrus-sasl package.

    On Debian/Ubuntu, use the sasl2-bin package.

  2. Enable the saslauthd service. Run:

    systemctl enable saslauthd.service
    
  3. Configure saslauthd: choose the authentication mechanism (e.g., LDAP or PAM) and set the appropriate mechanism-specific parameters by following the saslauthd documentation.

  4. After every configuration change, restart the saslauthd service.

    systemctl restart saslauthd.service
    
  5. Test your configuration using the testsaslauthd command. Verify that you see a success message. If not, verify that the user name and password are correct, and then look at the saslauthd logs (run dmesg -H and look for LOG_AUTH) to diagnose the problem.

  6. Find the mux file (saslauthd’s Unix domain socket) and note its full path. Depending on the distribution, it is usually one of:

    /run/saslauthd/mux

    /var/run/sasl2/mux

  7. Once saslauthd is correctly configured and running, modify the scylla.yaml configuration file so that Scylla can talk to it. Set the following entries:

    • authenticator: com.scylladb.auth.SaslauthdAuthenticator

    • saslauthd_socket_path: /path/to/the/mux

  8. Restart the Scylla server. From now on, Scylla will authenticate all login attempts via saslauthd.

    With systemd:

    sudo systemctl restart scylla-server

    With SysV init:

    sudo service scylla-server restart

    In Docker (without restarting the some-scylla container):

    docker exec -it some-scylla supervisorctl restart scylla


  9. Create Scylla roles which match the same roles in the LDAP server. To create a role, refer to the CQL Reference and the RBAC example.
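The two procedures above (Configure saslauthd and Configure SaslauthdAuthenticator), as an added example in POSIX shell. This is not Scylla's or Cyrus SASL's own tooling: the LDAP server name, DNs and bind password are placeholders, the two mux locations are the ones the procedure lists, the systemd-only restarts and the `--apply` entry point are assumptions. Each step is a separate function so the configuration edits can be exercised on copies of the files before touching the live system.

```shell
#!/bin/sh
# Added example (not Scylla's or Cyrus SASL's own tooling): the two procedures
# above as idempotent shell functions. LDAP hostname, DNs, the bind password,
# the mux candidates and the "--apply" entry point are placeholders/assumptions.

# Set "KEY<sep>VALUE" on the single active line for KEY in FILE, replacing an
# existing line (duplicates collapse to one) or appending if none exists.
# Lines that are commented out ("# authenticator: ...") are left untouched.
# Note: awk -v interprets backslash escapes, so values are plain paths/names.
set_kv() {
  file=$1 key=$2 sep=$3 value=$4
  awk -v k="$key" -v s="$sep" -v v="$value" '
    index($0, k substr(s, 1, 1)) == 1 { if (!seen) print k s v; seen = 1; next }
    { print }
    END { if (!seen) print k s v }' "$file" > "$file.tmp" || { rm -f "$file.tmp"; return 1; }
  mv "$file.tmp" "$file"
}

# "Configure saslauthd" step 1: select the ldap mechanism in the service's
# environment file; path and variable name differ between distributions.
set_saslauthd_mechanism() {
  if [ -f /etc/sysconfig/saslauthd ]; then          # RHEL/CentOS
    set_kv /etc/sysconfig/saslauthd MECH = ldap
  elif [ -f /etc/default/saslauthd ]; then          # Debian/Ubuntu
    set_kv /etc/default/saslauthd MECHANISMS = ldap
  else
    echo "no saslauthd environment file found" >&2; return 1
  fi
}

# "Configure saslauthd" step 2: the LDAP parameters saslauthd reads from
# /etc/saslauthd.conf. It contains the bind password, so it is written 0600.
write_saslauthd_ldap_conf() {
  out=$1
  rm -f "$out"
  ( umask 077; cat > "$out" <<'EOF'
# Placeholder values: replace with your directory's servers, base DN and bind account.
ldap_servers: ldaps://ldap.example.com
ldap_start_tls: no
ldap_search_base: ou=people,dc=example,dc=com
ldap_filter: (uid=%u)
ldap_bind_dn: cn=scylla-bind,ou=service,dc=example,dc=com
ldap_password: REPLACE_ME
EOF
  )
}

# Step 6: locate the mux socket. With no arguments it tries the two usual
# locations from the procedure; explicit candidates can be passed instead.
find_mux_socket() {
  [ $# -eq 0 ] && set -- /run/saslauthd/mux /var/run/sasl2/mux
  for p in "$@"; do
    [ -S "$p" ] && { printf '%s\n' "$p"; return 0; }
  done
  echo "saslauthd mux socket not found; is saslauthd running?" >&2
  return 1
}

# Step 5: check one credential pair against saslauthd itself, before Scylla is
# involved. testsaslauthd takes the password only on its command line, so it
# is prompted for here rather than accepted as a script argument.
verify_saslauthd() {
  user=$1 mux=$2
  printf 'Password for %s: ' "$user"; stty -echo; read -r pw; stty echo; echo
  testsaslauthd -u "$user" -p "$pw" -f "$mux"
}

# Step 7: the two scylla.yaml entries the authenticator needs.
configure_scylla_auth() {
  yaml=$1 mux=$2
  set_kv "$yaml" authenticator ": " com.scylladb.auth.SaslauthdAuthenticator
  set_kv "$yaml" saslauthd_socket_path ": " "$mux"
}

# All steps in order; saslauthd is restarted after its configuration changes.
apply_all() {
  set_saslauthd_mechanism
  write_saslauthd_ldap_conf /etc/saslauthd.conf
  systemctl enable saslauthd.service
  systemctl restart saslauthd.service
  mux=$(find_mux_socket) || return 1
  verify_saslauthd "$1" "$mux" || return 1
  configure_scylla_auth /etc/scylla/scylla.yaml "$mux"
  systemctl restart scylla-server
}

# Only "--apply USER" touches the system; sourcing the file for its functions
# has no side effects.
if [ "${1:-}" = "--apply" ]; then
  apply_all "$2"
fi
```

Run as root with `sh scylla-saslauthd.sh --apply <ldap-username>`; the credential check in step 5 runs against saslauthd alone, so a failure there is a saslauthd or LDAP problem and not a Scylla one. Two points worth keeping in mind: /etc/saslauthd.conf carries a bind password and should stay readable by root only, and testsaslauthd shows the password in the process list for the duration of the check, which is why the function prompts for it instead of taking it as an argument.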