Enabling LDAP Authentication for Search

Before continuing, make sure that you have completed the steps in Enabling Kerberos Authentication for Search. Solr supports LDAP authentication for external Solr clients, including:

  • Command-line tools
  • curl
  • Web browsers
  • Solr Java clients

Solr does not support LDAP authentication in the following cases; use Kerberos authentication for them instead:

  • Search indexing components including the MapReduce indexer, Lily HBase indexer, or Flume.
  • Solr internal requests such as those for replication or querying.
  • Hadoop delegation token management requests such as GETDELEGATIONTOKEN or RENEWDELEGATIONTOKEN.

Configuring LDAP Authentication for Solr using Cloudera Manager

You can configure LDAP-based authentication using Cloudera Manager at the Solr service level.

  1. Go to the Solr service.
  2. Click the Configuration tab.
  3. Select Scope > Solr.
  4. Select Category > Security.
  5. Select Enable LDAP.
  6. Enter the LDAP URI in the LDAP URI property.
  7. Configure only one of the following mutually exclusive parameters:
    • LDAP BaseDN: Replaces the username with a "distinguished name" (DN) of the form uid=userid,ldap_baseDN. Typically used for OpenLDAP server installations.

    -OR-

    • LDAP Domain: Replaces the username with the string username@ldap_domain. Typically used for Active Directory server installations.

Configuring LDAP Authentication for Solr Using the Command Line

To enable LDAP authentication using the command line, configure the following environment variables in /etc/default/solr:

SOLR_AUTHENTICATION_HTTP_SCHEMES=Negotiate,Basic
SOLR_AUTHENTICATION_HTTP_DELEGATION_MGMT_SCHEMES=Negotiate
SOLR_AUTHENTICATION_HTTP_BASIC_HANDLER=ldap
SOLR_AUTHENTICATION_HTTP_NEGOTIATE_HANDLER=kerberos
SOLR_AUTHENTICATION_LDAP_PROVIDER_URL=ldap://www.example.com

# Specify value for only one of SOLR_AUTHENTICATION_LDAP_BASE_DN or SOLR_AUTHENTICATION_LDAP_BIND_DOMAIN property.
SOLR_AUTHENTICATION_LDAP_BASE_DN=ou=Users,dc=example,dc=com
# SOLR_AUTHENTICATION_LDAP_BIND_DOMAIN=
# Required when using the 'Start TLS' extension
# SOLR_AUTHENTICATION_LDAP_ENABLE_START_TLS=false

Securing LDAP Connections

You can secure LDAP communications using encryption.

To avoid sending credentials over the wire in clear-text, you must configure a secure connection between both the client and Solr, and between Solr and the LDAP server. The secure connection could use SSL or TLS.

Secure LDAP connections through SSL:

For SSL-enabled LDAP connections, specify a prefix of ldaps:// instead of ldap://. Also, the default port for SSL-enabled LDAP connections is 636 instead of 389.

Secure LDAP connections through TLS:

TLS, the successor to the SSL protocol, is supported by most modern LDAP servers. Unlike SSL connections, TLS connections can be made on the same server port as non-TLS connections. You can enable LDAP TLS using Cloudera Manager.

  1. Go to the Solr service.
  2. Click the Configuration tab.
  3. Select Scope > Solr.
  4. Select Category > Security.
  5. Select Enable LDAP TLS.
  6. Import the LDAP server security certificate in the Solr Trust Store file:
    1. Enter the location for the Solr Trust Store File in Solr TLS/SSL Certificate Trust Store File.
    2. Enter the password for the Solr Trust Store File in Solr TLS/SSL Certificate Trust Store Password.
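The following script is an added example and is not part of the Cloudera documentation. It reads a file in the /etc/default/solr format shown above and checks the two constraints this page states: exactly one of SOLR_AUTHENTICATION_LDAP_BASE_DN and SOLR_AUTHENTICATION_LDAP_BIND_DOMAIN must be set, and the LDAP provider URL must be either ldaps:// or a plain ldap:// URL with SOLR_AUTHENTICATION_LDAP_ENABLE_START_TLS=true, because otherwise the LDAP simple bind carries the user's password over the wire in clear text. The sample file contents and host names are constructed.

```shell
#!/bin/sh
# Added example: sanity-check the LDAP settings in an /etc/default/solr file.
# Not part of the Cloudera documentation; sample values are constructed.

# Print the value of KEY from an env-style file ($1 = file, $2 = KEY).
# Commented-out lines ("# KEY=...") are ignored; the last assignment wins,
# which matches how the shell would source the file.
get_setting() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Report problems in the LDAP configuration of the given file.
# Returns 0 when the configuration is acceptable, 1 otherwise.
check_solr_ldap_config() {
  file=$1
  rc=0
  base_dn=$(get_setting "$file" SOLR_AUTHENTICATION_LDAP_BASE_DN)
  bind_domain=$(get_setting "$file" SOLR_AUTHENTICATION_LDAP_BIND_DOMAIN)
  url=$(get_setting "$file" SOLR_AUTHENTICATION_LDAP_PROVIDER_URL)
  start_tls=$(get_setting "$file" SOLR_AUTHENTICATION_LDAP_ENABLE_START_TLS)
  basic_handler=$(get_setting "$file" SOLR_AUTHENTICATION_HTTP_BASIC_HANDLER)

  # BASE_DN and BIND_DOMAIN are mutually exclusive, and one of them is required.
  if [ -n "$base_dn" ] && [ -n "$bind_domain" ]; then
    echo "ERROR: both LDAP_BASE_DN and LDAP_BIND_DOMAIN are set; configure only one"
    rc=1
  elif [ -z "$base_dn" ] && [ -z "$bind_domain" ]; then
    echo "ERROR: neither LDAP_BASE_DN nor LDAP_BIND_DOMAIN is set"
    rc=1
  fi

  # The bind password must be protected by LDAPS or by Start TLS.
  case "$url" in
    ldaps://*)
      ;;
    ldap://*)
      if [ "$start_tls" != "true" ]; then
        echo "ERROR: plain ldap:// URL without SOLR_AUTHENTICATION_LDAP_ENABLE_START_TLS=true sends passwords in clear text"
        rc=1
      fi
      ;;
    "")
      echo "ERROR: SOLR_AUTHENTICATION_LDAP_PROVIDER_URL is not set"
      rc=1
      ;;
    *)
      echo "ERROR: unrecognised LDAP URL scheme in: $url"
      rc=1
      ;;
  esac

  # Basic auth must be routed to the LDAP handler for LDAP credentials to be checked.
  if [ "$basic_handler" != "ldap" ]; then
    echo "WARNING: SOLR_AUTHENTICATION_HTTP_BASIC_HANDLER is '$basic_handler', expected 'ldap'"
  fi
  return $rc
}

# Constructed sample: the documentation's example values with a plain ldap://
# URL and Start TLS left commented out, which the check rejects.
sample=$(mktemp)
cat > "$sample" <<'EOF'
SOLR_AUTHENTICATION_HTTP_SCHEMES=Negotiate,Basic
SOLR_AUTHENTICATION_HTTP_BASIC_HANDLER=ldap
SOLR_AUTHENTICATION_LDAP_PROVIDER_URL=ldap://ldap.example.com
SOLR_AUTHENTICATION_LDAP_BASE_DN=ou=Users,dc=example,dc=com
# SOLR_AUTHENTICATION_LDAP_ENABLE_START_TLS=false
EOF
check_solr_ldap_config "$sample" || echo "$sample needs attention before LDAP authentication is enabled"
rm -f "$sample"
```

Run it against the real file with `check_solr_ldap_config /etc/default/solr` after editing; the check only covers the Solr-to-LDAP leg, so the client-to-Solr leg still needs HTTPS on the Solr side as described above.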

LDAP Client Configuration

Some HTTP clients, such as curl or the Apache HttpClient Java library, must be configured to use a particular authentication scheme. For example:

  • The curl tool supports either Kerberos or username/password authentication. Kerberos is activated using the --negotiate flag, and username/password authentication is activated using the --basic and -u flags.
  • The Apache HttpClient library can be configured to use a specific authentication scheme. For more information, see the HTTP authentication chapter of Apache's HttpClient Tutorial.

Typically, web browsers automatically choose a preferred authentication scheme. For more information, see the HTTP authentication topic in The Chromium Projects.

To use LDAP authentication with Solr Java clients, an HttpClientConfigurer needs to be configured for Solr. This can be done either programmatically or using Java system properties.

For example, programmatic initialization might appear as:

SampleSolrClient.java

import org.apache.solr.client.solrj.impl.HttpClientUtil;
import org.apache.solr.client.solrj.impl.PreemptiveBasicAuthConfigurer;
import org.apache.solr.common.params.ModifiableSolrParams;

public class SampleSolrClient {

  /**
   * Initializes the Solr client to use LDAP authentication.
   * This configuration applies to all Solr clients created in this JVM.
   * @param ldapUserName LDAP user name
   * @param ldapPassword LDAP user password
   */
  public static void initialize(String ldapUserName, String ldapPassword) {
    // Send the credentials preemptively with every request as HTTP Basic auth.
    HttpClientUtil.setConfigurer(new PreemptiveBasicAuthConfigurer());
    ModifiableSolrParams params = new ModifiableSolrParams();
    params.set(HttpClientUtil.PROP_BASIC_AUTH_USER, ldapUserName);
    params.set(HttpClientUtil.PROP_BASIC_AUTH_PASS, ldapPassword);
    // Configure the JVM default parameters.
    PreemptiveBasicAuthConfigurer.setDefaultSolrParams(params);
  }
}

To configure the client using Java system properties, set the following:

System properties configuration for LDAP authentication:

  • solr.httpclient.configurer: Fully qualified class name of the HttpClientConfigurer implementation. For example, org.apache.solr.client.solrj.impl.PreemptiveBasicAuthConfigurer.
  • solr.httpclient.config: Path to the HTTP client configuration properties file. For example, ldap-credentials.properties.

For example, the entry in ldap-credentials.properties might appear as:

ldap-credentials.properties

httpBasicAuthUser=user1
httpBasicAuthPassword=passwd