Active Directory
You can use your existing Active Directory server for authentication and authorization in Management Center.
Setting Up the Active Directory Security Provider
To set up Active Directory, you need to configure settings either in the UI or with the mc-conf tool.
To set up the Active Directory security provider in the UI, go to Settings > Security Providers > Active Directory.
Before saving your configuration, you can test it by clicking the Test button. The user you test with needs to be a member of one of the groups you have configured for the Management Center.
To set up Active Directory with the mc-conf tool, use the active-directory configure task. For help, use the -h flag or see Management Center Configuration Tool.
mc-conf.sh active-directory configure
mc-conf.bat active-directory configure
- URL: URL of your Active Directory server, including the scheme (ldap:// or ldaps://) and port.
- Domain: Domain of your organization on Active Directory.
- User Search Filter: LDAP search filter expression used to search for users. {0} is replaced with username@domain and {1} is replaced with only the username. You can use both placeholders, only one of them, or none in your search filter. For example, (&(objectClass=user)(userPrincipalName={0})) searches for a user whose userPrincipalName attribute matches the username and whose object class is user. You can use the hazelcast.mc.ldap.timeout property to specify both the connect and read timeout values for Active Directory search queries. It is given in milliseconds and its default value is 3000 milliseconds.
- Admin Groups: Members of this group and its nested groups have admin privileges on the Management Center. To use more than one group, separate them with a semicolon (;).
- User Groups: Members of this group and its nested groups have read and write privileges on the Management Center. To use more than one group, separate them with a semicolon (;).
- Read-only User Groups: Members of this group and its nested groups have only read privilege on the Management Center. To use more than one group, separate them with a semicolon (;).
- Metrics-only Groups: Members of this group and its nested groups have the privilege to see only the metrics on Management Center. To use more than one group, separate them with a semicolon (;).
- Nested Group Search: Disable this if you have a large LDAP group structure and it takes a long time to query all nested groups during login.
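As an added example (not Management Center's own code), the following Python shows how the {0} and {1} placeholders of the User Search Filter expand for a given username and domain, and how the substituted values are escaped per RFC 4515 so that a username containing filter metacharacters stays a literal value rather than changing the filter's structure. The sAMAccountName variant and the sample usernames are constructed, and the page does not show Management Center's own escaping logic, so that part is an assumption about good practice, not a description of the product.

```python
import re

# Added example, not Management Center code. It expands the {0}/{1}
# placeholders of a User Search Filter as the page describes: {0} becomes
# username@domain and {1} becomes the bare username. Values are escaped per
# RFC 4515 so characters typed into the login form cannot alter the filter's
# structure. Assumption: how Management Center itself escapes is not on the page.

# RFC 4515: these characters must be written as \HH inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for safe use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_user_search_filter(template: str, username: str, domain: str) -> str:
    """Substitute {0} and {1} in a single pass; a template may use both, one or none."""
    values = {
        "0": escape_filter_value(f"{username}@{domain}"),
        "1": escape_filter_value(username),
    }
    return re.sub(r"\{([01])\}", lambda m: values[m.group(1)], template)


if __name__ == "__main__":
    upn_filter = "(&(objectClass=user)(userPrincipalName={0}))"  # the page's example
    sam_filter = "(&(objectClass=user)(sAMAccountName={1}))"     # constructed variant
    print(expand_user_search_filter(upn_filter, "jdoe", "example.com"))
    # A username containing filter metacharacters stays a literal value:
    print(expand_user_search_filter(sam_filter, "j*doe)(cn=x", "example.com"))
```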
Creating and Managing Users
To create and manage additional users, you must configure them in Active Directory.
When creating users, be sure to give them a valid role. See User Management.
Updating Active Directory Settings
Once configured, Active Directory settings are saved in a local database managed by Management Center.
If you need to update your settings afterwards, provide the import properties file at <hazelcast-mc>/import/securityHotReload.properties, and then click the Reload Security Config button on the login page.
The securityHotReload.properties file should contain the following properties:
url=<active directory instance url>
domain=<domain>
adminGroup=<Admin group(s). Use ';' to separate multiple groups>
userGroup=<Read-write group(s). Use ';' to separate multiple groups>
readonlyUserGroup=<Read-only group(s). Use ';' to separate multiple groups>
metricsOnlyGroup=<Metrics-only group(s). Use ';' to separate multiple groups>
The Reload Security Config button only appears when the <hazelcast-mc>/import/securityHotReload.properties file is present.
After a successful import, the file is renamed to importedSecurityHotReload-<import_timestamp>.properties.bak.
Alternatively, you can use the mc-conf tool's security reset and active-directory configure tasks to configure the Active Directory security provider from scratch, but you need to stop the Management Center service for this configuration option. See Management Center Configuration Tool for more information.
Enabling TLS/SSL for Active Directory
If your Active Directory service is using TLS/SSL protocol, use the following command line parameters for your Management Center deployment:
- -Dhazelcast.mc.ad.ssl.trustStore: Path to the truststore. This truststore needs to contain the public key of your Active Directory server.
- -Dhazelcast.mc.ad.ssl.trustStorePassword: Password of the truststore.
- -Dhazelcast.mc.ad.ssl.trustStoreType: Type of the truststore. Its default value is JKS.
- -Dhazelcast.mc.ad.ssl.trustManagerAlgorithm: Name of the trust manager algorithm used to validate the server's authentication keys. The system default is used if none is provided. You can find out the default by calling the javax.net.ssl.TrustManagerFactory#getDefaultAlgorithm method.
Next Steps
For details about the mc-conf tool, see Management Center Configuration Tool.