This is a prerelease version.

View latest

Active Directory

You can use your existing Active Directory server for authentication and authorization in Management Center.

Setting Up the Active Directory Security Provider

To set up Active Directory, you need to configure settings either in the UI or the hz-mc conf tool.

  • UI

  • mc-conf

To set up the local security provider in the UI, go to Settings > Security Providers > Active Directory.

Before saving your configuration, you can test it by clicking the Test button. The user you test with needs to be a member of one of the groups you have configured for the Management Center.

Use the active-directory configure task. For help, use the -h flag or see Management Center Configuration Tool.

Linux and Mac
hz-mc conf active-directory configure
Windows
mc-conf.bat active-directory configure
  • URL: URL of your Active Directory server, including the schema (ldap:// or ldaps://) and port.

  • Domain: Domain of your organization on Active Directory.

  • User Search Filter: LDAP search filter expression to search for the users. {0} will be replaced with username@domain and {1} will be replaced with only the username. You can use both placeholders, only one of them or none in your search filter. For example, (&(objectClass=user)(userPrincipalName={0})) searches for a username that matches with the userPrincipalName attribute and member of the object class user.

    You can use the hazelcast.mc.ldap.timeout property to specify both connect and read timeout values for Active Directory search queries. It is in milliseconds and its default value is 3000 milliseconds.
  • Admin Groups: Members of this group and its nested groups have admin privileges on the Management Center. To use more than one group, separate them with a semicolon (;).

  • User Groups: Members of this group and its nested groups have read and write privileges on the Management Center. To use more than one group, separate them with a semicolon (;).

  • Read-only User Groups: Members of this group and its nested groups have only read privilege on the Management Center. To use more than one group, separate them with a semicolon (;).

  • Metrics-only Groups: Members of this group and its nested groups have the privilege to see only the metrics on Management Center. To use more than one group, separate them with a semicolon (;).

  • Nested Group Search: Disable if you have a large LDAP group structure and it takes a long time to query all nested groups during login.

Creating and Managing Users

To create and manage additional users, you must configure them in Active Directory.

When creating users, be sure to give them a valid role. See User Management.

Updating Active Directory Settings

Once configured, Active Directory settings are saved in a local database managed by Management Center. If you need to update your settings afterwards, you need to provide the import properties file under <hazelcast-mc>/import/securityHotReload.properties, and then click on the Reload Security Config button on the login page. The securityHotReload.properties should contain the following properties:

url=<active directory instance url>
domain=<domain>
adminGroup=<Admin group(s). Use ';' to separate multiple groups>
userGroup=<Read-write group(s). Use ';' to separate multiple groups>
readonlyUserGroup<Read-only group(s). Use ';' to separate multiple groups>
metricsOnlyGroup<Metrics-only group(s). Use ';' to separate multiple groups>
The Reload Security Config button will only appear when the <hazelcast-mc>/import/securityHotReload.properties file is present. After a successful import, the file will be renamed as importedSecurityHotReload-<import_timestamp>.properties.bak.

Alternatively, you can use the hz-mc conf tool’s security reset and active-directory configure tasks to configure the Active Directory security provider from scratch, but you need to stop the Management Center service for this configuration option. See Management Center Configuration Tool for more information.

Enabling TLS/SSL for Active Directory

If your Active Directory service is using TLS/SSL protocol, use the following command line parameters for your Management Center deployment:

  • -Dhazelcast.mc.ldap.ad.trustStore: Path to the truststore. This truststore needs to contain the public key of your Active Directory server.

  • -Dhazelcast.mc.ldap.ad.trustStorePassword: Password of the truststore.

  • -Dhazelcast.mc.ldap.ad.trustStoreType: Type of the truststore. Its default value is JKS.

  • -Dhazelcast.mc.ldap.ad.trustManagerAlgorithm: Name of the algorithm based on which the authentication keys are provided. System default is used if none is provided. You can find out the default by calling the javax.net.ssl.TrustManagerFactory#getDefaultAlgorithm method.

Next Steps

For details about the hz-mc conf tool, see Management Center Configuration Tool.