LATEST VERSION: 8.2.7 - CHANGELOG
Pivotal GemFire® v8.2

Using an LDAP Server for Client Authentication

Using an LDAP Server for Client Authentication

An LDAP server can be used by a GemFire cache server using the sample LDAP implementation provided in GemFire server product.

See the Security chapter in the GemFire User's Guide to verify authentication credentials for native clients attempting to connect to the GemFire servers and sending username and passwords using the sample UserPassword scheme.

Note: The username and password with this sample implementation is sent out in plaintext. For better security, either turn on credential encryption using Diffie-Hellman key exchange, or use a scheme like PKCS.

When a client initiates a connection to a cache server, the client submits its credentials to the server and the server submits those credentials to the LDAP server. To be authenticated, the credentials for the client need to match one of the valid entries in the LDAP server. The credentials can consist of the entry name and the corresponding password. If the submitted credentials result in a connection to the LDAP server because the credentials match the appropriate LDAP entries, then the client is authenticated and granted a connection to the server. If the server fails to connect to the LDAP server with the supplied credentials then an AuthenticationFailedException is sent to the client and its connection with the cache server is closed.

Configuration Settings

In the gfcpp.properties file for the client, specify the UserPasswordAuthInit callback, the username, and the password, like this:
security-client-auth-library=securityImpl
security-client-auth-factory=createUserPasswordAuthInitInstance
security-username=<username>
security-password=<password>

For server side settings and LDAP server configuration, see the Security chapter in the Pivotal GemFire User's Guide.