If all you want to perform is a simple bind to an LDAP service, then why use 
either?  JPam uses JAAS under the covers and jldap is a full API for managing a 
depot.  Neither solution looks particularly optimized.

If LDAP integration is a must-have, then why not just use JNDI?  Create a 
singleton factory that sets up the environment, including a connection pool, to 
create an initial context.  Then, use that to create a per-Thrift-connection 
binding context, with credentials passed in from the client?

However, I still think the simplest, fastest solution is to use a 
Cassandra-managed user realm, similar to RDBMS systems.  That keeps the 
connection opening phase within the Cassandra engine and isn't susceptible to 
the service being unavailable.  As well, if Cassandra manages the user realm on 
a per-keyspace basis, then authentication and authorization can be performed 
simultaneously and the keyspace argument can be dropped from the Thrift API 
calls.

Configuring Cassandra to handle LDAP binding will require configuring the 
connection url, protocol, search scope, base DN, keystore file, etc.  And of 
course, if Cassandra has LDAP integration, it should probably offer other 
authentication service support, like RADIUS and TACACS+, etc.  It's a can of 
worms, to be sure.

While on the topic of authentication, I still like the idea of opening a 
connection with credentials, as opposed to requiring a separate transaction to 
login.  That's an unnecessary round trip.  I don't see why an overloaded method 
to connect is a bad thing, especially when the anonymous connection will 
eventually be deprecated.  At least, I assume it will be deprecated by the time 
Cassandra has a fully fleshed out authentication realm? 

Robin.
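As an added illustration of the JNDI approach sketched above (example code written for this thread; it is not Cassandra code and not code from either poster): a singleton that holds the shared JNDI environment, resolves a login name to a DN through a pooled service-account connection, and then performs a per-client simple bind with the credentials the client supplied.  The hostname ldap.example.com, the base DN, the service-account DN and password, and the use of a uid attribute are all assumptions for the example.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Added example, not Cassandra code: a singleton holding the shared JNDI
 * environment, used to bind each client connection with its own credentials.
 * Server, base DN and service account below are assumptions for the example.
 */
public final class LdapBindAuthenticator {

    private static final String PROVIDER_URL = "ldaps://ldap.example.com:636";               // assumed
    private static final String BASE_DN      = "ou=people,dc=example,dc=com";                // assumed
    private static final String SERVICE_DN   = "cn=cassandra-svc,ou=services,dc=example,dc=com"; // assumed
    private static final char[] SERVICE_PW   = "change-me".toCharArray();                    // assumed

    private static final LdapBindAuthenticator INSTANCE = new LdapBindAuthenticator();

    private final Hashtable<String, Object> baseEnv = new Hashtable<>();

    private LdapBindAuthenticator() {
        baseEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        baseEnv.put(Context.PROVIDER_URL, PROVIDER_URL);          // ldaps:// so the bind password is not sent in clear
        baseEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
        baseEnv.put("com.sun.jndi.ldap.connect.timeout", "3000"); // do not hang a Thrift connection on a dead LDAP server
        baseEnv.put("com.sun.jndi.ldap.read.timeout", "5000");
        // Opt into the JDK's LDAP connection pool. The pool is keyed on
        // (URL, principal, credentials, auth type), so only the service-account
        // lookups are actually reused; each user bind still opens its own connection.
        baseEnv.put("com.sun.jndi.ldap.connect.pool", "true");
    }

    public static LdapBindAuthenticator getInstance() {
        return INSTANCE;
    }

    /** Resolve a login name to its DN using the pooled service-account connection. */
    String lookupDn(String username) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>(baseEnv);
        env.put(Context.SECURITY_PRINCIPAL, SERVICE_DN);
        env.put(Context.SECURITY_CREDENTIALS, new String(SERVICE_PW));
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]);
            // The username is passed as a filter argument, so JNDI escapes it
            // instead of it being concatenated into the filter (no filter injection).
            NamingEnumeration<SearchResult> results =
                ctx.search(BASE_DN, "(uid={0})", new Object[] { username }, sc);
            if (!results.hasMore()) {
                return null;
            }
            String dn = results.next().getNameInNamespace();
            if (results.hasMore()) {
                return null; // ambiguous match: refuse rather than guess
            }
            return dn;
        } finally {
            ctx.close(); // hands the connection back to the pool
        }
    }

    /**
     * Bind as the user. Returns the bound context on success so the caller can
     * hold it for the lifetime of its Thrift connection; throws on bad credentials.
     */
    public DirContext bindAsUser(String username, char[] password) throws NamingException {
        // Many directories treat an empty password as an anonymous bind and report
        // success, so reject empty credentials before talking to the server.
        if (username == null || username.isEmpty() || password == null || password.length == 0) {
            throw new AuthenticationException("empty username or password");
        }
        String dn = lookupDn(username);
        if (dn == null) {
            throw new AuthenticationException("unknown or ambiguous user");
        }
        Hashtable<String, Object> env = new Hashtable<>(baseEnv);
        env.remove("com.sun.jndi.ldap.connect.pool"); // per-user binds gain nothing from the pool
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        return new InitialDirContext(env); // throws AuthenticationException if the bind fails
    }
}
```

Two points worth knowing before wiring something like this into a connection handler: the JDK pool only reuses connections whose principal and credentials match, so pooling helps the service-account search but not the per-user bind, which is one connection per client login; and the empty-password check matters because an LDAP simple bind with a DN and no password is an unauthenticated bind that many servers accept.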

-----Original Message-----
From: news [mailto:[email protected]] On Behalf Of Ted Zlatanov
Sent: November 24, 2009 5:24 PM
To: [email protected]
Subject: Re: Cassandra access control

Looks like I could use:

PAM auth: http://jpam.sourceforge.net/

LDAP/AD auth: http://www.openldap.org/jldap/

The first is definitely OK (Apache license), but I'm not sure about the
second one (OpenLDAP public license).  Looks BSDish to me.  It claims to
support Windows auth and is officially provided by the OpenLDAP project.
Has anyone used it?

Thanks
Ted
