LDAP integration (stateless authentication)
LDAP is for those who want to manage their Matillion ETL users via an external directory. Using LDAP removes the ability to use OpenID and so those following the advice in this section should ignore the advice in the similar OpenID integration documentation.
Users who are already familiar with setting up LDAP through the External Security dialog in Matillion ETL may find it instructive to read the LDAP Integration documentation before attempting these changes.
To configure stateless authentication, follow these steps:

1. SSH into your Matillion ETL instance.

2. Open the following file for editing:

   /usr/share/emerald/WEB-INF/classes/Emerald.properties

3. Ensure the following variables are set:

   STATELESS_CONFIGURATION
       Must be set to true.
   STATELESS_LDAP_ENABLE
       Must be set to true.
   STATELESS_LDAP_NAME
       The name of a user to make the initial bind to the directory. This could be any LDAP user. For Active Directory, the name must include a realm using the form user@REALM.
   SEC_STATELESS_LDAP_PASSWORD
       The password for the user to make the initial bind to the directory. We advise against using "special characters" in passwords.
   STATELESS_LDAP_KEY
   STATELESS_LDAP_URL
       The location of the directory server, in the form ldap://<LDAP-server>:<port>. Use port 389 for non-SSL and port 636 for SSL.
   STATELESS_LDAP_BASES
       The part of the directory tree to begin searching for users. Typically users are created in the Users Container/OU.
   STATELESS_LDAP_SEARCH
       The attribute to search for user names.
   STATELESS_LDAP_ROLEBASE
       The part of the directory tree to begin searching for groups/roles, similar to the user base above. Change this appropriately if Matillion ETL user groups are in a different container.
   STATELESS_LDAP_ROLENAME
       The name of the attribute containing the role name.
   STATELESS_LDAP_ROLESEARCH
       The attribute to search for roles.
   STATELESS_LDAP_ACCESS
       The role that allows access to the Matillion ETL application, e.g. Emerald.
   STATELESS_LDAP_ADMIN
       The role that allows administrator access to the Matillion ETL application, e.g. Emerald_Admin.
   STATELESS_LDAP_PROJECTADMIN
       The role that allows Project administrator access to the Matillion ETL application, e.g. Emerald_Project_Admin.
   STATELESS_LDAP_API
       The role that allows Matillion ETL API access, e.g. Emerald_API.
   STATELESS_LDAP_READONLY
       The role that allows read-only access to the Matillion ETL application, e.g. Emerald_Read_Only.
   STATELESS_LDAP_NESTED
       false
   STATELESS_LDAP_ROLESUBTREE
       Sets the scope of the role search. Set to true to search the entire subtree rooted at the "User Base" entry. The default, false, requests a lone top-level search.
   STATELESS_LDAP_USERSUBTREE
       Sets the scope of the user search. Set to true to search the entire subtree rooted at the "User Base" entry. The default, false, requests a lone top-level search.
   VARIABLE_AUTHENTICATION
       Must be set to true.

4. Save and close the file.

   Note: If you are using version 1.77 or higher, skip directly to step 8. From version 1.77, the settings in the Emerald.properties file take precedence over the /etc/sysconfig/tomcat file.

5. Open the following file for editing:

   /etc/sysconfig/tomcat

6. Ensure the following variables are set:

   MTLN_PERSISTENCE_URL_POSTGRES="jdbc:postgresql://<DatabaseAddress>:<Port>/DatabaseName"
   MTLN_PERSISTENCE_USERNAME_POSTGRES=<username>
   MTLN_PERSISTENCE_PASSWORD_POSTGRES=<password>

   Here the MTLN_PERSISTENCE_URL_POSTGRES address points to the fully qualified domain name (FQDN) of your persistence database; a port may or may not be required, depending on your setup. HA/clustered deployments must provide the details of their external Postgres database. For single-node deployments, this database is typically on the instance itself and should have the following values:

   MTLN_PERSISTENCE_URL_POSTGRES="jdbc:postgresql://127.0.0.1/postgres"
   MTLN_PERSISTENCE_USERNAME_POSTGRES=postgres
   MTLN_PERSISTENCE_PASSWORD_POSTGRES=postgres

7. Save and close the file.

8. If this is done before launching the instance then there is no need for a restart. Otherwise, restart your tomcat service for your changes to take effect:

   systemctl restart tomcat
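Because a typo in either file only shows up as a failed login after the restart, it is worth checking the settings before step 8. The script below is an added example written for this page, not a Matillion tool: it parses the key=value lines of Emerald.properties and /etc/sysconfig/tomcat, reports keys that are missing, still hold a template placeholder such as <LDAP-server>, are not set to true where the table above requires it, or give an LDAP port other than 389/636. The host, realm, base DNs, attribute names and credentials in the sample files are constructed, and treating anything other than ASCII letters and digits as a "special character" is this example's reading of the password advice above.

```python
"""Pre-flight check for the stateless LDAP settings described on this page.
Added example, not Matillion's own tooling."""
import re
from urllib.parse import urlsplit

# Keys the page says must be literally "true".
MUST_BE_TRUE = ("STATELESS_CONFIGURATION", "STATELESS_LDAP_ENABLE",
                "VARIABLE_AUTHENTICATION")
# Keys that need a real value for the initial bind and the user/role searches.
REQUIRED = ("STATELESS_LDAP_NAME", "SEC_STATELESS_LDAP_PASSWORD",
            "STATELESS_LDAP_URL", "STATELESS_LDAP_BASES", "STATELESS_LDAP_SEARCH",
            "STATELESS_LDAP_ROLEBASE", "STATELESS_LDAP_ROLENAME",
            "STATELESS_LDAP_ROLESEARCH", "STATELESS_LDAP_ACCESS")
PERSISTENCE = ("MTLN_PERSISTENCE_URL_POSTGRES", "MTLN_PERSISTENCE_USERNAME_POSTGRES",
               "MTLN_PERSISTENCE_PASSWORD_POSTGRES")
PLACEHOLDER = re.compile(r"<[^>]+>")  # an unreplaced <LDAP-server>, <password>, ...


def parse_kv(text):
    """Parse key=value lines (properties or sysconfig style), skipping comments
    and stripping surrounding quotes; a later duplicate key overwrites an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")  # DNs contain '=', so split only once
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings[key.strip()] = value
    return settings


def check_required(settings, keys):
    """Report keys that are absent, empty, or still hold a <placeholder>."""
    problems = []
    for key in keys:
        value = settings.get(key, "")
        if not value:
            problems.append(f"{key} is missing or empty")
        elif PLACEHOLDER.search(value):
            problems.append(f"{key} still contains a placeholder: {value}")
    return problems


def check_emerald(settings):
    """Problems in Emerald.properties that would break the LDAP bind or search."""
    problems = [f"{k} must be set to true" for k in MUST_BE_TRUE
                if settings.get(k, "").lower() != "true"]
    problems += check_required(settings, REQUIRED)
    url = settings.get("STATELESS_LDAP_URL", "")
    if url and not PLACEHOLDER.search(url):
        parts = urlsplit(url)
        try:
            port = parts.port
        except ValueError:  # non-numeric port
            port = None
        if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
            problems.append("STATELESS_LDAP_URL must look like ldap://<LDAP-server>:<port>")
        elif port not in (389, 636):
            problems.append("STATELESS_LDAP_URL port must be 389 (non-SSL) or 636 (SSL)")
    # The page advises against special characters in the bind password; this
    # example treats anything other than ASCII letters and digits as special.
    password = settings.get("SEC_STATELESS_LDAP_PASSWORD", "")
    if password and not re.fullmatch(r"[A-Za-z0-9]+", password):
        problems.append("SEC_STATELESS_LDAP_PASSWORD contains special characters")
    return problems


def check_tomcat(settings):
    """Problems in the /etc/sysconfig/tomcat persistence settings."""
    problems = check_required(settings, PERSISTENCE)
    url = settings.get("MTLN_PERSISTENCE_URL_POSTGRES", "")
    if url and not url.startswith("jdbc:postgresql://"):
        problems.append("MTLN_PERSISTENCE_URL_POSTGRES must be a jdbc:postgresql:// URL")
    return problems


# Constructed sample files: host, realm, base DNs, attributes and credentials are made up.
EMERALD_OK = """\
STATELESS_CONFIGURATION=true
STATELESS_LDAP_ENABLE=true
STATELESS_LDAP_NAME=svc_matillion@EXAMPLE.LOCAL
SEC_STATELESS_LDAP_PASSWORD=BindPass2024
STATELESS_LDAP_URL=ldap://dc01.example.local:389
STATELESS_LDAP_BASES=CN=Users,DC=example,DC=local
STATELESS_LDAP_SEARCH=sAMAccountName
STATELESS_LDAP_ROLEBASE=CN=Users,DC=example,DC=local
STATELESS_LDAP_ROLENAME=cn
STATELESS_LDAP_ROLESEARCH=member
STATELESS_LDAP_ACCESS=Emerald
VARIABLE_AUTHENTICATION=true
"""
# The same file with three mistakes: LDAP disabled, template URL left in, special characters.
EMERALD_BAD = (EMERALD_OK.replace("STATELESS_LDAP_ENABLE=true", "STATELESS_LDAP_ENABLE=false")
               .replace("ldap://dc01.example.local:389", "ldap://<LDAP-server>:<port>")
               .replace("BindPass2024", "p@ss#word"))
# The single-node defaults given on the page.
TOMCAT_OK = """\
MTLN_PERSISTENCE_URL_POSTGRES="jdbc:postgresql://127.0.0.1/postgres"
MTLN_PERSISTENCE_USERNAME_POSTGRES=postgres
MTLN_PERSISTENCE_PASSWORD_POSTGRES=postgres
"""

if __name__ == "__main__":
    for label, text in (("good", EMERALD_OK), ("bad", EMERALD_BAD)):
        print(label, check_emerald(parse_kv(text)) or "OK")
    print("tomcat", check_tomcat(parse_kv(TOMCAT_OK)) or "OK")
```

On the instance itself, feed the real files in with `check_emerald(parse_kv(open("/usr/share/emerald/WEB-INF/classes/Emerald.properties").read()))` and likewise `check_tomcat` on /etc/sysconfig/tomcat; an empty list means nothing obviously wrong was found, and the restart in step 8 can go ahead. The placeholder check matters most in practice: copying the template lines from the table and forgetting to fill in one angle-bracket value is the usual cause of an instance that silently rejects every login.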