User Authentication

You can configure cluster authentication. In the Community edition, basic authentication is available, and Enterprise and Ultimate editions add support for LDAP authentication.

Basic Authentication

To start using basic authentication on the cluster, you need to enable it and create an initial administrator user. By default, the role that grants administrator permissions is called admin, but you can change it in cluster configuration.

Here is an example of configuration that initializes the cluster and enables security on it:

Prepare cluster configuration file with security configuration:

ignite {
  security {
    enabled:true
	authentication {
	  providers=[
	    {
          name=default
          type=basic
          users=[
            {
              displayName=administrator
              password="ignite"
              roles=[
                system
              ]
              username=ignite
            }
          ]
        }
      ]
    }
  }
}

Initialize the cluster with the license and security configuration:

cluster init --name=sampleCluster --license=/license.conf --config-files=/cluster-config.conf

When cluster has been initialized, it has basic authorization configured for ignite user name and ignite password with system level access. However, by default security is disabled. To enable it:

cluster config update ignite.security.enabled=true

After authorization is enabled, you will be disconnected from the cluster and must reconnect to the cluster:

connect http://127.0.0.1:10300 --username ignite --password ignite

You can change the password for the default user by updating cluster configuration, for example:

cluster config update  ignite.security.authentication.providers.default.users.ignite.password=myPass

LDAP Authentication

To start using LDAP authentication on the cluster, you need to enable LDAP security provider on the cluster. Below is the configuration in the JSON format.

{
    "ignite" : {
        "ldap: : {
            "url" : "ldap://server:port",
            "userSearch" : {
                "dn" : "*******",
                "scope" : <SUB_TREE|ONE_LEVEL|BASE>,
                "filter" : "",
                "groupAttribute" : "memberof"
            },
            "groupSearch" : {
                "dn" : "*****",
                "scope" : "<SUB_TREE|ONE_LEVEL|BASE>",
                "filter" : "",
                "userAttribute" : ""
            },
            "roleMapping" : {
                "*Ldap group*" : [list of GG roles]
            }
        }
    }
}

Parameter Description

Parameter	Description
`url`	The URL of the LDAP server.
`userSearch`	Configuration of user-specific LDAP authentication. If configured, GridGain will search for specified users and then match them to required group attributes.
`userSearch.dn`	The DN of the container to search for users.
`userSearch.scope`	The scope of the search. Possible values: `SUB_TREE`, `ONE_LEVEL`, `BASE`.
`userSearch.filter`	A filter used when searching for the username. Default value: (uid={0}), with the username provided when searching.
`userSearch.groupAttribute`	An attribute checked for group membership. Ignored if `groupSearch` is specified.
`groupSearch`	If specified, users are searched only in the matching groups.
`groupSearch.dn`	The DN of the container to search.
`groupSearch.scope`	The scope of the search. Possible values: `SUB_TREE`, `ONE_LEVEL`, `BASE`. If `ONE_LEVEL` is specified, only searches objects directly contained within the dn. If `SUB_TREE` is specified, searches all objects contained under the dn. If `BASE` is specified, the specified group is searched. Default value: `SUB_TREE`.
`groupSearch.filter`	A filter used when searching for the username. If empty, all `group`, `groupOfNames`, `groupOfUniqueNames`, or `posixGroup` are searched. If `{0}` is specified, it is replaced by user attribute defined in group_search.userAttribute. Empty by default.
`groupSearch.userAttribute`	The user attribute provided as the parameter to the filter. Empty by default.
`roleMapping`	Mapping of LDAP groups to GridGain roles. If not specified, the groups are mapped to roles with matching names.

url

The URL of the LDAP server.

userSearch

Configuration of user-specific LDAP authentication. If configured, GridGain will search for specified users and then match them to required group attributes.

userSearch.dn

The DN of the container to search for users.

userSearch.scope

The scope of the search. Possible values: SUB_TREE, ONE_LEVEL, BASE.

userSearch.filter

A filter used when searching for the username. Default value: (uid={0}), with the username provided when searching.

userSearch.groupAttribute

An attribute checked for group membership. Ignored if groupSearch is specified.

groupSearch

If specified, users are searched only in the matching groups.

groupSearch.dn

The DN of the container to search.

groupSearch.scope

The scope of the search. Possible values: SUB_TREE, ONE_LEVEL, BASE. If ONE_LEVEL is specified, only searches objects directly contained within the dn. If SUB_TREE is specified, searches all objects contained under the dn. If BASE is specified, the specified group is searched. Default value: SUB_TREE.

groupSearch.filter

A filter used when searching for the username. If empty, all group, groupOfNames, groupOfUniqueNames, or posixGroup are searched. If {0} is specified, it is replaced by user attribute defined in group_search.userAttribute. Empty by default.

groupSearch.userAttribute

The user attribute provided as the parameter to the filter. Empty by default.

roleMapping

Mapping of LDAP groups to GridGain roles. If not specified, the groups are mapped to roles with matching names.

You can provide LDAP configuration in a similar way you provide basic authentication configuration.

© 2026 GridGain Systems, Inc. All Rights Reserved. Privacy Policy | Legal Notices. GridGain® is a registered trademark of GridGain Systems, Inc.
Apache, Apache Ignite, the Apache feather and the Apache Ignite logo are either registered trademarks or trademarks of The Apache Software Foundation.

Last updated on Feb 20, 2026