User Authentication

You can configure cluster authentication. GridGain 9 supports basic and LDAP authentication.

Basic Authentication

To start using basic authentication on the cluster, you need to enable it and create an initial administrator user. By default, the role that grants administrator permissions is called admin, but you can change it in cluster configuration.

Here is an example of a configuration that initializes the cluster and enables security on it:

  • Prepare a cluster configuration file with the security configuration:

    ignite {
      security {
        enabled:true
        authentication {
          providers=[
            {
              name=default
              type=basic
              users=[
                {
                  displayName=administrator
                  password="ignite"
                  roles=[
                    system
                  ]
                  username=ignite
                }
              ]
            }
          ]
        }
      }
    }
  • Initialize the cluster with the license and security configuration:

    cluster init --name=sampleCluster --license=/license.conf --config-files=/cluster-config.conf

When the cluster has been initialized, it has basic authentication configured for the ignite user name and ignite password with system-level access. However, by default security is disabled. To enable it:

cluster config update ignite.security.enabled=true

After authentication is enabled, you are disconnected from the cluster and must reconnect to it:

connect http://127.0.0.1:10300 --username ignite --password ignite

You can change the password for the default user by updating cluster configuration, for example:

cluster config update ignite.security.authentication.providers.default.users.ignite.password=myPass

LDAP Authentication

To start using LDAP authentication on the cluster, add an authentication provider with the ldap type to the ignite.security.authentication.providers list in the cluster configuration. Below is an example configuration in the JSON format.

{
    "ignite": {
        "security": {
            "enabled": true,
            "authentication": {
                "providers": [
                    {
                        "name": "default",
                        "type": "basic",
                        "users": [
                            {
                                "displayName": "administrator",
                                "password": "ignite",
                                "roles": [
                                    "system"
                                ],
                                "username": "ignite"
                            }
                        ]
                    },
                    {
                        "name": "ldap",
                        "type": "ldap",
                        "url": "ldap://ldap.example.com:1389",
                        "userSearch": {
                            "dn": "ou=People,dc=example,dc=com",
                            "scope": "SUB_TREE",
                            "filter": "",
                            "groupAttribute": "memberof"
                        },
                        "groupSearch": {
                            "dn": "ou=Groups,dc=example,dc=com",
                            "scope": "SUB_TREE",
                            "filter": "",
                            "userAttribute": "member"
                        },
                        "roleMapping": [
                            {
                                "groupName": "Database Administrators",
                                "roles": ["system"]
                            },
                            {
                                "groupName": "Software Developers",
                                "roles": ["developer"]
                            }
                        ]
                    }
                ]
            }
        }
    }
}

When a user authenticates, GridGain binds to the LDAP server as cn=<username>,<userSearch.dn> with the provided password, and then resolves the user’s groups.

Parameter Description

name

The name of the authentication provider.

type

The authentication provider type. Must be ldap for LDAP authentication.

url

The URL of the LDAP server. Supported URL schemes: ldap, ldaps.

userSearch

Configuration of the user search. GridGain searches for the user being authenticated in the specified container.

userSearch.dn

The DN of the container to search for users.

userSearch.scope

The scope of the search. Possible values: SUB_TREE, ONE_LEVEL, BASE. Default value: SUB_TREE.

userSearch.filter

A filter used when searching for the user. {0} is replaced by the username supplied at login. Default value: (uid={0}).

userSearch.groupAttribute

An attribute of the user entry checked for group membership. If not empty, GridGain reads the user’s groups from this attribute and ignores groupSearch.

groupSearch

Configuration of the group search. Used to find the user’s groups when userSearch.groupAttribute is empty.

groupSearch.dn

The DN of the container to search for groups.

groupSearch.scope

The scope of the search. Possible values: SUB_TREE, ONE_LEVEL, BASE. If ONE_LEVEL is specified, only objects directly contained in the dn are searched. If SUB_TREE is specified, all objects under the dn are searched. If BASE is specified, only the object at the dn itself is searched. Default value: SUB_TREE.

groupSearch.filter

A filter used when searching for the user’s groups. {0} is replaced by the value of the user attribute defined in groupSearch.userAttribute. Default value: (|(member={0})(memberOf={0})(memberUid={0})).

groupSearch.userAttribute

The user attribute provided as the parameter to the filter. Empty by default; in this case, the user DN in the cn=<username>,<userSearch.dn> form is used as the filter parameter. If the attribute has multiple values on a user entry, GridGain performs a group lookup for each value and returns all matched groups combined.

roleMapping

A list of mappings of LDAP groups to GridGain roles. A group without a mapping is mapped to the GridGain role with the same name, so an LDAP group named like an existing role grants that role without an explicit entry in this list.

roleMapping.groupName

The name of the LDAP group to map. When groups are resolved through groupSearch, the group name is the value of the cn attribute of the group entry.

roleMapping.roles

The list of GridGain roles assigned to users in the group.
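To make the resolution rules above concrete, here is an added Python example (not GridGain code) that simulates how a provider configured like the one above turns a login into a role set: the cn=<username>,<userSearch.dn> bind DN, the userSearch filter, the groupAttribute shortcut versus groupSearch with its scope and default filter, and the fallback that maps an unmapped group to a same-named role. It runs against a constructed in-memory directory; the equality-only filter matcher and the assumption that groupAttribute values are group DNs are simplifications of my own, and groupSearch.userAttribute is left empty so the user DN is used as the filter parameter.

```python
import re

PEOPLE, GROUPS = "ou=People,dc=example,dc=com", "ou=Groups,dc=example,dc=com"
DIRECTORY = {  # constructed in-memory directory (DN -> attributes), not a real server
    f"cn=alice,{PEOPLE}": {"uid": ["alice"], "memberof": [f"cn=Database Administrators,{GROUPS}"]},
    f"cn=bob,{PEOPLE}": {"uid": ["bob"]},
    f"cn=Database Administrators,{GROUPS}": {"cn": ["Database Administrators"],
                                              "member": [f"cn=alice,{PEOPLE}"]},
    f"cn=Software Developers,{GROUPS}": {"cn": ["Software Developers"], "member": [f"cn=bob,{PEOPLE}"]},
    f"cn=auditors,ou=Teams,{GROUPS}": {"cn": ["auditors"], "member": [f"cn=bob,{PEOPLE}"]},  # nested
}
PROVIDER = {  # the ldap provider from the configuration above (userAttribute left empty)
    "userSearch": {"dn": PEOPLE, "scope": "SUB_TREE", "filter": "", "groupAttribute": "memberof"},
    "groupSearch": {"dn": GROUPS, "scope": "SUB_TREE", "filter": "", "userAttribute": ""},
    "roleMapping": [{"groupName": "Database Administrators", "roles": ["system"]},
                    {"groupName": "Software Developers", "roles": ["developer"]}],
}
EQ_TERM = re.compile(r"\(([\w-]+)=([^()]*)\)")

def matches(entry, filt, param):  # equality-only matcher; exact for the page's default filters
    terms = EQ_TERM.findall(filt.replace("{0}", param))
    return any(v in entry.get(a.lower(), []) for a, v in terms)

def in_scope(dn, base, scope):  # SUB_TREE / ONE_LEVEL / BASE as described above
    if scope == "BASE":
        return dn == base
    return dn.endswith("," + base) and (scope == "SUB_TREE" or "," not in dn[: -len(base) - 1])

def resolve_roles(provider, username):
    """Role set for username per the rules above, or None if the user is not found."""
    us, gs = provider["userSearch"], provider["groupSearch"]
    user_dn = f"cn={username},{us['dn']}"  # the bind DN form described above
    user = DIRECTORY.get(user_dn)
    if user is None or not matches(user, us.get("filter") or "(uid={0})", username):
        return None
    if us.get("groupAttribute"):  # groups read from the user entry; groupSearch is ignored
        # assumed: the attribute holds group DNs, so the group name is the leading cn value
        groups = {v.split(",", 1)[0].split("=", 1)[1] for v in user.get(us["groupAttribute"].lower(), [])}
    else:
        attr = gs.get("userAttribute", "")
        params = user.get(attr.lower(), []) if attr else [user_dn]  # multi-valued: one lookup per value
        filt = gs.get("filter") or "(|(member={0})(memberOf={0})(memberUid={0}))"
        groups = {e.get("cn", [dn])[0] for dn, e in DIRECTORY.items()
                  if in_scope(dn, gs["dn"], gs.get("scope", "SUB_TREE"))
                  and any(matches(e, filt, p) for p in params)}
    mapping = {m["groupName"]: m["roles"] for m in provider.get("roleMapping", [])}
    return {r for g in groups for r in mapping.get(g, [g])}  # unmapped group -> same-named role
```

Clearing groupAttribute on PROVIDER switches bob from no roles (his entry has no memberof) to developer plus the unmapped auditors role, and ONE_LEVEL scope then drops the nested auditors group again.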

You can provide the LDAP configuration the same way as the basic authentication configuration: by passing the configuration file during cluster initialization, or by updating the configuration of a running cluster with the cluster config update command.