
How can I get DataStax' Cassandra to authorize against nested groups in AD?


My client has implemented an RBAC model in Active Directory, using roles and nested functional groups. It's all good.

My client now wants to assign functional groups to Cassandra roles, but the DataStax documentation is somewhat lacking here, and our first impression was that nested groups were out of the question.

Help!


Solution

  • A solution is to use one of Windows Active Directory's magic numbers. Here is an excerpt of the deployed dse.yaml file:

    ldap_options:
        group_search_base: OU=Groups,DC=myorg,DC=org
        group_search_type: directory_search
        group_search_filter: (member:1.2.840.113556.1.4.1941:={0})
        group_name_attribute: cn

    The documentation doesn't clearly explain this, but it appears that {0} expands to the entire distinguished name (DN), which is needed for the nested member search given in group_search_filter.
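
The OID in that filter is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN, which matches transitive rather than direct membership. The sketch below is an added example, not part of the original answer or DataStax code: it models over a constructed directory what the filter returns compared with a plain `(member={0})`, which is a useful check on which Cassandra roles a user effectively receives. All DNs, group names and function names are assumptions, as is the RFC 4515 escaping of the DN (the page does not say whether DSE escapes it).

```python
# Added example: models what the dse.yaml filter asks Active Directory for.
# Every DN and group name below is constructed sample data.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN
BASE = "OU=Groups,DC=myorg,DC=org"
USER = "CN=Jane Doe (DBA),OU=Users,DC=myorg,DC=org"

# group DN -> values of its "member" attribute (users or other groups)
MEMBERS = {
    # fg_dba also lists role_audit as a member: a deliberate nesting cycle
    f"CN=fg_dba,{BASE}": [USER, f"CN=role_audit,{BASE}"],
    f"CN=role_cassandra_admin,{BASE}": [f"CN=fg_dba,{BASE}"],
    f"CN=role_audit,{BASE}": [f"CN=role_cassandra_admin,{BASE}"],
    f"CN=fg_other,{BASE}": ["CN=John Roe,OU=Users,DC=myorg,DC=org"],
}

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(template, user_dn):
    """Expand {0} the way the answer describes: with the user's full DN."""
    return template.replace("{0}", escape_filter_value(user_dn))

def direct_groups(dn):
    """What a plain (member={0}) filter matches: direct membership only."""
    return {g for g, members in MEMBERS.items() if dn in members}

def in_chain_groups(user_dn):
    """What the IN_CHAIN filter matches: every ancestor group, cycle-safe."""
    found, frontier = set(), [user_dn]
    while frontier:
        dn = frontier.pop()
        for group in direct_groups(dn) - found:
            found.add(group)
            frontier.append(group)
    return found

def group_names(group_dns):
    """group_name_attribute: cn -> first RDN value (naive split, sample DNs only)."""
    return sorted(dn.split(",", 1)[0].split("=", 1)[1] for dn in group_dns)

if __name__ == "__main__":
    print(build_filter(f"(member:{IN_CHAIN}:={{0}})", USER))
    print("direct  :", group_names(direct_groups(USER)))
    print("in chain:", group_names(in_chain_groups(USER)))
```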