IBM Support

LDAP server password change with zero downtime

How To


Summary

When rotating LDAP bind passwords for DataStax Enterprise (DSE) nodes, changing the password on the existing account causes immediate authentication failures across all nodes using the old credentials, resulting in an outage. The solution requires creating a transition window using one of several strategies.


Objective

Rotate LDAP bind passwords for DSE clusters without causing service disruption or authentication failures by implementing a controlled transition strategy that maintains valid credentials throughout the update process.


Environment

Production


Steps

Please note, you have two options to change the password in DSE:

  1. Modify the LDAP password in dse.yaml, then perform a rolling restart of the nodes.
  2. Alternatively, make the change dynamically using JMX. Instructions are located here. Also update dse.yaml so that the new password is picked up on the next restart.

To change your LDAP password with zero downtime, choose one of the following options:

Use a Second Bind Account (Zero Downtime)

1. Create a new LDAP service account (e.g., `dse_bind_v2`)
2. Grant the new account identical permissions to the existing bind account
3. Update DSE configuration files (`cassandra.yaml` / `dse.yaml`) to reference the new account credentials
4. Perform a rolling restart of the cluster (one node at a time)
5. Verify all nodes authenticate successfully with the new account
6. Remove or rotate the old account after confirming stable operation

Temporary Dual Password (if LDAP supports it)

1. Configure LDAP to accept both old and new passwords simultaneously
2. Update DSE node configurations gradually with the new password
3. Perform rolling restarts across the cluster
4. Remove the old password from LDAP after all nodes are updated

Fast Rolling Change (Small Disruption Expected)

1. Change the LDAP password on the existing account
2. Immediately update DSE configuration files on all nodes
3. Execute a rolling restart across the cluster
4. Monitor for authentication failures during the transition window
5. Verify all nodes recover after restart

Increase LDAP Cache TTL (Temporary Buffer; Disruption Possible if the Cache Flushes)

1. Before password rotation, increase `credentials_validity_in_ms` and `search_validity_in_ms` in DSE configuration
2. Restart nodes to apply cache settings
3. Proceed with password rotation using one of the above methods
4. Restore original cache settings after successful rotation
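As an added example (not from this IBM document and not a DSE tool), the following Python applies the configuration edits these strategies call for: raising the cache TTLs, switching a node's dse.yaml to the second bind account, and checking a fleet of configs for nodes still on the old DN before the rolling restart. The ldap_options key names and the sample dse.yaml fragment are assumptions, and a missing key is treated as an error so a node is never left silently on the old credentials.

```python
import re
# Constructed sample dse.yaml fragment, not a real node's file; the ldap_options
# key names used below are assumed to match the DSE layout.
SAMPLE_DSE_YAML = """\
cluster_name: prod
ldap_options:
    search_dn: cn=dse_bind,ou=svc,dc=example,dc=com
    search_password: OldSecret1
    credentials_validity_in_ms: 0
    search_validity_in_ms: 0
other_section:
    search_password: unrelated-value
"""

def _set_ldap_option(yaml_text, key, value):
    """Rewrite one key inside the ldap_options block only, keeping indentation.
    Raises if the key is absent so a node can never silently keep the old value."""
    lines = yaml_text.splitlines(keepends=True)
    in_block = False
    for i, line in enumerate(lines):
        if re.match(r"^ldap_options:\s*$", line):
            in_block = True
            continue
        if in_block and line.strip() and not line[0].isspace():
            in_block = False  # a new top-level key ends the block
        if in_block:
            m = re.match(rf"^(\s+{re.escape(key)}:\s*)(.*)$", line)
            if m:
                lines[i] = f"{m.group(1)}{value}\n"
                return "".join(lines)
    raise ValueError(f"ldap_options.{key} not found")

def rotate_bind_account(yaml_text, new_dn, new_password):
    """Point the node at the second bind account (step 3 of that strategy)."""
    text = _set_ldap_option(yaml_text, "search_dn", new_dn)
    return _set_ldap_option(text, "search_password", new_password)

def set_cache_ttls(yaml_text, credentials_ms, search_ms):
    """Raise the LDAP cache TTLs before rotation, or restore them afterwards."""
    text = _set_ldap_option(yaml_text, "credentials_validity_in_ms", str(credentials_ms))
    return _set_ldap_option(text, "search_validity_in_ms", str(search_ms))

def nodes_still_on_old_account(configs, old_dn):
    """Fleet check before the rolling restart: nodes whose dse.yaml still names old_dn."""
    dn_line = re.compile(r"^[ \t]+search_dn:[ \t]*(.*?)[ \t]*$", re.M)
    return [node for node, text in configs.items()
            if (m := dn_line.search(text)) is None or m.group(1) == old_dn]
```

Run `nodes_still_on_old_account` over the rewritten files from every node before step 4, and restart only when it returns an empty list.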

Document Location

Worldwide


Document Information

Modified date:
31 March 2026

UID

ibm17268196