Configuring Cloudbreak for LDAP/AD Authentication
By default Cloudbreak uses an internal system as the user store for authentication (enabled by using CloudFoundry UAA). If you would like to configure LDAP or Active Directory (AD) external authentication, you need to:
- Collect the following information about your LDAP/AD setup
- Configure Cloudbreak to work with that LDAP/AD setup
LDAP/AD Information
The following table details the properties and values that you need to know about your LDAP/AD environment in order to use LDAP/AD with Cloudbreak:

| Parameter | Description | Example |
|---|---|---|
| base | | |
| url | The LDAP URL with port | ldap://10.0.3.128:389/ |
| userDn | Enter the root Distinguished Name to search in the directory for users. | cn=Administrator,ou=srv,dc=hortonworks,dc=local |
| password | Enter your root Distinguished Name password. | MyPassword1234! |
| searchBase | Enter your LDAP user search base. This defines the location in the directory from which the LDAP search begins. | ou=Users,dc=hortonworks,dc=local |
| searchFilter | Enter the attribute for which to conduct a search on the user base. | mail={0} |
| groups | | |
| searchBase | Enter your LDAP group search base. This defines the location in the directory from which the LDAP search begins. | ou=Groups,dc=hortonworks,dc=local |
| groupSearchFilter | Enter the attribute for which to conduct a search on the group base. | member={0} |
Configuring Cloudbreak for LDAP/AD
There are two parts to configuring Cloudbreak for LDAP/AD:
- Configuring LDAP/AD user authentication for Cloudbreak
- Configuring LDAP/AD group authorization for Cloudbreak
Configure User Authentication
Configure LDAP/AD user authentication for Cloudbreak by using these steps.
Steps
- On the Cloudbreak host, browse to /var/lib/cloudbreak-deployment.
- Create a new file called uaa-changes.yml. The name of this file can be customized by setting the following in Profile:

```
export UAA_SETTINGS_FILE=myldap.yml
```

- In the YAML file, enter the following using your LDAP/AD information. Next, save the file and restart Cloudbreak.

```yaml
spring_profiles: postgresql,ldap
ldap:
  profile:
    file: ldap/ldap-search-and-bind.xml
  base:
    url: ldap://10.0.3.138:389
    userDn: cn=Administrator,ou=srv,dc=hortonworks,dc=local
    password: 'mypassword'
    searchBase: ou=Users,dc=hortonworks,dc=local
    searchFilter: mail={0}
  groups:
    file: ldap/ldap-groups-map-to-scopes.xml
    searchBase: ou=Groups,dc=hortonworks,dc=local
    searchSubtree: false
    maxSearchDepth: 1
    groupSearchFilter: member={0}
    autoAdd: true
```
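As an added example (not Cloudbreak or UAA project code), the following checker reads a uaa-changes.yml of the shape shown above before Cloudbreak is restarted with it: it verifies that the fields from the LDAP/AD table are present, that the ldap profile is enabled, that each search filter carries its {0} placeholder, and it flags a plain ldap:// URL because simple-bind credentials travel unencrypted unless TLS is used. It also shows what a {0} filter template renders to for a given login value, with RFC 4515 escaping. The file layout it parses and the sample values used in its checks are assumptions taken from the snippet above.

```python
# Added example, not Cloudbreak project code. Checks a uaa-changes.yml of the
# shape shown above. No external libraries; the parser handles only the nested
# "key: value" subset that file uses.

REQUIRED = {  # the fields the LDAP/AD table above asks you to collect
    "ldap.base.url", "ldap.base.userDn", "ldap.base.password",
    "ldap.base.searchBase", "ldap.base.searchFilter",
    "ldap.groups.searchBase", "ldap.groups.groupSearchFilter",
}

def parse_simple_yaml(text):
    """Flatten indented 'key: value' YAML into {'ldap.base.url': ...}."""
    out, stack = {}, []  # stack: (indent, key) of the currently open mappings
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if value.strip():
            out[path] = value.strip().strip("'\"")  # unquote 'mypassword'
        else:
            stack.append((indent, key))  # a key with no value opens a mapping
    return out

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into an LDAP search filter."""
    return "".join(c if c not in "\\*()\x00" else "\\%02x" % ord(c) for c in value)

def render_filter(template, value):
    """Show what searchFilter 'mail={0}' becomes for a given login value."""
    return template.replace("{0}", escape_filter_value(value))

def check_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_simple_yaml(text)
    findings = []
    if "ldap" not in cfg.get("spring_profiles", "").split(","):
        findings.append("spring_profiles does not enable the ldap profile")
    findings += ["missing " + key for key in sorted(REQUIRED - cfg.keys())]
    if cfg.get("ldap.base.url", "").startswith("ldap://"):
        findings.append("ldap.base.url is plain ldap://; bind credentials "
                        "are sent unencrypted unless TLS is used")
    for key in ("ldap.base.searchFilter", "ldap.groups.groupSearchFilter"):
        if "{0}" not in cfg.get(key, "{0}"):
            findings.append(key + " has no {0} placeholder")
    return findings
```

Run check_config on the file contents; with the snippet above as input the only finding is the plain ldap:// URL, which is the expected result for a directory reached over TLS on ldaps:// instead.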
Configure Group Authorization
Once user authentication is configured, you need to configure which group(s) can access Cloudbreak. Users (once authenticated) will be granted permission to access Cloudbreak and use its capabilities based on their group membership. The following describes how to create a group authorization (execute-ldap-mapping) and how to remove one (delete-ldap-mapping).
To create a group authorization, execute the following (for example, to add the "Analysts" group):

```
cbd util execute-ldap-mapping cn=Analysts,ou=Groups,dc=hortonworks,dc=local
```
To remove a group authorization, execute the following (for example, to remove the "Analysts" group):

```
cbd util delete-ldap-mapping cn=Analysts,ou=Groups,dc=hortonworks,dc=local
```