Knox Gateway Administration Guide

Example Active Directory Configuration

Typically the AD main.ldapRealm.userDnTemplate value looks slightly different from the OpenLDAP one. A value for main.ldapRealm.userDnTemplate is only required if AD authentication requires the full user DN.

Note

If Active Directory allows authentication based on the Common Name (CN) and password only, then no value is required for main.ldapRealm.userDnTemplate.

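<!-- Example Knox ShiroProvider configuration for Active Directory. -->
<provider>
  <role>authentication</role>
  <name>ShiroProvider</name>
  <enabled>true</enabled>

  <param>
    <name>main.ldapRealm</name>
    <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
  </param>

  <param>
    <name>main.ldapContextFactory</name>
    <!-- The original listing dropped the opening '<' of this value tag, leaving the fragment malformed. -->
    <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
  </param>

  <param>
    <name>main.ldapRealm.contextFactory</name>
    <value>$ldapContextFactory</value>
  </param>

  <param>
    <name>main.ldapRealm.contextFactory.url</name>
    <!-- Plain ldap:// on 389 combined with a simple bind sends the service-account and end-user
         passwords unencrypted between Knox and the directory. Prefer ldaps:// (or StartTLS) where
         the directory supports it; replace the placeholder host with the real server. -->
    <value>ldap://active-directory-server-ip:389</value>
  </param>

  <param>
    <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
    <value>simple</value>
  </param>

  <param>
    <name>main.ldapRealm.userSearchAttributeName</name>
    <!-- AD logon name used to locate the user entry. -->
    <value>sAMAccountName</value>
  </param>

  <param>
    <name>main.ldapRealm.authorizationEnabled</name>
    <!-- Enables group lookup for the authenticated user via the group settings below. -->
    <value>true</value>
  </param>

  <param>
    <name>main.ldapRealm.contextFactory.systemUsername</name>
    <!-- Placeholder: the DN of a read-only service account used for the user/group search bind. -->
    <value>distinguishedName of LDAP service account</value>
  </param>

  <param>
    <name>main.ldapRealm.contextFactory.systemPassword</name>
    <!-- 'hadoop' is a sample value only. Avoid keeping a plaintext password in the topology file;
         Knox can resolve this value from its credential store through an alias reference
         (see the Knox documentation). -->
    <value>hadoop</value>
  </param>

  <param>
    <name>main.ldapRealm.contextFactory.systemAuthenticationMechanism</name>
    <value>simple</value>
  </param>

  <param>
    <name>main.ldapRealm.userObjectClass</name>
    <value>person</value>
  </param>

  <param>
    <name>main.ldapRealm.searchBase</name>
    <!-- Placeholder: replace with the real search base. -->
    <value>Place In AD Tree to Begin Search – e.g. dc=hadoop,dc=apache,dc=org</value>
  </param>

  <param>
    <name>main.ldapRealm.groupObjectClass</name>
    <value>group</value>
  </param>

  <param>
    <name>main.ldapRealm.memberAttribute</name>
    <value>memberOf</value>
  </param>

  <param>
    <name>main.ldapRealm.memberAttributeValueTemplate</name>
    <!-- NOTE(review): uid={0} is an OpenLDAP-style template; confirm it matches how group
         membership values are stored in this directory before relying on group authorization. -->
    <value>uid={0}</value>
  </param>

  <param>
    <name>main.ldapRealm.groupIdAttribute</name>
    <value>cn</value>
  </param>

  <param>
    <name>urls./**</name>
    <!-- HTTP Basic authentication for every gateway path; the credentials are only protected
         if the gateway itself is served over TLS. -->
    <value>authcBasic</value>
  </param>

  <param>
    <name>sessionTimeout</name>
    <!-- Units not stated on this page; confirm against the Knox documentation. -->
    <value>30</value>
  </param>
</provider>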