Hadoop Security Guide

Enabling User Authentication with Search Bind

Settings related to LDAP are in the LDAP section of the Hue configuration file, /etc/hue/conf/hue.ini:

[desktop] 
    [[ldap]]

There are two ways to authenticate users by using the LDAP directory service in Hue:

  • Search Bind (default)

    Setting the search_bind_authentication property to true in /etc/hue/conf/hue.ini enables LDAP search using the bind credentials specified for the bind_dn and bind_password properties.

    Search bind performs an LDAP search against the directory service and then binds by using the found Distinguished Name (DN) and the provided password. The search starts from the base DN specified for the base_dn property and looks under it for an entry whose attribute named by user_name_attr matches the username provided at login.

    You can restrict the results of this search process by using the user_filter (default value objectclass=*) and user_name_attr (default value sAMAccountName) properties in the [desktop] > [[ldap]] > [[[users]]] section of /etc/hue/conf/hue.ini.

    If you use the default values of user_filter and user_name_attr, the LDAP search filter appears as follows, where <username> is the user name provided on the Hue login page:

    (&(objectClass=*)(sAMAccountName=<username>))
  • Direct Bind

    Setting the search_bind_authentication property to false in /etc/hue/conf/hue.ini enables the LDAP direct bind mechanism to authenticate users. Hue binds to the LDAP server using the user name and password provided on the login page.

    Depending on the value of the nt_domain property, there are two ways that direct bind works:

    • If nt_domain is specified: this property is intended to be used only with the Active Directory (AD) service.

      This property allows Hue to authenticate with AD without having to follow LDAP references to other partitions.

      Hue forms the User Principal Name (UPN) as a concatenation of the user name provided on the Hue login page and the nt_domain property value: for example, <username>@<nt_domain>. The ldap_username_pattern property is ignored.

    • If nt_domain is not specified: this configuration is intended for all other directory services.

      Without the nt_domain property specified, the ldap_username_pattern appears as follows, where <username> is the user name provided on the Hue login page:

      uid=<username>,ou=People,dc=mycompany,dc=com
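As an added example (not Hue's code), the following Python models the LDAP operation Hue performs in each of the two modes above from constructed hue.ini values, escaping the login name so that filter or DN metacharacters typed on the login page are matched literally rather than changing the search or the bind DN. The names HUE_LDAP, escape_filter_value, escape_dn_value, search_bind_filter, direct_bind_name and with_settings, and all setting values, are assumptions.

```python
# Added example, not Hue's code: models the two Hue LDAP modes described above.
# Settings below mirror [desktop] > [[ldap]] in hue.ini; all values are constructed.
from copy import deepcopy

HUE_LDAP = {
    "search_bind_authentication": True,
    "bind_dn": "uid=hue,ou=Services,dc=mycompany,dc=com",   # constructed service account
    "base_dn": "dc=mycompany,dc=com",
    "nt_domain": "",                                        # empty: not Active Directory
    "ldap_username_pattern": "uid=<username>,ou=People,dc=mycompany,dc=com",
    "users": {"user_filter": "objectclass=*", "user_name_attr": "sAMAccountName"},
}

# RFC 4515: characters that would change the structure of a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
# RFC 4514: characters that must be escaped inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """Escape a login name so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a login name so it stays a single RDN value inside a DN."""
    chars = ["\\" + ch if ch in _DN_SPECIAL else ch for ch in value]
    if chars and chars[0] in ("#", " "):      # a leading '#' or space is special
        chars[0] = "\\" + chars[0]
    if len(chars) > 1 and chars[-1] == " ":   # so is a trailing space
        chars[-1] = "\\ "
    return "".join(chars)


def search_bind_filter(username: str, cfg: dict = HUE_LDAP) -> str:
    """Filter searched under base_dn when search_bind_authentication is true."""
    users = cfg["users"]
    user_filter = users["user_filter"]
    if not user_filter.startswith("("):       # the hue.ini default carries no parentheses
        user_filter = f"({user_filter})"      # attribute names are case-insensitive in LDAP
    return f"(&{user_filter}({users['user_name_attr']}={escape_filter_value(username)}))"


def direct_bind_name(username: str, cfg: dict = HUE_LDAP) -> str:
    """Name Hue binds as when search_bind_authentication is false."""
    if cfg["nt_domain"]:                      # AD: UPN, ldap_username_pattern is ignored
        return f"{username}@{cfg['nt_domain']}"
    return cfg["ldap_username_pattern"].replace("<username>", escape_dn_value(username))


def with_settings(**overrides) -> dict:
    """Copy of HUE_LDAP with top-level settings replaced, to try the other mode."""
    cfg = deepcopy(HUE_LDAP)
    cfg.update(overrides)
    return cfg
```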