Enabling User Authentication with Search Bind
Settings related to LDAP are in the LDAP section of the Hue configuration file, /etc/hue/conf/hue.ini:
[desktop]
  [[ldap]]
There are two ways to authenticate users by using the LDAP directory service in Hue: search bind (the default) and direct bind.
Search Bind (default)
Setting the search_bind_authentication property to true in /etc/hue/conf/hue.ini enables LDAP search using the bind credentials specified for the bind_dn and bind_password properties. Search bind performs an LDAP search against the directory service and then binds as the entry it found, using that entry's Distinguished Name (DN) and the password provided at login. The search starts from the base DN specified for the base_dn property and looks for an entry whose attribute named in user_name_attr matches the user name provided at login.
You can restrict the results of this search by using the user_filter (default value objectclass=*) and user_name_attr (default value sAMAccountName) properties in the [desktop] > [[ldap]] > [[[users]]] section of /etc/hue/conf/hue.ini. If you use the default values of user_filter and user_name_attr, the LDAP search filter appears as follows, where <username> is the user name provided on the Hue login page:
(&(objectClass=*)(sAMAccountName=<username>))
Direct Bind
Setting the search_bind_authentication property to false in /etc/hue/conf/hue.ini enables the LDAP direct bind mechanism to authenticate users. Hue binds to the LDAP server using the user name and password provided on the login page. Depending on the value of the nt_domain property, there are two ways that direct bind works:
nt_domain specified: this form is intended to be used only with the Active Directory (AD) service. It allows Hue to authenticate with AD without having to follow LDAP referrals to other partitions. Hue forms the User Principal Name (UPN) as a concatenation of the user name provided on the Hue login page and the nt_domain property value, for example <username>@<nt_domain>. The ldap_username_pattern property is ignored.
nt_domain not specified: this form is intended to be used with all other directory services. Without the nt_domain property, Hue substitutes the user name provided on the login page into ldap_username_pattern, which appears as follows, where <username> is the user name provided on the Hue login page:
uid=<username>,ou=People,dc=mycompany,dc=com
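The two login flows described on this page, search bind and both forms of direct bind, worked through against an in-memory stand-in for the directory. This is an added example and is not Hue's own code (Hue delegates to django-auth-ldap); the FakeDirectory class, the sample entries, DNs and passwords are constructed for the example. It adds the two checks a practitioner would want around the filter the page shows: the login name is escaped per RFC 4515 before it is interpolated into (&(objectClass=*)(sAMAccountName=<username>)), so a name such as "*" or "x)(sAMAccountName=*" cannot rewrite the filter, and a search that returns zero or more than one entry is treated as a failed login rather than binding to the first hit. An empty password is refused before any bind, because an LDAP server treats a simple bind with an empty password as an anonymous bind (RFC 4513, section 5.1.2) and would report success.

```python
import re

# RFC 4515 escaping for values interpolated into an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_search_filter(username, user_filter="objectclass=*", user_name_attr="sAMAccountName"):
    """Filter sent during search bind: (&(<user_filter>)(<user_name_attr>=<username>))."""
    return f"(&({user_filter})({user_name_attr}={escape_filter_value(username)}))"


class FakeDirectory:
    """In-memory stand-in for an LDAP/AD server (constructed for this example)."""
    _TERM = re.compile(r"\(([^=()]+)=([^()]*)\)")

    def __init__(self, entries):
        self.entries = entries  # {dn: {"attrs": {...}, "password": "..."}}

    def bind(self, name, password):
        """Simple bind by DN or, AD-style, by userPrincipalName.
        Empty passwords are refused: a real server would turn them into an anonymous bind."""
        if not name or not password:
            return False
        for dn, entry in self.entries.items():
            upn = entry["attrs"].get("userPrincipalName", "")
            if name.lower() in (dn.lower(), upn.lower()) and entry["password"] == password:
                return True
        return False

    def search(self, base_dn, ldap_filter):
        """Evaluate an AND of equality/presence terms beneath base_dn; return matching DNs."""
        terms = self._TERM.findall(ldap_filter)
        hits = []
        for dn, entry in self.entries.items():
            if not dn.lower().endswith(base_dn.lower()):
                continue
            attrs = {k.lower(): v for k, v in entry["attrs"].items()}
            if all(self._matches(attrs, a, v) for a, v in terms):
                hits.append(dn)
        return hits

    @staticmethod
    def _matches(attrs, attr, value):
        attr = attr.lower()
        if attr not in attrs:
            return False
        if value == "*":  # presence test, e.g. objectclass=*
            return True
        return attrs[attr].lower() == unescape_filter_value(value).lower()


def search_bind_login(directory, cfg, username, password):
    """search_bind_authentication=true: bind as the service account, search, bind as the result."""
    if not password:
        return None
    if not directory.bind(cfg["bind_dn"], cfg["bind_password"]):
        raise RuntimeError("service account bind (bind_dn/bind_password) failed")
    ldap_filter = build_search_filter(username, cfg["user_filter"], cfg["user_name_attr"])
    hits = directory.search(cfg["base_dn"], ldap_filter)
    if len(hits) != 1:  # no entry, or an ambiguous result: never bind to "the first hit"
        return None
    return hits[0] if directory.bind(hits[0], password) else None


def direct_bind_login(directory, cfg, username, password):
    """search_bind_authentication=false: bind straight away with the user's own credentials."""
    if not password:
        return None
    if cfg.get("nt_domain"):  # AD: UPN = <username>@<nt_domain>; ldap_username_pattern ignored
        bind_name = f"{username}@{cfg['nt_domain']}"
    else:  # other directories: substitute into ldap_username_pattern
        bind_name = cfg["ldap_username_pattern"].replace("<username>", username)
    return bind_name if directory.bind(bind_name, password) else None


# Constructed sample directory and configurations (all names and secrets are made up).
DIRECTORY = FakeDirectory({
    "CN=hue-svc,OU=Service Accounts,DC=example,DC=com": {
        "attrs": {"objectClass": "user", "sAMAccountName": "hue-svc"}, "password": "svc-secret"},
    "CN=Alice Example,OU=Users,DC=example,DC=com": {
        "attrs": {"objectClass": "user", "sAMAccountName": "alice",
                  "userPrincipalName": "alice@EXAMPLE.COM"}, "password": "alice-pw"},
    "uid=bob,ou=People,dc=mycompany,dc=com": {
        "attrs": {"objectClass": "inetOrgPerson", "uid": "bob"}, "password": "bob-pw"},
})
SEARCH_BIND_CFG = {"base_dn": "DC=example,DC=com",
                   "bind_dn": "CN=hue-svc,OU=Service Accounts,DC=example,DC=com",
                   "bind_password": "svc-secret",
                   "user_filter": "objectclass=*", "user_name_attr": "sAMAccountName"}
AD_DIRECT_CFG = {"nt_domain": "EXAMPLE.COM"}
LDAP_DIRECT_CFG = {"ldap_username_pattern": "uid=<username>,ou=People,dc=mycompany,dc=com"}

if __name__ == "__main__":
    print(build_search_filter("x)(sAMAccountName=*"))
    print(search_bind_login(DIRECTORY, SEARCH_BIND_CFG, "alice", "alice-pw"))
    print(direct_bind_login(DIRECTORY, AD_DIRECT_CFG, "alice", "alice-pw"))
    print(direct_bind_login(DIRECTORY, LDAP_DIRECT_CFG, "bob", "bob-pw"))
```

Run it to see the escaped filter and the three successful logins; swap in a wrong or empty password, or the wildcard user name, and every flow returns None. The search-bind flow exposes only the service account's read access to the login form, which is why that account should be allowed to read the user subtree and nothing else.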