Hortonworks Docs » Hortonworks Data Platform 3.1.5 » Configuring Apache Ranger Authentication with UNIX, LDAP, or AD
Configuring Apache Ranger Authentication with UNIX, LDAP, or AD
Also available as:
PDF

Configure Ranger Authentication for LDAP

How to configure Ranger to use LDAP for user authentication.

You can configure Ranger authentication in two ways:
  • During installation: Ranger Customize Services > Advanced tab > Ranger Settings
  • After installation: Ambari > Ranger > Configs > Advanced > Ranger Settings
This portion of the Add Service Wizard shows the LDAP authentication settings.
  1. From the Ranger Settings tab:
    1. Enter the external URL, e.g. http://my-vm.hortonworks.com:6080.
    2. Under Authentication method, select LDAP.
    3. Under HTTP enabled, make a selection. This option enables you to select HTTP/HTTPS communication for Ranger admin console. If you disable HTTP, only HTTPS is allowed. HTTP is enabled by default.
  2. From the LDAP Settings tab, enter the following values:
    Property Description Default value Sample values
    Group Search Base {{ranger_ug_ldap_group_searchbase}}
    Group Search Filter {{ranger_ug_ldap_group_searchfilter}}
    LDAP URL {{ranger_ug_ldap_url}}
    Bind User {{ranger_ug_ldap_bind_dn}}
    Bind User Password N/A
    User Search Filter (uid={0})
    ranger.ldap.base.dn dc=example,dc=com
    ranger.ldap.group.roleattribute cn
    ranger.ldap.referral See below. ignore follow|throw|ignore
    ranger.ldap.user.dnpattern uid={0},ou=users,dc=xasecure,dc=net

    There are three possible values for ranger.ldap.ad.referral: follow, throw, and ignore. The recommended setting is follow.

    When searching a directory, the server might return several search results, along with a few continuation references that show where to obtain further results. These results and references might be interleaved at the protocol level.

    • When this property is set to follow, the AD service provider processes all of the normal entries first, and then follows the continuation references.

    • When this property is set to throw, all of the normal entries are returned in the enumeration first, before the ReferralException is thrown. By contrast, a "referral" error response is processed immediately when this property is set to follow or throw.

    • When this property is set to ignore, it indicates that the server should return referral entries as ordinary entries (or plain text). This might return partial results for the search. In the case of AD, a PartialResultException is returned when referrals are encountered while search results are processed.

© 2012–2019, Hortonworks, Inc.
Document licensed under the Creative Commons Attribution ShareAlike 4.0 License.
Hortonworks.com | Documentation | Support | Community