Configure Atlas authentication for LDAP
How to configure Atlas to use LDAP for user authentication.
The settings indicated in these steps apply to Atlas authentication and it is likely that the values will be the same as you use to configure other services on the cluster.
- In Cloudera Manager, select the Atlas service, then open the Configuration tab.
-
To display the authentication settings, type "authentication" in the Search
box. You may need to scroll down to see all of the LDAP settings.
-
Configure the following settings for LDAP authentication:
Grouping Property Description Sample values Enable LDAP Authentication Enable LDAP Authentication atlas.authentication.method.ldap
Determines whether LDAP is used for authentication. true
LDAP Authentication Type atlas.authentication.method.ldap.type
The LDAP type ( ldap
,ad
, ornone
).ldap
LDAP Server Location LDAP Server URL atlas.authentication.method.ldap.url
The LDAP server URL. ldap://localhost:389
orldaps://localhost:636
Bind Credentials LDAP Bind Username atlas.authentication.method.ldap.bind.dn
Full distinguished name (DN), including common name (CN), of an LDAP user account that has privileges to query the LDAP database of user accounts on behalf of Atlas. This could be a read-only LDAP user. cn=admin,ou=people,dc=example,dc=com
LDAP Bind DN Password
atlas.authentication.method.ldap.bind.password
Password for the account that can search for users. Secret123!
Group Lookup LDAP Group-Search Base atlas.authentication.method.ldap.groupSearchBase
The organizational unit (OU) and domain component (DC) properties for the LDAP search tree where Atlas searches for groups. (|(CN=Hdp_users)(CN=Hdp_admins))
LDAP Group-Search Filter atlas.authentication.method.ldap.groupSearchFilter
(Optional) Refine the scope of LDAP group search. The Groups-Search Filter is combined with the Group-Search Base to define the group lookup. Role Assignment LDAP Group-Role Attribute atlas.authentication.method.ldap.groupRoleAttribute
The attribute stored in the LDAP Group object to use to map LDAP groups to Atlas roles. cn
LDAP User Default Role atlas.authentication.method.ldap.default.role
Atlas role to assign to LDAP users. LDAP Search-Bind Authentication Mode LDAP DN atlas.authentication.method.ldap.base.dn
The Distinguished Name (DN) of the starting point of the LDAP search tree for directory server searches. You can also specify a User Search Filter to further reduce the scope of the search. dc=example,dc=com
LDAP User Search Filter atlas.authentication.method.ldap.user.searchfilter
The LDAP user search filter. Used with the User Search Base to further limit the scope of the search for a directory entry that matches the credentials of the user logging into Atlas. Use a user search filter along with a DN pattern so that the search filter provides a fallback if the DN pattern search fails.
LDAP Direct-Bind Authentication Mode LDAP User DN Pattern atlas.authentication.method.ldap.userDNpattern
Direct-bind authentication can be used if search is not required to determine the DN needed to bind to the LDAP server. Leave this property blank if LDAP DN is set. To use this authentication mode, all users must be under a single branch in the LDAP directory.
To search for a distinguished name where the uid attribute is the username at login, you might provide a pattern such as: uid={0},ou=users,dc=xasecure,dc=net
where
{0}
indicates the username of the authenticating user. If a user provides the username "foo" at the login page, Atlas searches for the DN:uid=foo,ou=People,dc=corp,dc=com
LDAP Referral LDAP Referral atlas.authentication.method.ldap.referral
*See below. Defaults to ignore
.follow
* There are three possible values for
atlas.authentication.method.ldap.referral
:follow
,throw
, andignore
. The recommended setting isfollow
.When searching a directory, the server might return several search results, along with a few continuation references that show where to obtain further results. These results and references might be interleaved at the protocol level.
-
When this property is set to
follow
, the LDAP service provider processes all of the normal entries first, and then follows the continuation references. -
When this property is set to
throw
, all of the normal entries are returned in the enumeration first, before theReferralException
is thrown. By contrast, a "referral" error response is processed immediately when this property is set tofollow
orthrow
. -
When this property is set to
ignore
, it indicates that the server should return referral entries as ordinary entries (or plain text). This might return partial results for the search. In the case of LDAP, aPartialResultException
is returned when referrals are encountered while search results are processed.
-
- Click Save Changes.
- Restart the Atlas service.