Configure Atlas authentication for LDAP
How to configure Atlas to use LDAP for user authentication.
The settings in these steps apply to Atlas authentication; the values are likely the same ones you use to configure LDAP for other services on the cluster.
- In Cloudera Manager, select the Atlas service, then open the Configuration tab.
- To display the authentication settings, type "authentication" in the Search box. You may need to scroll down to see all of the LDAP settings.
- Configure the following settings for LDAP authentication:
| Grouping | Property | Configuration key | Description | Sample values |
|---|---|---|---|---|
| Enable LDAP Authentication | Enable LDAP Authentication | `atlas.authentication.method.ldap` | Determines whether LDAP is used for authentication. | `true` |
| Enable LDAP Authentication | LDAP Authentication Type | `atlas.authentication.method.ldap.type` | The LDAP type (`ldap`, `ad`, or `none`). | `ldap` |
| LDAP Server Location | LDAP Server URL | `atlas.authentication.method.ldap.url` | The LDAP server URL. | `ldap://localhost:389` or `ldaps://localhost:636` |
| Bind Credentials | LDAP Bind Username | `atlas.authentication.method.ldap.bind.dn` | Full distinguished name (DN), including common name (CN), of an LDAP user account that has privileges to query the LDAP database of user accounts on behalf of Atlas. This could be a read-only LDAP user. | `cn=admin,ou=people,dc=example,dc=com` |
| Bind Credentials | LDAP Bind DN Password | `atlas.authentication.method.ldap.bind.password` | Password for the account that can search for users. | `Secret123!` |
| Group Lookup | LDAP Group-Search Base | `atlas.authentication.method.ldap.groupSearchBase` | The organizational unit (OU) and domain component (DC) properties for the LDAP search tree where Atlas searches for groups. | `(\|(CN=Hdp_users)(CN=Hdp_admins))` |
| Group Lookup | LDAP Group-Search Filter | `atlas.authentication.method.ldap.groupSearchFilter` | (Optional) Refine the scope of the LDAP group search. The Group-Search Filter is combined with the Group-Search Base to define the group lookup. | |
| Role Assignment | LDAP Group-Role Attribute | `atlas.authentication.method.ldap.groupRoleAttribute` | The attribute stored in the LDAP Group object to use to map LDAP groups to Atlas roles. | `cn` |
| Role Assignment | LDAP User Default Role | `atlas.authentication.method.ldap.default.role` | Atlas role to assign to LDAP users. | |
| LDAP Search-Bind Authentication Mode | LDAP DN | `atlas.authentication.method.ldap.base.dn` | The Distinguished Name (DN) of the starting point of the LDAP search tree for directory server searches. You can also specify a User Search Filter to further reduce the scope of the search. | `dc=example,dc=com` |
| LDAP Search-Bind Authentication Mode | LDAP User Search Filter | `atlas.authentication.method.ldap.user.searchfilter` | The LDAP user search filter. Used with the User Search Base to further limit the scope of the search for a directory entry that matches the credentials of the user logging into Atlas. Use a user search filter along with a DN pattern so that the search filter provides a fallback if the DN pattern search fails. | |
| LDAP Direct-Bind Authentication Mode | LDAP User DN Pattern | `atlas.authentication.method.ldap.userDNpattern` | Direct-bind authentication can be used if a search is not required to determine the DN needed to bind to the LDAP server. Leave this property blank if LDAP DN is set. To use this authentication mode, all users must be under a single branch in the LDAP directory. To search for a distinguished name where the `uid` attribute is the username at login, you might provide a pattern such as `uid={0},ou=users,dc=xasecure,dc=net`, where `{0}` indicates the username of the authenticating user. If a user provides the username "foo" at the login page, Atlas searches for the DN `uid=foo,ou=People,dc=corp,dc=com`. | |
| LDAP Referral | LDAP Referral | `atlas.authentication.method.ldap.referral` | See the note below the table. Defaults to `ignore`. | `follow` |

There are three possible values for `atlas.authentication.method.ldap.referral`: `follow`, `throw`, and `ignore`. The recommended setting is `follow`. When searching a directory, the server might return several search results, along with a few continuation references that show where to obtain further results. These results and references might be interleaved at the protocol level.

- When this property is set to `follow`, the LDAP service provider processes all of the normal entries first, and then follows the continuation references.
- When this property is set to `throw`, all of the normal entries are returned in the enumeration first, before the `ReferralException` is thrown. By contrast, a "referral" error response is processed immediately when this property is set to `follow` or `throw`.
- When this property is set to `ignore`, it indicates that the server should return referral entries as ordinary entries (or plain text). This might return partial results for the search. In the case of LDAP, a `PartialResultException` is returned when referrals are encountered while search results are processed.
- Click Save Changes.
- Restart the Atlas service.
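The following is an added example, not Cloudera or Atlas code, showing how the properties in the table above fit together before you click Save Changes. It reads a set of `atlas.authentication.method.ldap.*` properties and reports the inconsistencies a reviewer would flag: an unknown type or referral value, a `ldap://` URL that sends the bind password and user credentials in cleartext, both `base.dn` and `userDNpattern` set at once, search-bind mode without a bind account, or a DN pattern with no `{0}` placeholder. It also resolves a direct-bind pattern for a login name the way the text describes, with RFC 4514 escaping of the substituted value. The check rules, the escaping helper and the property sets are this example's own assumptions; the sample values are the ones in the table, and Atlas itself is not known to apply this escaping.

```python
"""Consistency checks for Atlas LDAP authentication properties.

Added example, not Atlas or Cloudera Manager code. The property names come
from the configuration table; the rules below are this example's own.
"""
from urllib.parse import urlsplit

PREFIX = "atlas.authentication.method.ldap"
VALID_TYPES = {"ldap", "ad", "none"}
VALID_REFERRALS = {"follow", "throw", "ignore"}


def check_ldap_properties(props: dict) -> list[str]:
    """Return a list of findings; an empty list means the set looks consistent."""
    findings = []
    if props.get(PREFIX, "false").lower() != "true":
        return [f"{PREFIX} is not true: LDAP authentication is disabled, nothing else checked"]

    ldap_type = props.get(f"{PREFIX}.type", "")
    if ldap_type not in VALID_TYPES:
        findings.append(f"{PREFIX}.type must be one of {sorted(VALID_TYPES)}, got {ldap_type!r}")

    url = props.get(f"{PREFIX}.url", "")
    scheme = urlsplit(url).scheme
    if scheme not in ("ldap", "ldaps"):
        findings.append(f"{PREFIX}.url must start with ldap:// or ldaps://, got {url!r}")
    elif scheme == "ldap":
        # the bind password and every user's login credentials cross the wire unencrypted
        findings.append("credentials travel in cleartext over ldap://; prefer ldaps://")

    bind_dn = props.get(f"{PREFIX}.bind.dn", "")
    bind_pw = props.get(f"{PREFIX}.bind.password", "")
    base_dn = props.get(f"{PREFIX}.base.dn", "")
    dn_pattern = props.get(f"{PREFIX}.userDNpattern", "")

    # search-bind mode (base.dn) and direct-bind mode (userDNpattern) are exclusive
    if base_dn and dn_pattern:
        findings.append("both base.dn and userDNpattern are set; leave userDNpattern blank when LDAP DN is set")
    if not base_dn and not dn_pattern:
        findings.append("neither base.dn (search-bind) nor userDNpattern (direct-bind) is set")
    if base_dn and not (bind_dn and bind_pw):
        findings.append("search-bind mode needs bind.dn and bind.password for the account that searches users")
    if dn_pattern and "{0}" not in dn_pattern:
        findings.append("userDNpattern has no {0} placeholder, so the login name is never substituted")

    referral = props.get(f"{PREFIX}.referral", "ignore")  # documented default
    if referral not in VALID_REFERRALS:
        findings.append(f"referral must be one of {sorted(VALID_REFERRALS)}, got {referral!r}")
    elif referral != "follow":
        findings.append(f"referral is {referral!r}; 'follow' is the recommended setting")
    return findings


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 rules, assumed helper)."""
    out = []
    for ch in value:
        if ch in '\\,+"<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    escaped = "".join(out)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def resolve_user_dn(pattern: str, username: str) -> str:
    """Substitute the login name for {0} in a direct-bind DN pattern (assumed behaviour)."""
    return pattern.replace("{0}", escape_dn_value(username))


# Constructed property sets built from the sample values in the table.
SAMPLE_SEARCH_BIND = {
    PREFIX: "true",
    f"{PREFIX}.type": "ldap",
    f"{PREFIX}.url": "ldaps://localhost:636",
    f"{PREFIX}.bind.dn": "cn=admin,ou=people,dc=example,dc=com",
    f"{PREFIX}.bind.password": "Secret123!",
    f"{PREFIX}.base.dn": "dc=example,dc=com",
    f"{PREFIX}.groupRoleAttribute": "cn",
    f"{PREFIX}.referral": "follow",
}

SAMPLE_DIRECT_BIND = {
    PREFIX: "true",
    f"{PREFIX}.type": "ldap",
    f"{PREFIX}.url": "ldap://localhost:389",
    f"{PREFIX}.userDNpattern": "uid={0},ou=users,dc=xasecure,dc=net",
}

if __name__ == "__main__":
    for name, props in (("search-bind", SAMPLE_SEARCH_BIND), ("direct-bind", SAMPLE_DIRECT_BIND)):
        print(name, check_ldap_properties(props) or "OK")
    print(resolve_user_dn(SAMPLE_DIRECT_BIND[f"{PREFIX}.userDNpattern"], "foo"))
```

Run against the search-bind set the checker is silent; against the direct-bind set it reports the cleartext URL and the default `ignore` referral, which is exactly what a reviewer would want corrected before restarting Atlas.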
