Cloudera Docs

Configuring user authentication using LDAP

LDAP authenticates users using a directory server, such as MS Active Directory, OpenLDAP, or OpenDJ.

To use LDAP to authenticate users, select LDAP from the DAS User Authentication field in Cloudera Manager, and complete the rest of the configuration by entering details in the following fields:
  • LDAP URL: Specify the LDAP URL to use for authentication.
  • LDAP GUID Key: Specify the LDAP attribute name whose values are unique on this LDAP server. For example: uid or CN.
  • LDAP Group Class Key: Specify the LDAP objectClass that each of the groups implements in LDAP. For example: objectClass: group.
  • LDAP Group Membership Key: Specify the LDAP attribute name on the group object that contains the list of distinguished names for the user, group, and contact objects that are members of the group. For example: member, uniqueMember, or memberUid.
  • LDAP User Membership Key: Specify the LDAP attribute name on the user object that contains groups of which the user is a direct member, except for the primary group, which is represented by the primaryGroupId. For example: memberOf.
  • LDAP Basedn: Specify the base domain name.

  • LDAP User DN Pattern: Specify a pattern for the distinguishedName (DN) for all the users in the directory. This value could be a single DN if the LDAP user entities are co-located within a single root, or it could be a colon-separated list of all the DN patterns if the users are scattered across different trees or forests in the directory.

    Each DN pattern can contain a %s in it that will be substituted with the username (from the user filter) by the provider for user search queries.

    For example: For single DN, you can specify CN=%s,CN=Users,DC=apache,DC=org. For two DNs, you can specify CN=%s,OU=Users,DC=apache,DC=org:uid=%s,CN=UnixUsers,DC=apache,DC=org.

  • LDAP Group DN Pattern: Specify a pattern for the distinguishedName (DN) for all the groups in the directory. This value could be a single DN if the LDAP Group entities are co-located, or it could be a colon-separated list of all DN patterns if the groups are scattered across different trees.

    Each DN pattern can contain a %s in it that will be substituted with the group name (from the group filter) by the provider for group search queries.

    For example: For single DN, you can specify CN=%s,OU=Groups,DC=apache,DC=org. For two DNs, you can specify CN=%s,OU=Groups,DC=apache,DC=org:uid=%s,CN=Users,DC=apache,DC=org.

  • LDAP Custom Query: There are several LDAP implementations available for commercial use, with no standard set of attributes within each implementation. If any of the filters listed in this topic do not meet the requirements for some unforeseen reasons, then DAS can use a user-specified LDAP query string to run against the LDAP server. This configured query is expected to return a set of DNs that represent individual users. The returned result is then used to adjudicate a GRANT/DENY decision to the authenticating user. To support this configuration, this new configuration property has been introduced. For example: group1,group2.
  • LDAP Group Filter: Specify the group name filter that is to be enforced by the LDAPAtnProvider. You can specify the individual groups using a comma-separated list. The user MUST belong to one or more of these groups for the authentication request to succeed. For example: group1,group2.
  • LDAP User Filter: Specify a comma-separated list of all the usernames to whom you want to grant access. The Atn provider grants access to a user if the user is a part of this list, and denies access otherwise.
  • LDAP Domain: Specify the base domain name.