Authenticating Hue users with LDAP
Configuring Hue for Lightweight Directory Access Protocol (LDAP) enables you to import users and groups from a directory service, synchronize group membership manually or automatically at login, and authenticate with an LDAP server.
Hue supports Microsoft Active Directory (AD) and open standard LDAP such as OpenLDAP and Forgerock OpenDJ Directory Services.
Integrating Hue with LDAP
When Hue is integrated with LDAP, users can use their existing credentials to authenticate and inherit their existing groups transparently. There is no need to save or duplicate any employee password in Hue.
When authenticating using LDAP, Hue validates login credentials against an LDAP directory service if Hue is configured with the LDAP authentication backend (desktop.auth.backend.LdapBackend) in Cloudera Manager.
create_users_on_loginproperty in the field to
[desktop] [[ldap]] create_users_on_login=false
The purpose of disabling the automatic import is to allow only a predefined list of manually imported users to login.
Preserving the case of the usernames
[desktop] [[auth]] ignore_username_case=true force_username_uppercase=true/false force_username_lowercase=true/false [[ldap]] ignore_username_case=true force_username_uppercase=true/false force_username_lowercase=true/false
Binding Hue with LDAP
There are two ways to bind Hue with an LDAP directory service:
- Search Bind
- The search bind mechanism for authenticating will perform an ldapsearch against the directory service and bind using the found distinguished name (DN) and password provided. This is the default method of authentication used by Hue with LDAP.
- You can restrict the search process by configuring the following two properties under
the Hue Service Advanced Configuration Snippet (Safety Valve) for
hue_safety_valve.ini [desktop] > [[ldap]] > [[[users]]] section.
General LDAP filter to restrict the search. Default:
The attribute that will be considered the username to be searched against. Typical attributes to search for include: uid, sAMAccountName. Default:
- With the above configuration, the LDAP search filter takes the following
- Direct Bind
- The direct bind mechanism for authenticating binds to the LDAP server using the username and password provided at login.
- Hue authenticates (without searching) in one of two ways:
- NT Domain (
nt_domain): (Only for use with Microsoft Active Directory) Hue binds to the AD with username@domain using the User Principal Names (UPN) to bind to the LDAP service. This AD-specific property allows Hue to authenticate with AD without having to follow LDAP references to other partitions. This typically maps to the email address of the user or the user's ID in conjunction with the domain. Default:
- Username Pattern (
ldap_username_pattern): Bind to open standard LDAP with full path of directory information tree (DIT). It provides a template for the DN that is ultimately sent to the directory service when authenticating. The
[***USERNAME***]parameter is replaced with the username provided at login.Default:
- NT Domain (
To prevent credentials from transmitting in the clear, encrypt with LDAP over SSL, using the LDAPS protocol on the LDAPS port, which uses port 636 by default. An alternative, is to encrypt with the StartTLS operation using the standard LDAP protocol, which uses port 389 by default. Cloudera recommends LDAPS. You must have a CA Certificate in either case.
|LDAP Auth Action||Encrypted (LDAPS)||Encrypted (LDAP+TLS)||Not Encrypted (LDAP)|
|Search Bind||AD, LDAP||AD, LDAP||AD, LDAP|
|Direct Bind - NT Domain||AD||AD||AD|
|Direct Bind - User Pattern||LDAP||LDAP||LDAP|
- LDAP server
- Bind account (or support for anonymous binds)
- Cloudera Manager access with Full Administrator permissions
- [optional] LDAP server with LDAPS or StartTLS encryption.