Configuring authentication with LDAP and Search Bind

Search Bind authentication executes ldapsearch against one or more directory services and binds with the distinguished name (DN) and password. Hue searches the subtree from the base distinguished name. If the LDAP Username Attribute is set, Hue looks for an entry whose attribute has the same value as the short name given at login.

Video: Authenticate Hue with LDAP and Search Bind

Figure 1. Video: Authenticate Hue with LDAP and Search Bind

Log on to Cloudera Manager and click Hue.
Click the Configuration tab and filter by scope=Service-wide and category=Security.

Set the following required properties:


Authentication Backend	desktop.auth.backend.LdapBackend
LDAP URL	`ldaps://<ldap_server>:636` if using Secure LDAP `ldap://<ldap_server>:389` if not using encryption Note: If ldaps:// is specified in the LDAP URL, then do not set LDAP TLS.
Enable LDAP TLS	`TRUE` if not using Secure LDAP (LDAPS) but want to establish a secure connection using TLS `FALSE` if using LDAPS or not encrypting
LDAP Server CA Certificate	/path_to_certificate/cert.pem
LDAP Search Base	DC=mycompany,DC=com
LDAP Bind User Distinguished Name	username@domain
LDAP Bind Password	bind_user_password
Use Search Bind Authentication	TRUE
Create LDAP users on login	TRUE

You can optionally improve search performance with attributes and filters:


LDAP User Filter	objectclass=user (default = *)
LDAP Username Attribute	sAMAccountName (AD default), uid (LDAP default)
LDAP Group Filter	objectclass=group (default = *)
LDAP Group Name Attribute	cn (default)
LDAP Group Membership Attribute	member (default)

Add any valid user and/or valid group to quickly test your LDAP configuration:


LDAP Username for Test LDAP Configuration	Any valid user
LDAP Group Name for Test LDAP Configuration	Any valid group

Click Save Changes.
Test your LDAP configuration, and when successful click Restart Hue.
note
The syntax of Bind Distinguished Name differs per bind method:
- Search Bind: username@domain
- Direct Bind with NT Domain: username
- Direct Bind with Username Pattern: DN string (full DIT path)
Do not use if anonymous binding is supported.
You can test ldapsearch at the command line as follows:
```
LDAPTLS_CACERT=/<path_to_cert>/<ca_certificate> ldapsearch -H ldaps://<ldap_server>:636 \
-D "<bind_dn>" -w <bind_password> -b <base_dn> "samaccountname=<user>"
```
note
To run ldapsearch with a CA certificate, you may need to install ldap_utils on Debian/Ubuntu and openldap-clients on RHEL/CentOS.