Configuring authentication with LDAP and Search Bind
Search Bind authentication executes ldapsearch against one or more directory services and binds with the distinguished name (DN) and password. Hue searches the subtree from the base distinguished name. If the LDAP Username Attribute is set, Hue looks for an entry whose attribute has the same value as the short name given at login.
- Log on to Cloudera Manager and click Hue.
- Click the Configuration tab and filter by scope=Service-wide and category=Security.
- Set the following required properties:
  - Authentication Backend: desktop.auth.backend.LdapBackend
  - LDAP URL: ldaps://<ldap_server>:636 if using Secure LDAP; ldap://<ldap_server>:389 if not using encryption
    Note: If ldaps:// is specified in the LDAP URL, then do not set LDAP TLS.
  - Enable LDAP TLS: TRUE if not using Secure LDAP (LDAPS) but want to establish a secure connection using TLS; FALSE if using LDAPS or not encrypting
  - LDAP Server CA Certificate: /path_to_certificate/cert.pem
  - LDAP Search Base: DC=mycompany,DC=com
  - LDAP Bind User Distinguished Name: username@domain
  - LDAP Bind Password: bind_user_password
  - Use Search Bind Authentication: TRUE
  - Create LDAP users on login: TRUE
- You can optionally improve search performance with attributes and filters:
  - LDAP User Filter: objectclass=user (default = *)
  - LDAP Username Attribute: sAMAccountName (AD default), uid (LDAP default)
  - LDAP Group Filter: objectclass=group (default = *)
  - LDAP Group Name Attribute: cn (default)
  - LDAP Group Membership Attribute: member (default)
- Add any valid user and/or valid group to quickly test your LDAP configuration:
  - LDAP Username for Test LDAP Configuration: Any valid user
  - LDAP Group Name for Test LDAP Configuration: Any valid group
- Click Save Changes.
- Test your LDAP configuration, and when successful click Restart Hue.
You can test ldapsearch at the command line as follows:

    LDAPTLS_CACERT=/<path_to_cert>/<ca_certificate> ldapsearch -H ldaps://<ldap_server>:636 \
        -D "<bind_dn>" -w <bind_password> -b <base_dn> "samaccountname=<user>"
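
Two points in the settings above are easy to get wrong: the LDAP URL scheme versus Enable LDAP TLS, and how the short name given at login ends up inside the search filter. The following Python is an added example, not Hue's or Cloudera's code; the dictionary keys and function names are assumptions chosen for illustration. It flags contradictory transport settings and builds the user search filter with RFC 4515 escaping of the login name.

```python
# Added example, not Hue's implementation. Setting keys ("ldap_url",
# "use_start_tls", "ca_cert") and function names are chosen for illustration.
from urllib.parse import urlparse

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a login name so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_search_filter(user_filter, username_attr, login_name):
    """Combine the LDAP User Filter with <LDAP Username Attribute>=<login name>."""
    match = "(%s=%s)" % (username_attr, escape_filter_value(login_name))
    if user_filter in ("", "*"):  # page default (*): no extra restriction
        return match
    if not user_filter.startswith("("):
        user_filter = "(%s)" % user_filter
    return "(&%s%s)" % (user_filter, match)


def check_transport(settings):
    """Return a list of problems with the URL / TLS / CA certificate settings."""
    problems = []
    scheme = urlparse(settings["ldap_url"]).scheme
    start_tls = settings.get("use_start_tls", False)
    if scheme not in ("ldap", "ldaps"):
        problems.append("LDAP URL must start with ldap:// or ldaps://")
    if scheme == "ldaps" and start_tls:
        problems.append("ldaps:// already encrypts; do not also enable LDAP TLS")
    if scheme == "ldap" and not start_tls:
        problems.append("ldap:// without LDAP TLS sends bind passwords unencrypted")
    if (scheme == "ldaps" or start_tls) and not settings.get("ca_cert"):
        problems.append("no LDAP Server CA Certificate set for the encrypted connection")
    return problems


if __name__ == "__main__":
    # Constructed sample values; ldap.example.com is a placeholder host.
    cfg = {"ldap_url": "ldaps://ldap.example.com:636", "use_start_tls": True,
           "ca_cert": "/path_to_certificate/cert.pem"}
    print(check_transport(cfg))
    print(build_user_search_filter("objectclass=user", "sAMAccountName", "jdoe"))
    print(build_user_search_filter("objectclass=user", "uid", "a*)(uid=*"))
```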