Configuring PAM authentication with LDAP and SSSD

You can configure PAM authentication with one or more Active Directory/LDAP servers using System Security Services Daemon (SSSD). SSSD is a system service that allows the Cloudera Manager Server host to access a remote LDAP directory or Active Directory domain.

For more information on SSSD, see Red Hat documentation.
  1. Configure SSSD on the Cloudera Manager server host. Run the following command to check if the remote user has been synchronized to the server host:
    id <remote_username>
  2. In Cloudera Manager, click Administration > Settings > External Authentication.
  3. Verify that the Authentication Backend Order property is not set to "Database Only."
  4. Verify that the Authorization Backend Order property is not set to "Database Only." If set to Database Only, the external group mapping will not work.
  5. Select PAM as the external authentication type.
  6. If you have a specific PAM configuration you wish to use for Cloudera Manager, modify the PAM Service Name property with that configuration's name (it should correspond to a file residing in /etc/pam.d/). Otherwise, use the default value, login.
  7. Save the changes.
  8. Add your group mapping roles. Click Administration > Users & Roles > LDAP/PAM Groups, then Add LDAP/PAM Group Mapping.
  9. When finished, restart the Cloudera Manager Server:
    sudo systemctl restart cloudera-scm-server