Cloudera Docs

Configure Ranger authentication for AD

How to configure Ranger to use Active Directory (AD) for user authentication.

  1. Select Cloudera Manager > Ranger > Configuration, type authentication in Search.
    Ranger authentication property settings display. You may need to scroll down to see the AD settings.


  2. Configure the following settings for AD authentication, then click Save Changes.
    Property Description Default value Sample values
    Admin Authentication Method The Ranger authentication method. UNIX ACTIVE_DIRECTORY

    Admin AD Auth Base DN

    ranger.ldap.ad.base.dn

    		The Distinguished Name (DN) of the starting point for directory server searches. N/A dc=example,dc=com

    Admin AD Auth Bind DN

    ranger.ldap.ad.bind.dn

    		 The full Distinguished Name (DN), including Common Name (CN) of an LDAP user account that has privileges to search for users. N/A cn=adadmin,cn=Users,dc=example,dc=com

    Admin AD Auth Bind Password

    ranger.ldap.ad.bind.password

    		 Password for the bind.dn. N/A Secret123!

    Admin AD Auth Domain Name

    ranger.ldap.ad.domain

    		 The domain name of the AD Authentication service. N/A example.com

    Admin AD Auth Referral

    ranger.ldap.ad.referral*

    		 See below. ignore follow | ignore | throw

    Admin AD Auth URL

    ranger.ldap.ad.url

    The AD server URL, for example:

    ldap://<AD-Servername>:Port

    		 N/A ldap://<AD-Servername>:Port

    Admin AD Auth User Search Filter

    ranger.ldap.ad.user.searchfilter

    		 AD user search filter. N/A
    * There are three possible values for ranger.ldap.ad.referral:
    • follow
    • throw
    • ignore
    The recommended setting is: follow.
    When searching a directory, the server might return several search results, along with a few continuation references that show where to obtain further results. These results and references might be interleaved at the protocol level.
    When ranger.ldap.ad.referral is set to follow:
    The AD service provider processes all of the normal entries first, and then follows the continuation references.
    When ranger.ldap.ad.referral is set to throw:
    All of the normal entries are returned in the enumeration first, before theReferralException is thrown.
    By contrast, a referral error response is processed immediately when this property is set to follow or throw.
    When ranger.ldap.ad.referral is set to ignore:
    The server should return referral entries as ordinary entries (or plain text). This might return partial results for the search. In the case of AD, a PartialResultException is returned when referrals are encountered while search results are processed.