LDAP Group Settings

In addition to the general LDAP settings, you can use the following group settings to restrict access to Cloudera Data Science Workbench to certain groups in LDAP. These settings also sync an LDAP group with a team, which makes it easier to manage the membership of that team.

  • LDAP Group Search Base: The base distinguished name (DN) where Cloudera Data Science Workbench will search for groups.

  • LDAP Group Search Filter: The LDAP filter that Cloudera Data Science Workbench will use to determine whether a user belongs to a group.

    A group object in LDAP or Active Directory typically has one or more member attributes that store the DNs of the users in the group. If LDAP Group Search Filter is set to member={0}, Cloudera Data Science Workbench will automatically replace the {0} placeholder with the DN of the authenticated user.

  • LDAP User DN attribute override: The LDAP user object in Active Directory or LDAP services typically uses the DN attribute, which contains the distinguished name of the user. Because this attribute sometimes differs, you might need to override it with a custom value (for example, memberUid).

  • LDAP User Groups: A list of LDAP groups whose users have access to Cloudera Data Science Workbench. When this property is set, only users that successfully authenticate themselves AND belong to at least one of the groups listed here will be able to access Cloudera Data Science Workbench.

    If this property is left empty, all users that can successfully authenticate themselves to LDAP will be able to access Cloudera Data Science Workbench.

  • LDAP Business Groups: A list of case-insensitive LDAP group names (CN). If this list is provided, only users that are members of at least one of the groups in the list will be allowed to log in to Cloudera Machine Learning as a Business User. If this property is left empty, no LDAP users will be able to log in to Cloudera Machine Learning as a Business User. For example, if there is a group called CN=CDSWBusinessUsers,OU=Groups,DC=company,DC=com, add the group name (CN) CDSWBusinessUsers to the LDAP User Groups list to allow members of that group to log in to Cloudera Machine Learning as a Business User.

  • LDAP Full Administrator Groups: A list of LDAP groups whose users are automatically granted the site administrator role on Cloudera Data Science Workbench.

    When the LDAP Full Administrator Groups field is used, only users that belong to at least one of the groups specified in LDAP Full Administrator Groups are granted Admin privileges upon successful login. This means that you cannot manually grant Admin permissions to users who are not part of one of the groups listed in LDAP Full Administrator Groups. If you do, their Admin access will be revoked when CDSW syncs with the LDAP server.

    The groups listed under LDAP Full Administrator Groups do not need to be listed again under the LDAP User Groups property.

    Figure 1. Example

    If you want to restrict access to Cloudera Data Science Workbench to members of a group whose DN is:

    CN=CDSWUsers,OU=Groups,DC=company,DC=com

    And automatically grant site administrator privileges to members of a group whose DN is:

    CN=CDSWAdmins,OU=Groups,DC=company,DC=com

    Add the CNs of both groups to the following settings in Cloudera Data Science Workbench:
    • LDAP User Groups: CDSWUsers
    • LDAP Full Administrator Groups: CDSWAdmins
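
The rules in this section, modeled as an added example (not Cloudera's code): it builds the group search filter from the member={0} template, escaping the user DN as RFC 4515 requires, and then applies the LDAP User Groups and LDAP Full Administrator Groups rules. The sample users, the helper names, the parenthesis wrapping of the filter and the case-insensitive group comparison are assumptions.

```python
import re

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def build_group_filter(template, user_dn):
    """Replace the {0} placeholder with the escaped DN of the authenticated user."""
    body = template.replace("{0}", escape_filter_value(user_dn))
    # Assumption: wrap a bare "member={0}" in parentheses to form a full filter.
    return body if body.startswith("(") else "(" + body + ")"

def group_cn(group_dn):
    """Return the CN in the leading RDN of a group DN, or None if it has none."""
    first_rdn = re.split(r"(?<!\\),", group_dn, maxsplit=1)[0]
    attr, _, value = first_rdn.partition("=")
    return value.strip() if attr.strip().lower() == "cn" else None

def evaluate_login(member_of_dns, user_groups, admin_groups):
    """Model the rules on this page; returns (access_allowed, site_admin)."""
    # Assumption: group names are compared case-insensitively.
    cns = {cn.lower() for cn in map(group_cn, member_of_dns) if cn}
    is_admin = any(g.lower() in cns for g in admin_groups)
    # Empty LDAP User Groups: every user who authenticates gets access.
    # Admin groups do not need to be repeated under LDAP User Groups.
    allowed = not user_groups or is_admin or any(g.lower() in cns for g in user_groups)
    return allowed, is_admin

# Constructed sample directory, reusing the group DNs from the example above.
ANA = "CN=Ana (Contractor),OU=People,DC=company,DC=com"
RAJ = "CN=Raj,OU=People,DC=company,DC=com"
GROUPS = {
    "CN=CDSWUsers,OU=Groups,DC=company,DC=com": [ANA],
    "CN=CDSWAdmins,OU=Groups,DC=company,DC=com": [RAJ],
}

def groups_for(user_dn):
    """Stand-in for the group search: DNs of groups that list user_dn as a member."""
    return [dn for dn, members in GROUPS.items() if user_dn in members]

if __name__ == "__main__":
    for dn in (ANA, RAJ, "CN=Eve,OU=People,DC=company,DC=com"):
        print(build_group_filter("member={0}", dn))
        print("  ", evaluate_login(groups_for(dn), ["CDSWUsers"], ["CDSWAdmins"]))
```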