How Login Works with LDAP Group Settings Enabled
With LDAP Group settings enabled, the login process in Cloudera Data Science Workbench works as follows.
- Authentication with LDAP
When an unauthenticated user first accesses Cloudera Data Science Workbench, they are sent to the login page, where they can log in by providing a username and password.
Cloudera Data Science Workbench searches for the user by binding as the LDAP Bind DN, then verifies the username/password credentials provided by the user.
- Authorization Check for Access to Cloudera Data Science Workbench
If the user is authenticated successfully, Cloudera Data Science Workbench then uses the LDAP Group Search Filter to search for all groups the user belongs to, under the DN specified in LDAP Group Search Base.
The list of LDAP groups the user belongs to is then compared to the pre-authorized lists of groups specified in the LDAP User Groups and LDAP Full Administrator Groups properties.
If there is a match with a group listed under LDAP User Groups, this user will be allowed to access Cloudera Data Science Workbench as a regular user.
If there is a match with a group listed under LDAP Full Administrator Groups, this user will be allowed to access Cloudera Data Science Workbench as a site administrator.
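The authorization check above, modelled offline as an added example (not Cloudera's code). The DNs, directory contents and helper names are constructed; matching groups by normalized DN, letting the administrator list win when both lists match, and denying access when neither matches are assumptions of this sketch.

```python
# Added example: offline model of the group-based authorization check.
# All DNs and directory contents below are constructed sample data.

def norm_dn(dn):
    """Normalize a DN for comparison (simplified: ignores escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_base(dn, base):
    """True if dn is the search base itself or lies beneath it."""
    dn, base = norm_dn(dn), norm_dn(base)
    return dn == base or dn.endswith("," + base)

def search_groups(directory, group_search_base, user_dn):
    """Stand-in for the LDAP Group Search Filter: groups under the search
    base that list user_dn as a member (assumes a member=<user DN> filter)."""
    user = norm_dn(user_dn)
    return [g["dn"] for g in directory
            if in_base(g["dn"], group_search_base)
            and user in (norm_dn(m) for m in g["member"])]

def resolve_role(groups_found, ldap_user_groups, ldap_full_admin_groups):
    """Compare the user's groups to the two pre-authorized lists.
    Assumptions: administrator wins if both match; no match means no access."""
    found = {norm_dn(g) for g in groups_found}
    if found & {norm_dn(g) for g in ldap_full_admin_groups}:
        return "site administrator"
    if found & {norm_dn(g) for g in ldap_user_groups}:
        return "regular user"
    return None

def person(uid):
    return f"uid={uid},ou=people,dc=example,dc=com"

BASE = "ou=groups,dc=example,dc=com"             # LDAP Group Search Base
USER_GROUPS = ["CN=ds-users, OU=Groups, DC=example, DC=com"]
ADMIN_GROUPS = ["cn=ds-admins,ou=groups,dc=example,dc=com"]
DIRECTORY = [
    {"dn": "cn=ds-users,ou=groups,dc=example,dc=com",
     "member": [person("alice"), person("bob")]},
    {"dn": "cn=ds-admins,ou=Groups,dc=example,dc=com",
     "member": [person("bob")]},
    # Same cn as the admin group, but outside the search base: never returned.
    {"dn": "cn=ds-admins,ou=sandbox,dc=example,dc=com",
     "member": [person("mallory")]},
]

def login_role(uid):
    groups = search_groups(DIRECTORY, BASE, person(uid))
    return resolve_role(groups, USER_GROUPS, ADMIN_GROUPS)

if __name__ == "__main__":
    for uid in ("alice", "bob", "mallory"):
        print(uid, "->", login_role(uid))
```

The third directory entry shows why the search base matters: a group that merely shares a name with a pre-authorized group grants nothing unless it lives under LDAP Group Search Base.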