Managing user groups using LDAP
Learn how to enable user group management using the Lightweight Directory Access Protocol (LDAP).
Edge Flow Manager can be configured to retrieve group assignments from LDAP. This implies that user groups can only be added or modified using LDAP, and user-group assignments can exclusively be managed through LDAP. However, you still retain the ability to assign policies to users and groups within Edge Flow Manager.
- Enable user group management by LDAP.
  To enable user group management using LDAP, set the following property in the efm.properties file:
  efm.security.user.auth.groups.manager=LDAP
- Configure LDAP integration.
  For a successful integration, make sure that the following properties are accurately configured.
Basic properties
- efm.security.ldap.url
- Enter a comma-separated list of LDAP server URLs (for example: ldap://<hostname>:<port>).
- efm.security.ldap.syncInterval
- Specify the duration of time between synchronizing users and groups (for example: 30 m). The minimum allowable value is 30 seconds and the default value is 30 minutes.
- efm.security.ldap.managerDn
- Provide the Distinguished Name (DN) of the manager used to bind to the LDAP server to search for users and groups.
- efm.security.ldap.managerPassword
- Enter the password of the manager used to bind to the LDAP server to search for users and groups.
- efm.security.ldap.authenticationStrategy
- Select an authentication strategy for connecting to the LDAP server.
- Possible values:
- ANONYMOUS
- SIMPLE
- LDAPS
- START_TLS
- efm.security.ldap.referralStrategy
- Select a strategy for handling LDAP referrals.
- Possible values:
- FOLLOW (default value, automatically follow any referrals)
- IGNORE (ignore referrals)
- THROW (throw an error if a referral occurs)
- efm.security.ldap.connectTimeout
- Set the duration of the connection timeout. The default value is 10 seconds.
- efm.security.ldap.readTimeout
- Set the duration of the read timeout. The default value is 10 seconds.
- efm.security.ldap.pageSize
- Optionally, you can set the page size when retrieving users and groups. If not specified, no paging is performed.
- efm.security.ldap.groupMembershipCaseSensitive
- Indicate whether group membership decisions should be case-sensitive. The default value is false.
TLS properties
These properties are required when efm.security.ldap.authenticationStrategy is set to LDAPS or START_TLS.
- efm.security.ldap.tls.keyStore
- Specify the path to the keystore used when connecting to LDAP.
- efm.security.ldap.tls.keyStorePassword
- Set the password for the keystore used when connecting to LDAP.
- efm.security.ldap.tls.keyStoreType
- Define the type of the keystore used when connecting to LDAP. Possible values are BCFKS, PKCS12, or JKS.
- efm.security.ldap.tls.trustStore
- Provide the path to the truststore used when connecting to LDAP.
- efm.security.ldap.tls.trustStorePassword
- Set the password for the truststore used when connecting to LDAP.
- efm.security.ldap.tls.trustStoreType
- Specify the type of the truststore used when connecting to LDAP. Possible values are BCFKS, PKCS12, or JKS.
- efm.security.ldap.tls.tlsProtocol
- Select the protocol to use when establishing LDAP connections. Possible values are TLS, TLSv1_1, or TLSv1_2.
- efm.security.ldap.tls.shutdownGracefully
- Determine whether TLS should be shut down gracefully before the target context is closed. The default setting is false and applies exclusively to the START_TLS authentication strategy.
Search properties
Synchronizing users and groups is possible through a user search, a group search, or both, depending on your LDAP schema and configuration. At least one of the two searches must be configured for user and group synchronization to take place.
User search
- efm.security.ldap.user.searchBase
- Specify the base DN for searching users (for example: ou=users, o=efm).
- efm.security.ldap.user.objectClass
- Define the object class for identifying users (for example: person).
- efm.security.ldap.user.searchScope
- Set the search scope for searching users. Possible values are ONE_LEVEL, OBJECT, or SUBTREE.
- efm.security.ldap.user.searchFilter
- Apply a filter for searching users in the User Search Base (for example: (memberof=cn=team1,ou=groups,o=efm)).
- efm.security.ldap.user.identityAttribute
- Optionally, you can specify the attribute used to extract user identity (for example: cn). If not set, the entire DN is used.
- efm.security.ldap.user.groupNameAttribute
- Optionally, you can define the attribute used to establish group membership (for example: memberof). If not set, group memberships are calculated based on efm.security.ldap.group.memberAttribute. If set, the value of this property is the name of the attribute in the user LDAP entry that associates the user with a group. The value of that user attribute can be, for instance, a DN or a group name; which form is expected is configured in efm.security.ldap.user.referencedGroupAttribute.
- efm.security.ldap.user.referencedGroupAttribute
- If not set, the value of the attribute defined in efm.security.ldap.user.groupNameAttribute is expected to be the full DN of the group. If set, this property defines the attribute of the group LDAP entry to which the value of the attribute defined in efm.security.ldap.user.groupNameAttribute refers (for example: name). The use of this property requires that efm.security.ldap.group.searchBase is also configured.
Group search
- efm.security.ldap.group.searchBase
- Specify the base DN for group searches (for example: ou=users,o=efm).
- efm.security.ldap.group.objectClass
- Identify the object class for groups (for example: groupOfNames).
- efm.security.ldap.group.searchScope
- Define the search scope for group searches. Possible values are ONE_LEVEL, OBJECT, or SUBTREE.
- efm.security.ldap.group.searchFilter
- Optionally, you can apply a filter for group searches against efm.security.ldap.group.searchBase.
- efm.security.ldap.group.nameAttribute
- Optionally, you can extract group names using the specified attribute (for example: cn). If not set, the entire DN is used.
- efm.security.ldap.group.memberAttribute
- Optionally, you can specify an attribute for defining group membership (for example: member). If not set, group membership will not be calculated through the groups. Instead, it relies on group membership defined using efm.security.ldap.user.groupNameAttribute. If set, the value of this property is the name of the attribute in the group LDAP entry that associates users with groups. The value of this group attribute can be a DN or memberUid, depending on your configuration (for example: member: cn=User 1,ou=users,o=efm vs. memberUid: user1).
- efm.security.ldap.group.referencedUserAttribute
- If not set, the value of the attribute defined in efm.security.ldap.group.memberAttribute is expected to be the full DN of the user. If set, this property defines the attribute of the user LDAP entry referenced by efm.security.ldap.group.memberAttribute (for example: uid). Using this property requires that efm.security.ldap.user.searchBase is also configured (for example: member: cn=User 1,ou=users,o=efm vs. memberUid: user1).
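The interplay between the user-side membership properties (groupNameAttribute, referencedGroupAttribute) and the group-side ones (memberAttribute, referencedUserAttribute) is easier to see on a small directory. The following Python model is an added example, not Edge Flow Manager code: it applies the rules as documented above (identityAttribute and nameAttribute falling back to the full DN, membership taken from the user entry or from the group entry, and groupMembershipCaseSensitive) to a few constructed user and group entries. Where both the user-side and the group-side attributes are set it unions the two results, which is an assumption of the model, not something the documentation states; configuration keys are given without the efm.security.ldap. prefix.

```python
"""Model of how the documented LDAP search properties resolve group membership.

Added example, not Edge Flow Manager code. It follows the rules stated in the
documentation for user.groupNameAttribute / user.referencedGroupAttribute and
group.memberAttribute / group.referencedUserAttribute on a constructed directory.
When both sides are configured the results are unioned (an assumption of this model).
Configuration keys are the property names without the "efm.security.ldap." prefix.
"""

# Constructed directory entries: (DN, {attribute: [values]}). Not real data.
USERS = [
    ("cn=User 1,ou=users,o=efm",
     {"cn": ["User 1"], "uid": ["user1"], "memberof": ["cn=team1,ou=groups,o=efm"]}),
    ("cn=User 2,ou=users,o=efm",  # memberof differs from the group DN only in case
     {"cn": ["User 2"], "uid": ["user2"], "memberof": ["CN=Team1,OU=groups,O=efm"]}),
]
GROUPS = [
    ("cn=team1,ou=groups,o=efm",
     {"cn": ["team1"], "member": ["cn=User 1,ou=users,o=efm"], "memberUid": ["user2"]}),
]


def _key(value, case_sensitive):
    """Comparison key honouring groupMembershipCaseSensitive (default false)."""
    return value if case_sensitive else value.lower()


def _display_name(dn, attrs, attribute):
    """identityAttribute / nameAttribute if set and present, otherwise the full DN."""
    if attribute and attrs.get(attribute):
        return attrs[attribute][0]
    return dn


def _reference_index(entries, ref_attribute, name_attribute, case_sensitive):
    """Map the value another entry may reference (the DN by default, or the attribute
    named in referencedGroupAttribute / referencedUserAttribute) to a display name."""
    index = {}
    for dn, attrs in entries:
        refs = attrs.get(ref_attribute, []) if ref_attribute else [dn]
        for ref in refs:
            index[_key(ref, case_sensitive)] = _display_name(dn, attrs, name_attribute)
    return index


def resolve_membership(users, groups, cfg):
    """Return {group display name: sorted list of user identities}."""
    cs = cfg.get("groupMembershipCaseSensitive", False)
    user_ident, group_name = cfg.get("user.identityAttribute"), cfg.get("group.nameAttribute")
    users_searched = bool(cfg.get("user.searchBase"))
    groups_searched = bool(cfg.get("group.searchBase"))
    group_index = _reference_index(groups, cfg.get("user.referencedGroupAttribute"), group_name, cs)
    user_index = _reference_index(users, cfg.get("group.referencedUserAttribute"), user_ident, cs)
    result = {}

    # User-side membership: the user entry names its groups (for example memberof).
    group_attr = cfg.get("user.groupNameAttribute")
    if users_searched and group_attr:
        for dn, attrs in users:
            for ref in attrs.get(group_attr, []):
                # Without a group search the reference must be the group DN and is used as-is.
                g = group_index.get(_key(ref, cs)) if groups_searched else ref
                if g is not None:
                    result.setdefault(g, set()).add(_display_name(dn, attrs, user_ident))

    # Group-side membership: the group entry lists its users (member or memberUid).
    member_attr = cfg.get("group.memberAttribute")
    if groups_searched and member_attr:
        for dn, attrs in groups:
            for ref in attrs.get(member_attr, []):
                u = user_index.get(_key(ref, cs)) if users_searched else ref
                if u is not None:
                    result.setdefault(_display_name(dn, attrs, group_name), set()).add(u)

    return {g: sorted(m) for g, m in result.items()}


if __name__ == "__main__":
    memberof_cfg = {"user.searchBase": "ou=users,o=efm", "user.identityAttribute": "cn",
                    "user.groupNameAttribute": "memberof",
                    "group.searchBase": "ou=groups,o=efm", "group.nameAttribute": "cn"}
    print(resolve_membership(USERS, GROUPS, memberof_cfg))
    print(resolve_membership(USERS, GROUPS, {**memberof_cfg, "groupMembershipCaseSensitive": True}))
```

Running the module shows the effect of groupMembershipCaseSensitive on User 2, whose memberof value differs from the group DN only in letter case: with the default (false) both users land in team1, with true only User 1 does. Switching the configuration to group.memberAttribute=memberUid with group.referencedUserAttribute=uid resolves membership from the group side instead, which is the memberUid case the documentation mentions.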
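Because several of these properties constrain each other (the TLS properties are required only for LDAPS and START_TLS, referencedGroupAttribute needs a group search base, referencedUserAttribute needs a user search base, syncInterval has a 30 second floor), it pays to check an edited efm.properties before restarting the service. The script below is an added example, not a tool shipped with Edge Flow Manager: it reads the file with a minimal properties parser and reports violations of the rules stated on this page. The hostname, paths and passwords in the embedded sample are constructed placeholders.

```python
"""Static check of the LDAP group-management properties in efm.properties.

Added example, not part of Edge Flow Manager: it encodes the cross-property rules
the documentation states (TLS properties required for LDAPS/START_TLS, the 30 second
minimum syncInterval, referencedGroupAttribute needs group.searchBase, and so on).
The sample properties are constructed; paths and passwords are placeholders.
"""
import re

P = "efm.security.ldap."
AUTH = {"ANONYMOUS", "SIMPLE", "LDAPS", "START_TLS"}
REFERRAL = {"FOLLOW", "IGNORE", "THROW"}
STORE_TYPES = {"BCFKS", "PKCS12", "JKS"}
TLS_PROTOCOLS = {"TLS", "TLSv1_1", "TLSv1_2"}
SCOPES = {"ONE_LEVEL", "OBJECT", "SUBTREE"}
TLS_REQUIRED = ("keyStore", "keyStorePassword", "keyStoreType",
                "trustStore", "trustStorePassword", "trustStoreType")
UNIT_SECONDS = {"s": 1, "sec": 1, "second": 1, "seconds": 1, "m": 60, "min": 60,
                "minute": 60, "minutes": 60, "h": 3600, "hour": 3600, "hours": 3600}


def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props


def duration_seconds(value):
    """'30 m', '45s' or '10 seconds' -> seconds; None when not a duration."""
    m = re.fullmatch(r"(\d+)\s*([A-Za-z]+)", value.strip())
    if not m or m.group(2).lower() not in UNIT_SECONDS:
        return None
    return int(m.group(1)) * UNIT_SECONDS[m.group(2).lower()]


def validate_ldap_config(props):
    """Return a list of findings (strings); an empty list means the checks passed."""
    f, get = [], (lambda suffix: props.get(P + suffix))
    if props.get("efm.security.user.auth.groups.manager") != "LDAP":
        f.append("efm.security.user.auth.groups.manager is not LDAP; group management by LDAP is off")
    urls = get("url")
    if not urls:
        f.append(P + "url is missing")
    else:
        for u in (x.strip() for x in urls.split(",")):
            if not re.fullmatch(r"ldaps?://[^/\s:]+(:\d+)?/?", u):
                f.append(f"{P}url entry is not ldap(s)://host[:port]: {u!r}")
    interval = get("syncInterval")
    if interval is not None:
        secs = duration_seconds(interval)
        if secs is None:
            f.append(f"{P}syncInterval is not a duration: {interval!r}")
        elif secs < 30:
            f.append(f"{P}syncInterval {interval!r} is below the 30 second minimum")
    strategy = get("authenticationStrategy")
    if strategy not in AUTH:
        f.append(f"{P}authenticationStrategy must be one of {sorted(AUTH)}")
    elif strategy in ("LDAPS", "START_TLS"):
        f += [f"{P}tls.{s} is required for {strategy}" for s in TLS_REQUIRED if not get("tls." + s)]
        for s, allowed in (("keyStoreType", STORE_TYPES), ("trustStoreType", STORE_TYPES),
                           ("tlsProtocol", TLS_PROTOCOLS)):
            if get("tls." + s) and get("tls." + s) not in allowed:
                f.append(f"{P}tls.{s} must be one of {sorted(allowed)}")
    if get("tls.shutdownGracefully") == "true" and strategy != "START_TLS":
        f.append(f"{P}tls.shutdownGracefully only applies to START_TLS")
    if get("referralStrategy") and get("referralStrategy") not in REFERRAL:
        f.append(f"{P}referralStrategy must be one of {sorted(REFERRAL)}")
    for side in ("user", "group"):
        if get(f"{side}.searchScope") and get(f"{side}.searchScope") not in SCOPES:
            f.append(f"{P}{side}.searchScope must be one of {sorted(SCOPES)}")
    user_base, group_base = get("user.searchBase"), get("group.searchBase")
    if not user_base and not group_base:
        f.append("neither user.searchBase nor group.searchBase is set; nothing is synchronized")
    if get("user.referencedGroupAttribute") and not group_base:
        f.append(f"{P}user.referencedGroupAttribute requires {P}group.searchBase")
    if get("group.referencedUserAttribute") and not user_base:
        f.append(f"{P}group.referencedUserAttribute requires {P}user.searchBase")
    return f


# Constructed sample: a consistent LDAPS configuration (placeholder host, paths, passwords).
SAMPLE_OK = """
efm.security.user.auth.groups.manager=LDAP
efm.security.ldap.url=ldaps://ldap.example.test:636
efm.security.ldap.syncInterval=30 m
efm.security.ldap.authenticationStrategy=LDAPS
efm.security.ldap.tls.keyStore=/path/to/keystore.p12
efm.security.ldap.tls.keyStorePassword=PLACEHOLDER
efm.security.ldap.tls.keyStoreType=PKCS12
efm.security.ldap.tls.trustStore=/path/to/truststore.p12
efm.security.ldap.tls.trustStorePassword=PLACEHOLDER
efm.security.ldap.tls.trustStoreType=PKCS12
efm.security.ldap.tls.tlsProtocol=TLSv1_2
efm.security.ldap.user.searchBase=ou=users,o=efm
efm.security.ldap.group.searchBase=ou=groups,o=efm
"""

if __name__ == "__main__":
    print(validate_ldap_config(parse_properties(SAMPLE_OK)) or ["OK"])
```

To check a real file, pass `open("efm.properties").read()` to parse_properties instead of the sample. Findings are returned rather than raised so the script can be dropped into a deployment pipeline and fail the step only when the list is non-empty.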