Enabling LDAP authentication

Cloudera Data Visualization by default uses local account (basic) authentication, where users must be created manually through the UI using the default admin user. This authentication method can be supplemented with LDAP authentication so that corporate credentials can be used to log in to Cloudera Machine Learning (CML) Data Visualization.

Prepare your installation by collecting the values of the following LDAP configuration parameters:

Configuration Item        Description
AUTH_LDAP_SERVER_URI      LDAP server URI, for example: ldap://ldap.example.com
AUTH_LDAP_BIND_DN         Distinguished Name (DN) of the bind user account. This must be the full DN of the bind user, not just the bind username.
AUTH_LDAP_BIND_PASSWORD   Password of the bind user account
AUTH_LDAP_USER_SEARCH     The DN of the subtree that contains users, often an Organizational Unit (OU)
AUTH_LDAP_GROUP_SEARCH    The DN of the subtree that contains groups, often an OU
AUTH_LDAP_REQUIRE_GROUP   The DN of a group to which users must belong to have login privileges
LDAP Group for Admins     The DN of the Admins group. Users in this group have admin access.

LDAP can be configured for non-public applications, but it may lead to a double-login scenario, so consider using public applications that can be accessed by unauthenticated users. For more information on public applications in CML, see Securing Applications.

For more information on how you can configure Cloudera Data Visualization security and authentication settings, see Security and Authentication.

  1. Click the Gear icon on the main navigation bar to open the Administration menu and select Site Settings.
  2. Select Advanced Settings from the left navigation.

    You can configure LDAP authentication using one of the following options:

    Option 1: Configuring LDAP authentication with a bind user

    Bind User authentication with LDAP offers more flexibility for user and group lookups, allowing you to map users in ML Data Viz to roles automatically. This means that when these users log in, they are granted access to specific dashboards and datasets based on their assigned roles. Note that additional steps in the ML Data Viz Roles setup section are required to achieve this functionality.

    Implementing Bind User authentication requires you to request and maintain a Bind User. While this setup may take a bit more time initially, it offers enhanced flexibility.

    With Bind User authentication, you may need to periodically update the Bind User password since it is likely to expire over time.

    This is a code snippet illustrating a simple search/bind approach that completes an anonymous bind, searches the OU for an object that matches the UID of the user’s name, and attempts to bind using the DN obtained from the search and the user’s password. The authentication succeeds only if the search returns exactly one result. If anonymous search is not possible, set the AUTH_LDAP_BIND_DN to the DN of an authorized user, and AUTH_LDAP_BIND_PASSWORD to the password for authentication.

    import ldap
    from django_auth_ldap.config import LDAPSearch

    # An empty DN and password make the initial search an anonymous bind
    AUTH_LDAP_BIND_DN = ""
    AUTH_LDAP_BIND_PASSWORD = ""
    # Find the user's DN by uid under the users OU; login succeeds only if exactly one entry matches
    AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=users,dc=example,dc=com", ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
    Option 2: Direct Bind Approach

    Direct Bind explicitly passes the user’s credentials to authenticate with the LDAP server. This method does not require a Bind User account, but does not support group lookups for logged-in users. So you cannot configure automatic User-Role mapping using this method.

    This is a code snippet illustrating a simple direct bind approach:

    # Bind to the LDAP server as the logging-in user; no bind user account is needed
    AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True
    # The user's DN is built from the template, so no search is performed
    AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=users,dc=example,dc=com"

Example: Bind User with Environment Variables

Store the LDAP_DN and LDAP_PASSWORD environment variables in the Project Settings under the Engine tab for easier management.


import os
import ldap
from django_auth_ldap.config import LDAPSearch, NestedActiveDirectoryGroupType, ActiveDirectoryGroupType

# Connection options
#AUTH_LDAP_START_TLS = True  # Optional for LDAPS but normally not needed
AUTH_LDAP_SERVER_URI = "ldap://ldap.example.com:389"

# Bind user setup (credentials are read from the LDAP_DN and LDAP_PASSWORD environment variables)
AUTH_LDAP_BIND_DN = os.getenv('LDAP_DN')
AUTH_LDAP_BIND_PASSWORD = os.getenv('LDAP_PASSWORD')

# Required Group for all users to access application
#AUTH_LDAP_REQUIRE_GROUP = "CN=All_Staff_WW,OU=Groups,DC=example,DC=local"

# Group for specifying super admins
#AUTH_LDAP_USER_FLAGS_BY_GROUP = {
#    "is_superuser": ["CN=cloud_spend_analysts,OU=Groups,DC=example,DC=local"]
#}

# User and group search objects and types
AUTH_LDAP_USER_SEARCH = LDAPSearch("CN=users,DC=example,DC=local", ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)")
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("OU=Groups,DC=example,DC=local", ldap.SCOPE_SUBTREE, "(objectClass=group)")

# Map LDAP attributes to Django
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail"
}

# Cache settings
# Note this may cause a delay when groups are changed in LDAP
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600*4  # Cache for 4 hours
REMOTE_GROUP_CACHE_TIMEOUT = 3600*4

# Group Settings
AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType()
AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_MIRROR_GROUPS = False

# Some optional TLS/SSL options when enabling LDAPS
#AUTH_LDAP_GLOBAL_OPTIONS = {
#    ldap.OPT_X_TLS_CACERTFILE: "/etc/bla.cert",        # Point to CA Cert file
#    ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER, # Disable cert checking (ldap.OPT_X_TLS_DEMAND verifies the server certificate)
#}

AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_DEBUG_LEVEL: 1,  # 0 to 255
    ldap.OPT_REFERRALS: 0,  # For Active Directory
}

# If there is no Bind User you can use these settings, but it's not the preferred way
#AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True
#AUTH_LDAP_USER_DN_TEMPLATE = "example\\%(user)s"  # DOMAIN\user form; the backslash must be doubled in a Python string literal

# The backend needed to make this work.
AUTHENTICATION_BACKENDS = (
    'arcweb.arcwebbase.basebackends.VizBaseLDAPBackend',
    'django.contrib.auth.backends.ModelBackend'
)
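The search/bind flow of Option 1, together with the AUTH_LDAP_REQUIRE_GROUP and AUTH_LDAP_USER_FLAGS_BY_GROUP roles from the settings above, as an added example that is not Cloudera's or django-auth-ldap's code: it runs against a small in-memory directory constructed here (the user accounts, their passwords and the svc_dataviz bind user are assumptions) and walks through the checks that decide a login: the bind user itself must bind, exactly one user entry must match, the rebind as that user must succeed, and the user must be in the required group, with admin status derived from the admin group.

```python
# Constructed directory: DN -> (attributes, password); memberOf lists the user's group DNs.
DIRECTORY = {
    "CN=jdoe,CN=users,DC=example,DC=local": ({"sAMAccountName": "jdoe",
        "memberOf": ["CN=All_Staff_WW,OU=Groups,DC=example,DC=local"]}, "jdoe-pw"),
    "CN=asmith,CN=users,DC=example,DC=local": ({"sAMAccountName": "asmith",
        "memberOf": ["CN=All_Staff_WW,OU=Groups,DC=example,DC=local",
                     "CN=cloud_spend_analysts,OU=Groups,DC=example,DC=local"]}, "asmith-pw"),
    "CN=contractor,CN=users,DC=example,DC=local": ({"sAMAccountName": "contractor",
        "memberOf": []}, "contractor-pw"),
    "CN=svc_dataviz,CN=users,DC=example,DC=local": ({"sAMAccountName": "svc_dataviz",
        "memberOf": []}, "bind-pw"),
}
CFG = {  # same roles as the page's settings; the service account (bind user) is constructed
    "bind_dn": "CN=svc_dataviz,CN=users,DC=example,DC=local", "bind_password": "bind-pw",
    "user_search_base": "CN=users,DC=example,DC=local",
    "require_group": "CN=All_Staff_WW,OU=Groups,DC=example,DC=local",
    "admin_group": "CN=cloud_spend_analysts,OU=Groups,DC=example,DC=local",
}

def escape_filter_chars(value):
    """RFC 4515 escaping, as django_auth_ldap applies to %(user)s before searching."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def bind(dn, password):
    """Simple bind: an empty DN is an anonymous bind; otherwise the password must match."""
    return dn == "" or (dn in DIRECTORY and DIRECTORY[dn][1] == password)

def search(base, attr, value):
    """Return the DNs under base whose attribute equals value (subtree, exact match)."""
    return [dn for dn, (attrs, _) in DIRECTORY.items()
            if dn.endswith("," + base) and attrs.get(attr) == value]

def authenticate(cfg, username, password):
    """Search/bind: bind as the service account, require exactly one user match, rebind as
    that user, enforce the required group; returns (user_dn, is_superuser) or None."""
    if not bind(cfg["bind_dn"], cfg["bind_password"]):
        return None  # service account rejected, e.g. its password has expired
    hits = search(cfg["user_search_base"], "sAMAccountName", escape_filter_chars(username))
    if len(hits) != 1 or not password:  # zero/ambiguous matches, or an empty password
        return None  # (an empty password would turn the rebind into an anonymous bind)
    user_dn = hits[0]
    if not bind(user_dn, password):
        return None
    groups = DIRECTORY[user_dn][0]["memberOf"]
    if cfg["require_group"] not in groups:
        return None
    return user_dn, cfg["admin_group"] in groups
```

A wildcard username such as "*" is escaped before the search, so it matches no entry rather than several, and a bind user with an expired password fails every login at the first step, which is the symptom the note on password expiry above refers to.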

Example: Direct Bind Configuration


import ldap
from django_auth_ldap.config import LDAPSearch, NestedActiveDirectoryGroupType, ActiveDirectoryGroupType

# Connection options
#AUTH_LDAP_START_TLS = True  # Optional for LDAPS but normally not needed
AUTH_LDAP_SERVER_URI = "ldap://ldap.example.com:389"

# Bind user setup (not used with direct bind; would need "import os" if enabled)
#AUTH_LDAP_BIND_DN = os.getenv('LDAP_DN')
#AUTH_LDAP_BIND_PASSWORD = os.getenv('LDAP_PASSWORD')

# Required Group for all users to access application
#AUTH_LDAP_REQUIRE_GROUP = "CN=All_Staff_WW,OU=Groups,DC=example,DC=local"

# Group for specifying super admins
#AUTH_LDAP_USER_FLAGS_BY_GROUP = {
#    "is_superuser": ["CN=cloud_spend_analysts,OU=Groups,DC=example,DC=local"]
#}

# User and group search objects and types (the user search is replaced by the DN template below)
#AUTH_LDAP_USER_SEARCH = LDAPSearch("CN=users,DC=example,DC=local", ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)")

AUTH_LDAP_GROUP_SEARCH = LDAPSearch("OU=Groups,DC=example,DC=local", ldap.SCOPE_SUBTREE, "(objectClass=group)")

# Map LDAP attributes to Django
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail"
}

# Cache settings
# Note this may cause a delay when groups are changed in LDAP
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600*4  # Cache for 4 hours
REMOTE_GROUP_CACHE_TIMEOUT = 3600*4

# Group Settings
AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType()
AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_MIRROR_GROUPS = False

# Some optional TLS/SSL options when enabling LDAPS
#AUTH_LDAP_GLOBAL_OPTIONS = {
#    ldap.OPT_X_TLS_CACERTFILE: "/etc/bla.cert",        # Point to CA Cert file
#    ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER, # Disable cert checking (ldap.OPT_X_TLS_DEMAND verifies the server certificate)
#}

AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_DEBUG_LEVEL: 1,  # 0 to 255
    ldap.OPT_REFERRALS: 0,  # For Active Directory
}

# If there is no Bind User you can use these settings, but it's not the preferred way
AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True
AUTH_LDAP_USER_DN_TEMPLATE = "example\\%(user)s"  # DOMAIN\user form; the backslash must be doubled in a Python string literal

# The backend needed to make this work.
AUTHENTICATION_BACKENDS = (
    'arcweb.arcwebbase.basebackends.VizBaseLDAPBackend',
    'django.contrib.auth.backends.ModelBackend'
)