Configuring Cloudera Navigator for Active Directory
When users log in using the Active Directory external authentication type, Navigator derives a user principal name (UPN) from the login name and uses it to search for the user's LDAP object: it appends @ and the configured Active Directory domain to the login name, so the login jdoe becomes jdoe@example.com. If your users' principal names do not follow this pattern, use the LDAP authentication type, which offers a more flexible model for searching LDAP. For example, if a user's principal name is email@example.com but the login name is jdoe, authentication fails under the Active Directory configuration because jdoe@example.com matches no object. See Configuring Cloudera Navigator for LDAP.
To configure Cloudera Navigator for external authentication with Active Directory:
- Log in to Cloudera Manager Admin Console.
- Select Clusters > Cloudera Management Service.
- Click the Configuration tab.
- Select Navigator Metadata Server for the Scope filter.
- Select External Authentication for the Category filter.
- Leave the Authentication Backend Order set to its default value, Cloudera Manager Only, until the external system has been successfully configured for Cloudera Navigator (as detailed in these steps) and the user accounts in the Active Directory instance are members of groups that have been granted Cloudera Navigator user role privileges. When Cloudera Navigator receives a login request, it checks the user repositories in the order specified. Checking only the external system before the user accounts and roles have been configured results in authentication failures, including for the administrators who would need to correct the configuration.
- If user accounts and groups for Cloudera Navigator already exist in Active Directory, and a group that has been granted the Cloudera Manager Full Administrator or Navigator Administrator user role contains at least one user account (so that the system can still be managed), the order can be set to External then Cloudera Manager or External Only.
- Configure the remaining settings for the Active Directory instance as detailed in the table.
Property: Description and usage note
  - External Authentication Type: Active Directory.
  - LDAP URL: Full path to the Active Directory instance, including the protocol specifier, ldap or ldaps (for TLS/SSL). It is not necessary to specify the port number if the Active Directory service is hosted on the default ports, 389 (LDAP) or 636 (LDAPS). Prefer ldaps wherever the domain controller supports it: over plain ldap, the bind password and every attribute returned by a search cross the network in cleartext. For example:
  - LDAP Bind User Distinguished Name: The account that connects to the Active Directory service to look up login requests on behalf of Cloudera Navigator. Enter either the complete user principal name or just the short name, for example cn-admin@EXAMPLE.COM or cn-admin. For Active Directory, this distinguished name (DN) corresponds to the sAMAccountName. A dedicated account with read-only access to the user and group subtrees is sufficient; it needs no administrative rights in the domain.
  - LDAP Bind Password: The password used to log in to the Active Directory instance with the DN specified for the bind user.
  - Active Directory Domain: The fully-qualified domain name of the Active Directory domain controller host system. This is the service to which the bind operation For example:
  - LDAP Distinguished Name Pattern: Leave blank if LDAP User Search Base is set.
  - LDAP User Search Base: The organizational unit (OU) and domain component (DC) properties that define the subtree searched for user objects. For example:
  - LDAP User Search Filter: Optional.
  - LDAP Group Search Base
  - LDAP Group Search Filter For Logged In User: Optional.
  - LDAP Groups Search Filter
- Click Save Changes.
- Restart the Navigator Metadata Server:
  - From Cloudera Management Service, click the Instances tab.
  - Select Navigator Metadata Server from among the instances listed.
  - Click the Actions for Selected button and select Restart.
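The following is an added example, not Cloudera code, that models the two behaviours this page depends on: how the Active Directory type resolves a login name to a directory object by building login@domain (versus the LDAP type, which substitutes the login into a search filter), and how the Authentication Backend Order decides which repositories answer a login. The directory entries, the navigator-admins group, the local admin account and the `{0}` placeholder filter are constructed for illustration; password verification and the network bind are left out, since the point is which repository a given order consults.

```python
"""Model of login resolution under the Active Directory and LDAP types and of
the Authentication Backend Order. Added example; all data is constructed."""
import re

# Constructed sample of entries an Active Directory domain controller might return.
DIRECTORY = [
    {
        "dn": "CN=John Doe,OU=Users,DC=example,DC=com",
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": "jdoe",
        "userPrincipalName": "john.doe@example.com",  # does not match login@domain
        "memberOf": ["CN=navigator-admins,OU=Groups,DC=example,DC=com"],
    },
    {
        "dn": "CN=Ann Lee,OU=Users,DC=example,DC=com",
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": "alee",
        "userPrincipalName": "alee@example.com",
        "memberOf": [],  # no group carrying a Navigator role
    },
]

# Constructed: the AD group granted a Navigator user role, and the local
# Cloudera Manager accounts that exist independently of the directory.
NAVIGATOR_ROLE_GROUPS = {"CN=navigator-admins,OU=Groups,DC=example,DC=com"}
CM_LOCAL_USERS = {"admin"}


def lookup_active_directory(login, domain, directory=DIRECTORY):
    """Active Directory type: the principal is login@domain; nothing else is tried."""
    upn = f"{login}@{domain}".lower()
    return next((e for e in directory if e["userPrincipalName"].lower() == upn), None)


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter, so a
    login such as 'jdoe)(objectClass=*' cannot change the filter's shape."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(flt, pos=0):
    """Parse one filter component: (attr=value) or (&(...)(...)); return (node, next_pos)."""
    if flt[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    pos += 1
    if flt[pos] == "&":
        pos += 1
        children = []
        while flt[pos] == "(":
            node, pos = _parse(flt, pos)
            children.append(node)
        return ("and", children), pos + 1  # skip the closing ')'
    end = flt.index(")", pos)
    attr, _, value = flt[pos:end].partition("=")
    return ("eq", attr, value), end + 1


def _match(entry, node):
    if node[0] == "and":
        return all(_match(entry, child) for child in node[1])
    _, attr, value = node
    actual = entry.get(attr)
    if actual is None:
        return False
    if value == "*":  # presence test
        return True
    wanted = _unescape(value).lower()
    values = actual if isinstance(actual, list) else [actual]
    return any(str(v).lower() == wanted for v in values)


def render_filter(template, login):
    """LDAP type: substitute the (escaped) login for the {0} placeholder."""
    return template.replace("{0}", escape_filter_value(login))


def lookup_ldap(login, template, directory=DIRECTORY):
    """LDAP type: return the first entry matching the rendered search filter."""
    flt = render_filter(template, login)
    node, end = _parse(flt)
    if end != len(flt):
        raise ValueError("trailing characters in filter: %r" % flt[end:])
    return next((e for e in directory if _match(e, node)), None)


USER_FILTER = "(&(objectClass=user)(sAMAccountName={0}))"
BACKENDS = {
    "Cloudera Manager Only": ["cm"],
    "External then Cloudera Manager": ["external", "cm"],
    "External Only": ["external"],
}


def authenticate(login, order):
    """Consult repositories in the configured Authentication Backend Order.
    An external login also needs membership in a group granted a Navigator role."""
    for backend in BACKENDS[order]:
        if backend == "cm" and login in CM_LOCAL_USERS:
            return "cm"
        if backend == "external":
            entry = lookup_ldap(login, USER_FILTER)
            if entry and NAVIGATOR_ROLE_GROUPS & set(entry["memberOf"]):
                return "external"
    return None


if __name__ == "__main__":
    print(lookup_active_directory("jdoe", "example.com"))  # None: UPN is john.doe@example.com
    print(lookup_ldap("jdoe", USER_FILTER)["dn"])          # found via sAMAccountName
    print(authenticate("admin", "External Only"))          # None: admin exists only in CM
```

The `admin` case is the lockout the backend-order step warns about: with External Only, a local Cloudera Manager account is never consulted, so switch the order only after a directory user in a role-bearing group has been confirmed to log in. The escaping in `escape_filter_value` is standard RFC 4515 practice for any filter that interpolates a user-supplied name.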