LDAP group settings

In addition to the general LDAP settings, you can use group settings to restrict access to Cloudera AI to certain LDAP groups.

  • LDAP Group Search Base: The base distinguished name (DN) where Cloudera AI will search for groups.

  • LDAP Group Search Filter: The LDAP filter that Cloudera AI will use to determine whether a user belongs to a group.

    A group object in LDAP or Active Directory typically has one or more member attributes that store the DNs of the users in the group. If LDAP Group Search Filter is set to member={0}, Cloudera AI will automatically replace the {0} placeholder with the DN of the authenticated user.

  • LDAP User Groups: A list of LDAP groups whose users have access to Cloudera AI. When this property is set, only users who successfully authenticate AND belong to at least one of the groups listed here will be able to access Cloudera AI.

    If this property is left empty, all users that can successfully authenticate themselves to LDAP will be able to access Cloudera AI.

  • LDAP Full Administrator Groups: A list of LDAP groups whose users are automatically granted the site administrator role on Cloudera AI.

    The groups listed under LDAP Full Administrator Groups do not need to be listed again under the LDAP User Groups property.

    Figure 1. Example

    If you want to restrict access to Cloudera AI to members of a group whose DN is:

    CN=MLUsers,OU=Groups,DC=company,DC=com

    And automatically grant site administrator privileges to members of a group whose DN is:

    CN=MLAdmins,OU=Groups,DC=company,DC=com

    Add the CNs of both groups to the following settings in Cloudera AI:
    • LDAP User Groups: MLUsers
    • LDAP Full Administrator Groups: MLAdmins
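The access decision these settings describe can be modeled offline before the configuration is changed. The following Python is an added example, not Cloudera AI code: the function names, the constructed sample directory and the case-insensitive DN comparison are assumptions for illustration, and the filter value is escaped as RFC 4515 requires.

```python
# Added example: a model of the documented behaviour, not Cloudera AI source code.
GROUP_FILTER = "member={0}"    # LDAP Group Search Filter, as on this page
USER_GROUPS = ["MLUsers"]      # LDAP User Groups
ADMIN_GROUPS = ["MLAdmins"]    # LDAP Full Administrator Groups

# Constructed sample directory: group CN -> DNs stored in its member attribute.
SAMPLE_GROUPS = {
    "MLUsers": ["CN=Ana Lee,OU=People,DC=company,DC=com"],
    "MLAdmins": ["CN=Raj (Ops),OU=People,DC=company,DC=com"],
    "Finance": ["CN=Kim Yu,OU=People,DC=company,DC=com"],
}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def build_group_filter(user_dn, template=GROUP_FILTER):
    """Replace the {0} placeholder with the escaped DN of the authenticated user."""
    return template.replace("{0}", escape_filter_value(user_dn))


def groups_of(user_dn, directory):
    """Stand-in for the group search: CNs of groups that list user_dn as a member."""
    wanted = user_dn.casefold()  # assumption: DNs compared case-insensitively
    return {cn for cn, members in directory.items()
            if any(m.casefold() == wanted for m in members)}


def decide_access(user_dn, directory, user_groups=USER_GROUPS,
                  admin_groups=ADMIN_GROUPS):
    """Return 'admin', 'user' or 'denied' for an already-authenticated user."""
    member_of = groups_of(user_dn, directory)
    if member_of & set(admin_groups):
        return "admin"   # admin groups need not be repeated under LDAP User Groups
    if not user_groups or member_of & set(user_groups):
        return "user"    # an empty LDAP User Groups list admits every authenticated user
    return "denied"
```

The string returned by build_group_filter can be run against the LDAP Group Search Base with a directory client to confirm that it returns only the groups you expect.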