LDAP Group Settings

In addition to the general LDAP settings, you can use group settings to restrict the access to Cloudera Machine Learning to certain groups in LDAP.

  • LDAP Group Search Base: The base distinguished name (DN) where Cloudera Machine Learning will search for groups.

  • LDAP Group Search Filter: The LDAP filter that Cloudera Machine Learning will use to determine whether a user is affiliated to a group.

    A group object in LDAP or Active Directory typically has one or more member attributes that stores the DNs of users in the group. If LDAP Group Search Filter is set to member={0}, Cloudera Machine Learning will automatically substitute the {0} placeholder for the DN of the authenticated user.

  • LDAP User Groups: A list of LDAP groups whose users have access to Cloudera Machine Learning. When this property is set, only users that successfully authenticate themselves AND are affiliated to at least one of the groups listed here, will be able to access Cloudera Machine Learning.

    If this property is left empty, all users that can successfully authenticate themselves to LDAP will be able to access Cloudera Machine Learning.

  • LDAP Full Administrator Groups: A list of LDAP groups whose users are automatically granted the site administrator role on Cloudera Machine Learning.

    The groups listed under LDAP Full Administrator Groups do not need to be listed again under the LDAP User Groups property.

    Figure 1. Example

    If you want to restrict access to Cloudera Machine Learning to members of a group whose DN is:

    CN=CMLUsers,OU=Groups,DC=company,DC=com
    And automatically grant site administrator privileges to members of a group whose DN is:
    CN=CMLAdmins,OU=Groups,DC=company,DC=com
    Add the CNs of both groups to the following settings in Cloudera Machine Learning:
    • LDAP User Groups: CMLUsers
    • LDAP Full Administrator Groups: CMLAdmins