Configure LDAP authentication for CDP Private Cloud

How to configure LDAP user authentication for CDP Private Cloud.

If you intend to use Hue as your SQL editor in CDW, you must use Active Directory LDAP over SSL.
  1. On the Management Console home page, select Administration > Authentication.
  2. Configure the following settings for LDAP authentication:
    Property: LDAP URL
    Description: The LDAP server URL. The URL must be prefixed with ldap:// or ldaps://. The URL can optionally specify a custom port, for example: ldaps://ldap_server.example.com:1636. Note that user names and passwords will be transmitted in the clear unless either an ldaps:// URL is used or "Enable LDAP TLS" is turned on (where available). Also note that, for the same reason, encryption must be in use between the client and this service.
    Sample values: ldap://<ldap-host>:389 or ldaps://<ldap-host>:636

    Property: CA Certificate for Secure LDAP
    Description: The X.509 PEM certificate to be used to access secure LDAP (URLs starting with ldaps://). Ensure that at least one valid certificate is provided. A typical CA certificate is structured as follows:

    -----BEGIN CERTIFICATE-----..-----END CERTIFICATE-----

    Property: LDAP Bind DN
    Description: The Distinguished Name of the user to bind to LDAP for the user authentication search/bind and for the group lookup used in role authorization. AD accepts either a UPN value or the DN value as a valid Bind DN.

    Distinguished Name (DN) example:

    CN=cdh admin,OU=svcaccount,DC=example,DC=com

    UPN value example: cdhadmin@example.com

    Property: LDAP Bind Password
    Description: The bind user password.

    Property: LDAP User Search Base
    Description: The distinguished name indicating the path within the directory information tree from which to begin user searches.

    AD example:

    cn=users,dc=example,dc=com

    LDAP example:

    ou=people,dc=example,dc=com

    Property: LDAP User Search Filter
    Description: The search filter to use for finding users.

    AD example:

    (sAMAccountName={0})

    LDAP example:

    (uid={0})

    Note that a custom attribute can also be used if the directory is configured differently for user names. The {0} expands to the currently authenticating user's name as entered in the login form.

    Property: LDAP Group Search Filter
    Description: The search filter to use for finding the groups of authenticated users, which determine their Cloudera Manager role. For Active Directory and OpenLDAP-compatible directories this will usually be (member={0}), where {0} is replaced by the DN string of a user who has successfully authenticated through the search/bind process. This requires the LDAP Bind User Distinguished Name field to be configured.

    Property: Email Mapping Attribute
    Description: The LDAP attribute to be used for mapping the email in Identity Management. If no value is provided, mail is used as the default email mapping attribute.

    Email is a mandatory value in CDP. If no value is found for the email attribute, a value of {username}@cdp.example is assumed for the user.

    Property: LDAP User Bind Property
    Description: The property of the LDAP user object to use when binding to verify the password. This value should always be set to dn.

    Property: Username Mapping Attribute
    Description: The LDAP attribute to be used for mapping the userId in Identity Management. If no value is provided, dn is used as the default username mapping attribute.

    Property: Groupname Mapping Attribute
    Description: The LDAP attribute to be used for mapping the groupId in Identity Management.

    Property: Group DN Property
    Description: The property of the user object to use in the {{dn}} interpolation of groupSearchFilter. This value should always be set to dn.

    Property: First Name Mapping Attribute
    Description: The LDAP attribute to be used for mapping the first name attribute in Identity Management.

    Property: Last Name Mapping Attribute
    Description: The LDAP attribute to be used for mapping the last name attribute in Identity Management.
  3. Click Save. The LDAP users are listed on the Users list on the User Management page.
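As an added example (not part of the Cloudera documentation or product), the following Python sketch applies the checks this settings table implies: it substitutes the login name into the {0} placeholder with RFC 4515 filter escaping, derives the default {username}@cdp.example address, and flags an ldap:// URL, a missing CA certificate for ldaps://, or a bind property other than dn. LdapSettings, check_settings and the certificate text are this example's own constructed names and placeholder data.

```python
import re
from dataclasses import dataclass

# Loose shape check for a PEM block, matching the "-----BEGIN CERTIFICATE-----" form the table shows.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s+[A-Za-z0-9+/=\s]+-----END CERTIFICATE-----")

@dataclass
class LdapSettings:  # hypothetical container for the Management Console fields
    ldap_url: str
    user_search_base: str
    user_search_filter: str
    group_search_filter: str = "(member={0})"
    ca_certificate: str = ""
    email_attribute: str = "mail"
    user_bind_property: str = "dn"
    group_dn_property: str = "dn"

def escape_filter_value(value: str) -> str:
    """Escape a login name per RFC 4515 so it cannot alter the filter structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def render_filter(template: str, value: str) -> str:
    """Expand {0} in a user or group search filter with an escaped value."""
    return template.replace("{0}", escape_filter_value(value))

def default_email(username: str) -> str:
    """Fallback address CDP assumes when the email attribute is empty."""
    return f"{username}@cdp.example"

def check_settings(s: LdapSettings) -> list:
    """Return a list of findings; an empty list means the configuration passes."""
    findings = []
    if s.ldap_url.startswith("ldap://"):
        findings.append("ldap:// URL: bind credentials cross the network in the clear; use ldaps:// or enable LDAP TLS")
    elif s.ldap_url.startswith("ldaps://"):
        if not PEM_RE.search(s.ca_certificate):
            findings.append("ldaps:// URL but no PEM CA certificate supplied")
    else:
        findings.append("LDAP URL must start with ldap:// or ldaps://")
    if "{0}" not in s.user_search_filter:
        findings.append("user search filter lacks the {0} login-name placeholder")
    if "{0}" not in s.group_search_filter:
        findings.append("group search filter lacks the {0} user-DN placeholder")
    if s.user_bind_property != "dn" or s.group_dn_property != "dn":
        findings.append("LDAP User Bind Property and Group DN Property should both be dn")
    return findings

# Constructed sample: the certificate body is a placeholder, not a real CA certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIBplaceholderBodyNotARealCert\n-----END CERTIFICATE-----"
SECURE = LdapSettings("ldaps://ldap.example.com:636", "cn=users,dc=example,dc=com",
                      "(sAMAccountName={0})", ca_certificate=SAMPLE_PEM)
INSECURE = LdapSettings("ldap://ldap.example.com:389", "ou=people,dc=example,dc=com", "(uid={0})")
```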