Configuring LDAP authentication for CDP Private Cloud

You can configure LDAP user authentication for CDP Private Cloud from the Administration page of the Management Console.

If you intend to use Hue as your SQL editor in CDW, you must use LDAP over SSL.
  1. Sign in to the CDP console.
  2. Click Management Console.
  3. On the Management Console home page, select Administration>Authentication.
  4. Configure the following settings for LDAP authentication:
    Property Description Sample values
    LDAP URL The LDAP server URL. The URL must be prefixed with ldap:// or ldaps://. The URL can optionally specify a custom port, for example: ldaps://ldap_server.example.com:1636. ldap://<ldap-host>:389 or ldaps://<ldap-host>:636
    CA Certificate for Secure LDAP

    The X.509 PEM certificate to be used to access secure LDAP (URLs starting with ldaps://). Ensure that at least one valid certificate is provided. A typical CA certificate is structured as follows:

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE----- 
    If you add or update CA certificates and you have deployed the Cloudera Data Warehouse (CDW) service in your ECS cluster, you must refresh the affected Database Catalogs and Virtual Warehouses from the CDW UI. Go to the CDW UI, click on the more vertical menu on the Database Catalog or Virtual Warehouse and click Refresh.
    LDAP Bind DN The Distinguished Name of the user to bind to LDAP for user authentication search/bind and group lookup for role authorization.

    Distinguished Name (DN) example:

    CN=cdh admin,OU=svcaccount,DC=example,DC=com

    FreeIPA example:

    uid=username,cn=users,cn=accounts,dc=example,dc=com

    LDAP Bind Password The bind user password.
    LDAP User Search Base The distinguished name indicating the path within the directory information tree from which to begin user searches.

    AD example:

    cn=users,dc=example,dc=com

    LDAP example:

    ou=people,dc=example,dc=com

    FreeIPA example:

    cn=accounts,dc=example,dc=com

    LDAP User Search Filter The search filter to use for finding users.

    AD example:

    (sAMAccountName={0})

    LDAP example:

    (uid={0})

    Note that a custom attribute can also be used if the directory is configured differently for user names. The {0} expands the currently authenticating user's name entered in the login form for the query.

    FreeIPA example:

    (&(uid={0})(objectClass=person))
    LDAP Group Search Base The distinguished name indicating the path within the directory information tree to begin group searches from.

    cn=accounts,dc=example,dc=com

    LDAP Group Search Filter The search filter to use for finding groups for authorization of authenticated users for their roles. You must configure this value such that only the groups associated with the user logging in are fetched from the IdP.

    There are two placeholders that can be used to match the groups of a user, {0) and {1}. {0} expands into the user DN and {1} expands into the username.

    For Active Directory and openLDAP compatible directories this will usually be (member={0}), where {0} will be replaced by DN string for a successfully authenticated user through the search/bind process. This requires configuration of the LDAP Bind User Distinguished Name field.
    AD example:
    (member={0})
    LDAP/FreeIPA examples:
    &(member={0})(objectClass=groupOfNames)
    &(memberUid={1})(objectClass=posixGroup)
    Email Mapping Attribute The LDAP attribute to be used for mapping the email in Identity Management. If no value is provided, mail is used as the default email mapping attribute.

    Email is a mandatory value in CDP. If no value is found for the email attribute, a value of {userame}@cdp.example is assumed for the user.

  5. If required, select Show Other Options and configure the following additional settings:
    Property Description Sample values
    LDAP User Bind Property The property of the LDAP user object to use when binding to verify the password. This value should always be set to dn.
    Username Mapping Attribute The LDAP attribute to be used for mapping the userId in Identity Management. If no value is provided, dn is used as the default username mapping attribute.
    Groupname Mapping Attribute The LDAP attribute to be used for mapping the groupId in Identity Management.
    Group DN Property The property of user object to use in {{dn}} interpolation of groupSearchFilter. This value should always be set to dn.
    First Name Mapping Attribute The LDAP attribute to be used for mapping the first name attribute in Identity Management.
    Last Name Mapping Attribute The LDAP attribute to be used for mapping the last name attribute in Identity Management.
  6. Click Test Connection to verify whether the LDAP information you have provided is valid.
    Management Console attempts a connection with the LDAP source based on the information provided, and returns a confirmation message if the connection is successful.
  7. Click Save. The LDAP users are listed on the User Management page.