Configuring LDAP authentication for CDP Private Cloud
You can configure LDAP user authentication for CDP Private Cloud from the Administration page of the Management Console.
- Sign in to the CDP console.
- Click Management Console.
- On the Management Console home page, select Administration>Authentication.
-
Configure the following settings for LDAP authentication:
Property Description Sample values LDAP URL The LDAP server URL. The URL must be prefixed with ldap:// or ldaps://. The URL can optionally specify a custom port, for example: ldaps://ldap_server.example.com:1636. ldap://<ldap-host>:389
orldaps://<ldap-host>:636
For Active Directory use:ldap://<AD Server>:3268 or ldaps://<AD Server>:3269
CA Certificate for Secure LDAP The X.509 PEM certificate to be used to access secure LDAP (URLs starting with ldaps://). Ensure that at least one valid certificate is provided. A typical CA certificate is structured as follows:
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
If you add or update CA certificates and you have deployed the Cloudera Data Warehouse (CDW) service in your ECS cluster, you must refresh the affected Database Catalogs and Virtual Warehouses from the CDW UI. Go to the CDW UI, click on the more vertical menu on the Database Catalog or Virtual Warehouse and click Refresh. LDAP Bind DN The Distinguished Name of the user to bind to LDAP for user authentication search/bind and group lookup for role authorization. Distinguished Name (DN) example:
CN=cdh admin,OU=svcaccount,DC=example,DC=com
FreeIPA example:
uid=username,cn=users,cn=accounts,dc=example,dc=com
LDAP Bind Password The bind user password. LDAP User Search Base The distinguished name indicating the path within the directory information tree from which to begin user searches. AD example:
cn=users,dc=example,dc=com
LDAP example:
ou=people,dc=example,dc=com
FreeIPA example:
cn=accounts,dc=example,dc=com
LDAP User Search Filter The search filter to use for finding users. AD example:
(sAMAccountName={0})
LDAP example:
(uid={0})
Note that a custom attribute can also be used if the directory is configured differently for user names. The
{0}
expands the currently authenticating user's name entered in the login form for the query.FreeIPA example:
(&(uid={0})(objectClass=person))
LDAP Group Search Base The distinguished name indicating the path within the directory information tree to begin group searches from. cn=accounts,dc=example,dc=com
LDAP Group Search Filter The search filter to use for finding groups for authorization of authenticated users for their roles. You must configure this value such that only the groups associated with the user logging in are fetched from the IdP. There are two placeholders that can be used to match the groups of a user, {0) and {1}. {0} expands into the user DN and {1} expands into the username.
For Active Directory and openLDAP compatible directories this will usually be (member={0})
, where{0}
will be replaced by DN string for a successfully authenticated user through the search/bind process. This requires configuration of the LDAP Bind User Distinguished Name field.AD example:(member={0})
LDAP/FreeIPA example:(&(member={0})(objectClass=posixgroup)(!(cn=admins)))
Email Mapping Attribute The LDAP attribute to be used for mapping the email in Identity Management. If no value is provided, mail
is used as the default email mapping attribute.Email is a mandatory value in CDP. If no value is found for the email attribute, a value of
{userame}@cdp.example
is assumed for the user. -
Select Show Other Options and configure the following
setting:
Property Description Sample values Username Mapping Attribute The LDAP attribute to be used for mapping the userId in Identity Management. -
If required, select Show Other Options and configure the
following additional settings:
Property Description Sample values LDAP User Bind Property The property of the LDAP user object to use when binding to verify the password. This value should always be set to dn
.Groupname Mapping Attribute The LDAP attribute to be used for mapping the groupId in Identity Management. Group DN Property The property of user object to use in {{dn}}
interpolation of groupSearchFilter.This value should always be set to dn
.First Name Mapping Attribute The LDAP attribute to be used for mapping the first name attribute in Identity Management. Last Name Mapping Attribute The LDAP attribute to be used for mapping the last name attribute in Identity Management. -
Click Test Connection to verify whether the LDAP
information you have provided is valid.
Management Console attempts a connection with the LDAP source based on the information provided, and returns a confirmation message if the connection is successful.
- Click Save. The LDAP users are listed on the User Management page.