Search bind authentication executes ldapsearch against one or more directory services and binds with the distinguished name (DN) and password. Hue searches the subtree from the base distinguished name. If the LDAP Username Attribute is set, Hue looks for an entry whose attribute has the same value as the short name given at login.

Important: Search binding works with all directory service types. It is also the only method that allows synchronizing groups at login (set with sync_groups_on_login in a safety valve).
Figure 1. Video: Authenticate Hue with LDAP and Search Bind
1. Log on to Cloudera Manager and click Hue.
2. Click the Configuration tab and filter by scope=Service-wide and category=Security.
3. Set the following required properties:

   Property                              Value
   Authentication Backend                desktop.auth.backend.LdapBackend
   LDAP URL                              ldaps://<ldap_server>:636 (or ldap://<ldap_server>:389)
   LDAP Server CA Certificate            /path_to_certificate/cert.pem
   LDAP Search Base                      DC=mycompany,DC=com
   LDAP Bind User Distinguished Name     username@domain
   LDAP Bind Password                    bind_user_password
   Use Search Bind Authentication        TRUE
   Enable LDAP TLS                       FALSE if using LDAPS or not encrypting
   Create LDAP users on login            TRUE
   Note: To encrypt with TLS, set LDAP URL to ldap://<ldap_server>:389 and check Enable LDAP TLS. For a proof of concept without encryption, use ldap://<ldap_server>:389, remove the value for LDAP Server CA Certificate, and uncheck Enable LDAP TLS.
4. You can optionally improve search performance with attributes and filters:

   Property                              Value
   LDAP User Filter                      objectclass=user (default = *)
   LDAP Username Attribute               sAMAccountName (AD default), uid (LDAP default)
   LDAP Group Filter                     objectclass=group (default = *)
   LDAP Group Name Attribute             cn (default)
   LDAP Group Membership Attribute       member (default)
   Note: With the user settings in the table above, the LDAP search filter has the form (&(objectClass=user)(sAMAccountName=<user entered username>)).
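The search-bind flow described at the top of this page (bind as the configured service account, search the subtree under the base DN with the filter shown above, then bind as the single matching entry with the login password) modelled in Python against a constructed in-memory directory. This is an added example, not Hue's or Cloudera's code; the DNs, account names and passwords are made up, and the filter value escaping follows RFC 4515 so that a login name cannot alter the filter.

```python
"""Model of Hue's search-bind login against a constructed in-memory directory.
Added example, not Hue's or Cloudera's code; DNs, names and passwords below are
constructed sample data, and attribute names are compared case-insensitively."""

# Constructed directory: DN -> attributes (keys lowercased). The "password"
# field stands in for the bind check a real server performs.
DIRECTORY = {
    "CN=Alice Smith,OU=Users,DC=mycompany,DC=com":
        {"objectclass": "user", "samaccountname": "asmith", "password": "s3cret"},
    "CN=Bob Jones,OU=Users,DC=mycompany,DC=com":
        {"objectclass": "user", "samaccountname": "bjones", "password": "hunter2"},
    "CN=Svc Hue,OU=Service,DC=mycompany,DC=com":
        {"objectclass": "user", "samaccountname": "svc-hue", "password": "bind_user_password"},
    # Same short name in another domain: excluded by the base DN, not by the filter.
    "CN=Alice Other,OU=Users,DC=othercorp,DC=com":
        {"objectclass": "user", "samaccountname": "asmith", "password": "s3cret"},
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a filter, so a login name
    such as 'a*' or 'x)(objectclass=*' cannot change the filter's meaning."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def build_search_filter(user_filter: str, username_attr: str, username: str) -> str:
    """The filter form the page shows: (&(objectclass=user)(sAMAccountName=<user>))."""
    return "(&(%s)(%s=%s))" % (user_filter, username_attr, escape_filter_value(username))

def _bind(dn: str, password: str) -> bool:
    """Simulated simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["password"] == password

def search_bind_login(bind_dn: str, bind_password: str, base_dn: str, user_filter: str,
                      username_attr: str, username: str, password: str):
    """Return the authenticated user's DN, or None if any step fails.
    user_filter is limited to a single 'attr=value' term in this model."""
    # 1. Bind with the configured service account (LDAP Bind User DN / Password).
    if not _bind(bind_dn, bind_password):
        return None
    # 2. Search the subtree under the base DN for entries matching the filter.
    filter_attr, filter_value = user_filter.lower().split("=", 1)
    matches = [dn for dn, attrs in DIRECTORY.items()
               if dn.lower().endswith(base_dn.lower())
               and attrs.get(filter_attr) == filter_value
               and attrs.get(username_attr.lower()) == username]
    # 3. Exactly one entry must match; then bind as that entry with the login password.
    if len(matches) != 1 or not _bind(matches[0], password):
        return None
    return matches[0]
```

Widening the base DN to DC=com makes both "asmith" entries match, and the login is refused as ambiguous, which is why the Search Base should be as narrow as the user population allows.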
5. Add any valid user and/or valid group to quickly test your LDAP configuration:

   Property                                        Value
   LDAP Username for Test LDAP Configuration       Any valid user
   LDAP Group Name for Test LDAP Configuration     Any valid group
6. Click Save Changes.
7. Test your LDAP configuration, and when successful click Restart Hue.
You can test ldapsearch at the command line as follows:

    LDAPTLS_CACERT=/<path_to_cert>/<ca_certificate> ldapsearch -H ldaps://<ldap_server>:636 \
        -D "<bind_dn>" -w <bind_password> -b <base_dn> "samaccountname=<user>"
Note: To run ldapsearch with a CA certificate, you may need to install ldap-utils on Debian/Ubuntu and openldap-clients on RHEL/CentOS.