LDAP properties

These are the properties you can use to configure LDAP for Hue in Cloudera Manager or in the hue.ini file for unmanaged clusters.

Property Name Description and Syntax
General Hue LDAP Properties
Authentication Backend

backend

Authentication Mode. Select desktop.auth.backend.LdapBackend.

Multiple backends are allowed. Create a list and add it to the Hue safety-valve.

LDAP URL

ldap_url

URL for the LDAP server.

Syntax: ldaps://<ldap_server>:<636> or ldap://<ldap_server>:<389>

Important: To prevent usernames and passwords from transmitting in the clear, use ldaps:// or ldap:// + "Enable LDAP TLS".

Create LDAP users on login

create_users_on_login

Flag to create new LDAP users at Hue login.

If true, any user who logs into Hue is automatically created. If false, only users that exist in useradmin can log in.

Direct Bind Properties
Active Directory Domain

nt_domain

For direct binding with Microsoft Active Directory only. Typically maps to the user email address or ID in conjunction with the domain. Allows Hue to authenticate without having to follow LDAP references to other partitions. Hue binds with User-Principal-Name (UPN) if provided.

Example: ad.<mycompany>.com

Important: Do not use nt_domain when binding with a username pattern or if using search bind.
LDAP Username Pattern

ldap_username_pattern

For direct binding with LDAP (non-Active Directory) only (because AD uses UPNs which have a space in them).

Username Pattern finds the user attempting to login into LDAP by adding the username to a predefined DN string. Use <username> to reference the user logging in. An example is "uid=<username>,ou=people,dc=mycompany,dc=com".

Search Bind Properties
Use Search Bind Authentication

search_bind_authentication

Flag to enable/disable search binding.
LDAP Search Base

base_dn

Distinguished name to use as a search base for finding users and groups.

Syntax: dc=ad, dc=sec, dc=mycompany,dc=com

Encryption Properties
LDAP Server CA Certificate

ldap_cert

Full path to .pem file with Certificate Authority (CA) chain used to sign the LDAP server certificate.

If left blank, all certificates are trusted and otherwise encrypted usernames and passwords are vulnerable to attack.

Enable LDAP TLS

use_start_tls

Flag to enable/disable encryption with the StartTLS operation.
Import / Sync Properties
LDAP Bind User Distinguished Name

bind_dn

Bind user. Only use if LDAP/AD does not support anonymous binds. (Typically, LDAP supports anonymous binds and AD does not.) Bind User differs per auth type:

  • Search Bind: username@domain
  • Direct Bind with NT Domain: username
  • Direct Bind with Username Pattern: DN string (and same as LDAP Username Pattern)
LDAP Bind Password

bind_password

Bind user password.
Filter Properties
LDAP User Filter

user_filter

General LDAP text search filter to restrict search of valid users. Only used by Search Bind authentication and LDAP Sync.

The default is objectclass=* but can differ. For example, some LDAP environments support Posix objects for *nix authentication and the user filter might need to be objectclass=posixAccount.

LDAP Username Attribute

user_name_attr

Username to search against (the attribute in LDAP that contains the username).

Typical attributes include sAMAccountName (default for AD/LDAP) and uid (LDAP default).

Maintain case sensitivity when setting attributes for AD/LDAP.

LDAP Group Filter

group_filter

General LDAP text search filter to restrict search of valid groups. Only used by LDAP Sync (not authentication). If left blank, no filtering is used and all groups in LDAP are synced.

The default is objectclass=* but can differ. For example, some LDAP environments support Posix objects for *nix authentication and the user filter might need to be objectclass=posixGroup.

LDAP Group Name Attribute

group_name_attr

Group name to search against (the attribute in LDAP that contains the groupname).

If left blank, the default is "cn" (common name), that typically works with AD/LDAP.

Maintain case sensitivity when setting attributes for AD/LDAP.

LDAP Group Membership Attribute

group_member_attr

Attribute in the group that contains DNs of all the members.(Optional) -

If left blank, the default is "memberOf" or "member", that typically works with Active Directory/LDAP.

Test Properties
LDAP Username for Test LDAP Configuration

test_ldap_user

Any user (ideally with low privileges) used to verify the LDAP configuration.
LDAP Group Name for Test LDAP Configuration

test_ldap_group

Any group (and not necessarily one that includes the test user) used to verify the LDAP configuration.