Authenticating users with LDAP
Configuring Hue for Lightweight Directory Access Protocol (LDAP) enables you to import users and groups from a directory service, synchronize group membership manually or automatically at login, and authenticate with an LDAP server.
Hue supports Microsoft Active Directory (AD) and open standard LDAP such as OpenLDAP and ForgeRock OpenDJ Directory Services.
There are two ways to bind Hue with an LDAP directory service:
- Search Bind: Hue searches for user credentials with a search base (and attribute and filter).
- Direct Bind: Hue authenticates (without searching) in one of two ways:
  - NT Domain: Bind to Microsoft Active Directory with username@domain (the UPN), or
  - Username Pattern: Bind to open standard LDAP with the full path of the directory information tree (DIT).
Encryption: To prevent credentials from being transmitted in the clear, encrypt with LDAP over SSL, using the LDAPS protocol on the LDAPS port, which is 636 by default. An alternative is to encrypt with the StartTLS operation using the standard LDAP protocol, which uses port 389 by default. Cloudera recommends LDAPS. You must have a CA certificate in either case.
LDAP Auth Action | Encrypted (LDAPS) | Encrypted (LDAP+TLS) | Not Encrypted (LDAP) |
---|---|---|---|
Search Bind | AD, LDAP | AD, LDAP | AD, LDAP |
Direct Bind - NT Domain | AD | AD | AD |
Direct Bind - User Pattern | LDAP | LDAP | LDAP |
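The following check is an added example, not part of the original page or of Hue's code: it places a set of LDAP settings in the row and column of the table above and reports what a reviewer would flag. The setting names (`ldap_url`, `use_start_tls`, `search_bind_authentication`, `nt_domain`, `ldap_username_pattern`, `base_dn`, `ldap_cert`) are taken from Hue's `[[ldap]]` options and do not appear on this page, so treat them as assumptions; the input is a plain dictionary of explicitly set values, and all hosts, DNs and paths are constructed.

```python
from urllib.parse import urlparse

# Assumption: keys mirror Hue's [[ldap]] option names, which this page does not list.
def transport(cfg):
    """Map URL scheme and StartTLS flag onto the table's three columns."""
    url = urlparse(cfg["ldap_url"])
    if url.scheme == "ldaps":
        return "LDAPS", url.port or 636
    if url.scheme == "ldap":
        return ("LDAP+TLS" if cfg.get("use_start_tls") else "LDAP"), url.port or 389
    raise ValueError("ldap_url must start with ldap:// or ldaps://")

def bind_method(cfg):
    """Return the table row (LDAP auth action) this configuration selects."""
    if cfg.get("search_bind_authentication"):
        return "Search Bind"
    if cfg.get("nt_domain"):
        return "Direct Bind - NT Domain"
    if cfg.get("ldap_username_pattern"):
        return "Direct Bind - User Pattern"
    raise ValueError("no bind method configured")

def audit(cfg):
    """List the findings a reviewer would raise for one LDAP configuration."""
    mode, port = transport(cfg)
    method = bind_method(cfg)
    findings = []
    if mode == "LDAP":
        findings.append(f"{method} on port {port} sends credentials in the clear")
    elif not cfg.get("ldap_cert"):
        findings.append(f"{mode} is configured but no CA certificate is set")
    if mode == "LDAP+TLS":
        findings.append("StartTLS is in use; LDAPS is the recommended option")
    if method == "Search Bind" and not cfg.get("base_dn"):
        findings.append("Search Bind needs a search base")
    return findings

# Constructed sample settings; hosts, DNs and paths are placeholders.
SAMPLES = {
    "ad_ldaps": {"ldap_url": "ldaps://ad.example.com", "nt_domain": "example.com",
                 "ldap_cert": "/path/to/ca.pem"},
    "openldap_clear": {"ldap_url": "ldap://ldap.example.com",
                       "ldap_username_pattern": "uid=<username>,ou=People,dc=example,dc=com"},
    "search_starttls": {"ldap_url": "ldap://ldap.example.com", "use_start_tls": True,
                        "search_bind_authentication": True, "ldap_cert": "/path/to/ca.pem"},
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(name, transport(cfg)[0], bind_method(cfg), audit(cfg) or "ok")
```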
Prerequisites
- LDAP server
- Bind account (or support for anonymous binds)
- Cloudera Manager account with Full Administrator permissions
- [optional] LDAP server with LDAPS or StartTLS encryption.