Securing Hue

Authenticating Hue users with LDAP

Configuring Hue for Lightweight Directory Access Protocol (LDAP) enables you to import users and groups from a directory service, synchronize group membership manually or automatically at login, and authenticate with an LDAP server.

Hue supports Microsoft Active Directory (AD) and open standard LDAP such as OpenLDAP and Forgerock OpenDJ Directory Services.

When Hue is integrated with LDAP, users can use their existing credentials to authenticate and inherit their existing groups transparently. There is no need to save or duplicate any employee password in Hue.

When authenticating using LDAP, Hue validates login credentials against an LDAP directory service if Hue is configured with the LDAP authentication backend (desktop.auth.backend.LdapBackend) in Cloudera Manager.

The LDAP authentication backend automatically creates users that do not exist in Hue by default. Hue needs to import users to properly perform the authentication. Passwords are never imported when importing users. You can disable automatic import of users by setting the create_users_on_login property in the Cloudera Manager > Clusters > Hue service > Configuration > Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini field to false.
[desktop]
[[ldap]]
create_users_on_login=false

The purpose of disabling the automatic import is to allow only a predefined list of manually imported users to login.

There are two ways to bind Hue with an LDAP directory service:

Search Bind
The search bind mechanism performs an ldapsearch against the directory service for the username entered at login and then binds using the distinguished name (DN) it finds together with the password provided. This is the default method of authentication used by Hue with LDAP.
You can restrict the search by configuring the following two properties under the Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini, in the [desktop] > [[ldap]] > [[[users]]] section.
Property         Description
user_filter      General LDAP filter to restrict the search. Default: "objectclass=*"
user_name_attr   The attribute that is treated as the username to search against. Typical attributes include uid and sAMAccountName. Default: sAMAccountName
With the above configuration, the LDAP search filter takes the following form:
(&(objectClass=*)(sAMAccountName=[***USERNAME-ENTERED-BY-USER***]))
Direct Bind
The direct bind mechanism for authenticating binds to the LDAP server using the username and password provided at login.
Hue authenticates (without searching) in one of two ways:
  • NT Domain (nt_domain): (Only for use with Microsoft Active Directory) Hue binds to AD as username@domain, that is, with the User Principal Name (UPN). This AD-specific property allows Hue to authenticate with AD without having to follow LDAP referrals to other partitions. The UPN typically matches the user's email address, or the user's ID combined with the domain. Default: mycompany.com.
  • Username Pattern (ldap_username_pattern): Binds to an open standard LDAP server with the full DN path in the directory information tree (DIT). The property is a template for the DN that is ultimately sent to the directory service when authenticating; the [***USERNAME***] parameter is replaced with the username provided at login.
    Default:
    "uid=[***USERNAME***],ou=People,dc=mycompany,dc=com"
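As an added illustration (not code from this page or from the Hue project), the following Python builds the identity Hue would present for each bind method described above: the ldapsearch filter for search bind, the UPN for NT Domain direct bind, and the DN for Username Pattern direct bind. The property names user_filter, user_name_attr, nt_domain and ldap_username_pattern, their defaults, and the [***USERNAME***] placeholder are taken from the page; the escaping helpers follow RFC 4515 (filter values) and RFC 4514 (RDN values) and are this example's own addition, so that a login name containing filter or DN metacharacters still yields a well-formed filter or DN.

```python
"""Building the identity Hue presents for each LDAP bind method.

Added example, not Hue code. Property names and the [***USERNAME***]
placeholder follow the page; the escaping helpers are this example's own.
"""

# RFC 4515, section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a login name before it is substituted into a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a login name before it is substituted into an RDN (RFC 4514, 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in '\\,+"<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_search_filter(username: str, user_filter: str = "objectclass=*",
                        user_name_attr: str = "sAMAccountName") -> str:
    """Search bind: the ldapsearch filter run before binding as the found DN.

    Produces the page's form: (&(<user_filter>)(<user_name_attr>=<username>)).
    """
    base = user_filter.strip()
    if not base.startswith("("):          # allow the bare "objectclass=*" default
        base = f"({base})"
    return f"(&{base}({user_name_attr}={escape_filter_value(username)}))"


def build_nt_domain_upn(username: str, nt_domain: str = "mycompany.com") -> str:
    """Direct bind, NT Domain: AD accepts username@domain (a UPN) as the bind name.

    A UPN is not a DN, so no RDN escaping applies; the name is used as typed.
    """
    return f"{username}@{nt_domain}"


def build_pattern_dn(username: str,
                     ldap_username_pattern: str = "uid=[***USERNAME***],ou=People,dc=mycompany,dc=com") -> str:
    """Direct bind, Username Pattern: the DN sent to an open-standard LDAP server."""
    return ldap_username_pattern.replace("[***USERNAME***]", escape_dn_value(username))


if __name__ == "__main__":
    # Constructed login names (one with a filter metacharacter) to show the escaping.
    for name in ("jdoe", "j*doe"):
        print(build_search_filter(name))
        print(build_nt_domain_upn(name))
        print(build_pattern_dn(name))
```

With the defaults, build_search_filter("jdoe") yields (&(objectclass=*)(sAMAccountName=jdoe)), the same shape as the filter shown above; passing a user_filter such as a memberOf clause and user_name_attr="uid" shows how the two properties restrict the search on an open standard LDAP server.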

To prevent credentials from being transmitted in the clear, encrypt the connection with LDAP over SSL, using the LDAPS protocol on the LDAPS port, which is port 636 by default. An alternative is to encrypt with the StartTLS operation over the standard LDAP protocol, which uses port 389 by default. Cloudera recommends LDAPS. You must have a CA certificate in either case.

Table 1. Hue supported LDAP authentication and encryption methods
LDAP Auth Action             Encrypted (LDAPS)   Encrypted (LDAP+TLS)   Not Encrypted (LDAP)
Search Bind                  AD, LDAP            AD, LDAP               AD, LDAP
Direct Bind - NT Domain      AD                  AD                     AD
Direct Bind - User Pattern   LDAP                LDAP                   LDAP
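The following Python is an added example, not Hue's own code, that classifies how a configuration transmits credentials (LDAPS, StartTLS, or plain LDAP on the default ports given above) and checks the chosen bind method against the rows of Table 1. The nt_domain and ldap_username_pattern property names appear on the page; ldap_url, use_start_tls, ldap_cert and search_bind_authentication are assumed [[ldap]] key names for this example, and the "directory" field (AD or LDAP) is an assumption of the example rather than a Hue setting. The sample configurations are constructed.

```python
"""Transport and bind-method check for a Hue [desktop] [[ldap]] configuration.

Added example, not Hue code. Key names other than nt_domain and
ldap_username_pattern (which appear on the page) are assumptions.
"""
from urllib.parse import urlsplit

LDAPS_DEFAULT_PORT = 636   # LDAP over SSL (page: port 636 by default)
LDAP_DEFAULT_PORT = 389    # plain LDAP, optionally upgraded with StartTLS

# Table 1 from the page: directory types each bind method supports. The
# encryption column does not change support, so only the method matters here.
SUPPORTED_DIRECTORIES = {
    "search_bind": {"AD", "LDAP"},
    "direct_bind_nt_domain": {"AD"},
    "direct_bind_user_pattern": {"LDAP"},
}


def classify_transport(ldap_url: str, use_start_tls: bool = False) -> dict:
    """Work out how credentials travel: 'LDAPS', 'LDAP+TLS' or 'LDAP' (clear)."""
    parts = urlsplit(ldap_url)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URL: {ldap_url!r}")
    if scheme == "ldaps":
        transport = "LDAPS"
    elif use_start_tls:
        transport = "LDAP+TLS"
    else:
        transport = "LDAP"
    port = parts.port or (LDAPS_DEFAULT_PORT if scheme == "ldaps" else LDAP_DEFAULT_PORT)
    return {
        "host": parts.hostname,
        "port": port,
        "transport": transport,
        "encrypted": transport != "LDAP",
    }


def bind_method(cfg: dict) -> str:
    """Map the configuration to one of the three rows of Table 1."""
    if cfg.get("search_bind_authentication", True):   # search bind is Hue's default
        return "search_bind"
    if cfg.get("nt_domain"):
        return "direct_bind_nt_domain"
    if cfg.get("ldap_username_pattern"):
        return "direct_bind_user_pattern"
    raise ValueError("direct bind needs nt_domain or ldap_username_pattern")


def audit_ldap_config(cfg: dict) -> list:
    """Return a list of findings; an empty list means no issue was detected."""
    findings = []
    transport = classify_transport(cfg["ldap_url"], cfg.get("use_start_tls", False))
    if not transport["encrypted"]:
        findings.append(
            f"credentials to {transport['host']}:{transport['port']} are sent in the clear; "
            "use ldaps:// (recommended) or enable StartTLS"
        )
    elif not cfg.get("ldap_cert"):
        findings.append("encrypted transport configured but no CA certificate path is set")
    method = bind_method(cfg)
    if cfg["directory"] not in SUPPORTED_DIRECTORIES[method]:
        findings.append(f"{method} is not supported against {cfg['directory']} (see Table 1)")
    return findings


# Constructed sample configurations (not taken from any real deployment).
SAMPLE_AD_LDAPS = {
    "ldap_url": "ldaps://dc01.corp.example",
    "ldap_cert": "/etc/pki/ca-trust/corp-ca.pem",
    "search_bind_authentication": True,
    "directory": "AD",
}
SAMPLE_OPENLDAP_PLAINTEXT = {
    "ldap_url": "ldap://ldap.corp.example:389",
    "search_bind_authentication": False,
    "ldap_username_pattern": "uid=[***USERNAME***],ou=People,dc=corp,dc=example",
    "directory": "LDAP",
}
SAMPLE_NT_DOMAIN_AGAINST_OPENLDAP = {
    "ldap_url": "ldap://ldap.corp.example",
    "use_start_tls": True,
    "ldap_cert": "/etc/pki/ca-trust/corp-ca.pem",
    "search_bind_authentication": False,
    "nt_domain": "corp.example",
    "directory": "LDAP",
}

if __name__ == "__main__":
    for label, cfg in (("AD over LDAPS", SAMPLE_AD_LDAPS),
                       ("OpenLDAP in the clear", SAMPLE_OPENLDAP_PLAINTEXT),
                       ("NT Domain against OpenLDAP", SAMPLE_NT_DOMAIN_AGAINST_OPENLDAP)):
        print(label, "->", audit_ldap_config(cfg) or ["ok"])
```

The first sample passes cleanly; the second is flagged for sending credentials in the clear on port 389; the third is encrypted with StartTLS but is flagged because Table 1 lists NT Domain direct bind for AD only.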
To authenticate Hue users with LDAP, you must have:
  • LDAP server
  • Bind account (or support for anonymous binds)
  • Cloudera Manager access with Full Administrator permissions
  • [optional] LDAP server with LDAPS or StartTLS encryption.