Configure Atlas authentication for LDAP

How to configure Atlas to use LDAP for user authentication.

The settings in these steps apply to Atlas authentication; the values are likely the same ones you use to configure LDAP for other services on the cluster.

  1. In Cloudera Manager, select the Atlas service, then open the Configuration tab.
  2. To display the authentication settings, type "authentication" in the Search box. You may need to scroll down to see all of the LDAP settings.
  3. Configure the following settings for LDAP authentication:
    Grouping: Enable LDAP Authentication
    Property: Enable LDAP Authentication (atlas.authentication.method.ldap)
    Description: Determines whether LDAP is used for authentication.
    Sample value: true

    Grouping: Enable LDAP Authentication
    Property: LDAP Authentication Type (atlas.authentication.method.ldap.type)
    Description: The LDAP type (ldap, ad, or none).
    Sample value: ldap

    Grouping: LDAP Server Location
    Property: LDAP Server URL (atlas.authentication.method.ldap.url)
    Description: The LDAP server URL.
    Sample value: ldap://localhost:389 or ldaps://localhost:636

    Grouping: Bind Credentials
    Property: LDAP Bind Username (atlas.authentication.method.ldap.bind.dn)
    Description: Full distinguished name (DN), including common name (CN), of an LDAP user account that has privileges to query the LDAP database of user accounts on behalf of Atlas. This can be a read-only LDAP user.
    Sample value: cn=admin,ou=people,dc=example,dc=com

    Grouping: Bind Credentials
    Property: LDAP Bind DN Password (atlas.authentication.method.ldap.bind.password)
    Description: Password for the account that can search for users.
    Sample value: Secret123!

    Grouping: Group Lookup
    Property: LDAP Group-Search Base (atlas.authentication.method.ldap.groupSearchBase)
    Description: The organizational unit (OU) and domain component (DC) properties of the LDAP search tree where Atlas searches for groups.
    Sample value: (|(CN=Hdp_users)(CN=Hdp_admins))

    Grouping: Group Lookup
    Property: LDAP Group-Search Filter (atlas.authentication.method.ldap.groupSearchFilter)
    Description: (Optional) Refines the scope of the LDAP group search. The Group-Search Filter is combined with the Group-Search Base to define the group lookup.

    Grouping: Role Assignment
    Property: LDAP Group-Role Attribute (atlas.authentication.method.ldap.groupRoleAttribute)
    Description: The attribute stored in the LDAP group object that is used to map LDAP groups to Atlas roles.
    Sample value: cn

    Grouping: Role Assignment
    Property: LDAP User Default Role (atlas.authentication.method.ldap.default.role)
    Description: The Atlas role assigned to LDAP users.

    Grouping: LDAP Search-Bind Authentication Mode
    Property: LDAP DN (atlas.authentication.method.ldap.base.dn)
    Description: The Distinguished Name (DN) of the starting point of the LDAP search tree for directory server searches. You can also specify a User Search Filter to further reduce the scope of the search.
    Sample value: dc=example,dc=com

    Grouping: LDAP Search-Bind Authentication Mode
    Property: LDAP User Search Filter (atlas.authentication.method.ldap.user.searchfilter)
    Description: The LDAP user search filter. Used with the User Search Base to further limit the scope of the search for a directory entry that matches the credentials of the user logging into Atlas.

    Use a user search filter along with a DN pattern so that the search filter provides a fallback if the DN pattern search fails.

    Grouping: LDAP Direct-Bind Authentication Mode
    Property: LDAP User DN Pattern (atlas.authentication.method.ldap.userDNpattern)
    Description: Direct-bind authentication can be used if no search is required to determine the DN needed to bind to the LDAP server. Leave this property blank if LDAP DN is set.

    To use this authentication mode, all users must be under a single branch in the LDAP directory.

    To bind with a distinguished name whose uid attribute is the username entered at login, you might provide a pattern such as:

    uid={0},ou=users,dc=xasecure,dc=net

    where {0} is replaced by the username of the authenticating user. If a user enters the username "foo" at the login page, Atlas binds with the DN:

    uid=foo,ou=users,dc=xasecure,dc=net

    Grouping: LDAP Referral
    Property: LDAP Referral (atlas.authentication.method.ldap.referral) *
    Description: See the note below. Defaults to ignore.
    Sample value: follow

    * There are three possible values for atlas.authentication.method.ldap.referral: follow, throw, and ignore. The recommended setting is follow.

    When searching a directory, the server might return several search results along with a few continuation references that show where to obtain further results. These results and references might be interleaved at the protocol level.

    • When this property is set to follow, the LDAP service provider processes all of the normal entries first, and then follows the continuation references.

    • When this property is set to throw, all of the normal entries are returned in the enumeration first, before the ReferralException is thrown. By contrast, a "referral" error response is processed immediately when this property is set to follow or throw.

    • When this property is set to ignore, the server is asked to return referral entries as ordinary entries (plain text). This might return partial results for the search. In the case of LDAP, a PartialResultException is returned when referrals are encountered while search results are processed.

  4. Click Save Changes.
  5. Restart the Atlas service.
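The search-bind and direct-bind modes and the group-to-role mapping described in step 3, as an added Python example that is not Atlas's own code: it shows how the listed properties (mirrored by the hypothetical LdapSettings fields) turn a login name into a bind DN or a user search, why the login name must be escaped per RFC 4514 (DN values) and RFC 4515 (filter values) before it is spliced into either, and how group entries map to roles via groupRoleAttribute with default.role as the fallback. The group entries are constructed stand-ins for a directory search result; nothing here contacts an LDAP server.

```python
"""Added example (not Atlas code): how the LDAP settings in step 3 turn a
login name into a bind DN (direct-bind mode) or a user search (search-bind
mode), and how group entries map to Atlas roles.  LdapSettings and every
function below are hypothetical names for this example; nothing here contacts
an LDAP server."""
from dataclasses import dataclass


@dataclass
class LdapSettings:
    # Field -> Atlas property from the table in step 3.
    base_dn: str = ""                 # atlas.authentication.method.ldap.base.dn
    user_search_filter: str = ""      # atlas.authentication.method.ldap.user.searchfilter
    user_dn_pattern: str = ""         # atlas.authentication.method.ldap.userDNpattern
    group_role_attribute: str = "cn"  # atlas.authentication.method.ldap.groupRoleAttribute
    default_role: str = ""            # atlas.authentication.method.ldap.default.role


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value spliced into a DN, so a login name such as
    'foo,ou=admins' cannot add or change RDNs in the DN Atlas binds as."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;=':
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and i in (0, last):
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a search filter, so a login
    name such as '*)(uid=*' stays a literal instead of widening the search."""
    table = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
    return ''.join(table.get(ch, ch) for ch in value)


def direct_bind_dn(settings: LdapSettings, username: str) -> str:
    """Direct-bind mode: {0} in userDNpattern becomes the escaped login name."""
    if not settings.user_dn_pattern:
        raise ValueError("direct bind requires userDNpattern")
    return settings.user_dn_pattern.replace("{0}", escape_dn_value(username))


def search_bind_filter(settings: LdapSettings, username: str) -> str:
    """Search-bind mode: {0} in user.searchfilter becomes the escaped login
    name; the search runs under base.dn."""
    if not settings.base_dn:
        raise ValueError("search bind requires base.dn")
    return settings.user_search_filter.replace("{0}", escape_filter_value(username))


def resolve_login(settings: LdapSettings, username: str) -> dict:
    """Describe what the settings would try for this login: a DN pattern gives
    a direct bind; base.dn plus user.searchfilter gives a search bind, which
    the table also describes as the fallback when the DN pattern fails."""
    plan = {}
    if settings.user_dn_pattern:
        plan["direct_bind_dn"] = direct_bind_dn(settings, username)
    if settings.base_dn:
        plan["search_base"] = settings.base_dn
        plan["search_filter"] = search_bind_filter(settings, username)
    if not plan:
        raise ValueError("neither base.dn nor userDNpattern is set")
    return plan


def roles_from_groups(settings: LdapSettings, group_entries: list) -> list:
    """Map group entries (attribute dicts, as a directory search would return
    them) to roles via groupRoleAttribute; fall back to default.role."""
    roles = []
    for attrs in group_entries:
        for value in attrs.get(settings.group_role_attribute, []):
            if value not in roles:
                roles.append(value)
    if not roles and settings.default_role:
        roles.append(settings.default_role)
    return roles


if __name__ == "__main__":
    direct = LdapSettings(user_dn_pattern="uid={0},ou=users,dc=xasecure,dc=net")
    print(resolve_login(direct, "foo"))             # uid=foo,ou=users,dc=xasecure,dc=net
    print(resolve_login(direct, "foo,ou=admins"))   # comma and '=' escaped, one RDN kept

    search = LdapSettings(base_dn="dc=example,dc=com", user_search_filter="(uid={0})")
    print(resolve_login(search, "*)(uid=*"))        # wildcard and parentheses escaped

    # Constructed group entries standing in for a directory search result.
    groups = [{"cn": ["Hdp_admins"]}, {"cn": ["Hdp_users"]}]
    print(roles_from_groups(search, groups))
    print(roles_from_groups(LdapSettings(default_role="ROLE_USER"), []))  # constructed role name
```

The escaping functions are the point to keep: the `{0}` placeholder is substituted with whatever the user typed, so a bind DN or filter built without escaping can be reshaped by the login name itself. Confirm your Atlas version escapes these values (or that the directory rejects malformed DNs) rather than assuming it.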