Options for importing and syncing LDAP users and groups in Hue

Configuring Hue for Lightweight Directory Access Protocol (LDAP) enables you to import users and groups from a directory service, synchronize group membership manually or automatically at login, and authenticate users with LDAP.

There are four options to import and sync LDAP users and groups in Hue:
LDAP sync option Description
Add/Sync LDAP user Import and synchronize one user at a time
Sync LDAP users/groups Synchronize user memberships in all groups
Add/Sync LDAP group Import and synchronize all users in one group
sync_groups_on_login Automatically synchronize group membership at login
The following flowchart shows the process and the options to import and synchronize new users or groups in Hue:

Importing a group from LDAP creates a group in Hue. When you synchronize a group, Hue checks the user's group membership in LDAP and synchronizes it to the corresponding group in Hue. To synchronize an LDAP group with Hue, the group must be imported in the Hue database.

For example, if a user belongs to 10 LDAP groups, but only 5 groups are present in Hue, then only these 5 groups are synced when new users are added to these groups. This mechanism helps to avoid including irrelevant group data in the Hue database.

If you have multiple LDAP groups that are synchronized with Hue, then you can automate the synchronization process by turning on the sync_groups_on_login option in the Hue Advanced Configuration Snippet. However, this process can be burdensome if you have a large number of users logging in and authenticating simultaneously or new users getting added to the LDAP group, as multiple synchronization requests are triggered which could cause collisions on database writes. An alternative approach is to synchronize users using the command line option, which you can script and automate as a cron job. To manually synchronize LDAP groups having the newly added users that need to be added to Hue, run the following command separately for each LDAP group:
$HUE_HOME/build/env/bin/hue import_ldap_group --import-members [***LDAP-GROUP-NAME***] --cm-managed