Configuring Hue for Lightweight Directory Access Protocol (LDAP) enables you to
import users and groups from a directory service,
synchronize group membership manually or automatically at login,
and authenticate with an LDAP server.
Hue supports Microsoft Active Directory (AD) and open standard LDAP such as OpenLDAP and
Forgerock OpenDJ Directory Services.
Integrating Hue with LDAP🔗
When Hue is integrated with LDAP, users can use their existing credentials to authenticate
and inherit their existing groups transparently. There is no need to save or duplicate any
employee password in Hue.
When authenticating using LDAP, Hue validates login credentials against an LDAP directory
service if Hue is configured with the LDAP authentication backend
(desktop.auth.backend.LdapBackend) in Cloudera Manager.
By default, the LDAP authentication backend automatically creates a Hue user record for any
LDAP user who logs in successfully and does not yet exist in Hue. Hue needs this local record
to complete authentication and to attach group memberships and permissions; the user's
password is never imported, and Hue never stores an LDAP password. To disable the automatic
creation of users, set create_users_on_login to false in Cloudera Manager > Clusters > Hue
service > Configuration > Hue Service Advanced Configuration Snippet (Safety Valve) for
hue_safety_valve.ini:
[desktop]
[[ldap]]
create_users_on_login=false
With automatic creation disabled, only users who have already been imported into Hue
manually can log in; a login with valid LDAP credentials for a user who is not in the Hue
user list is rejected.
Binding Hue with LDAP🔗
There are two ways to bind Hue with an LDAP directory service:
Search Bind
Search bind performs an ldapsearch against the directory service (using the configured bind
account, or an anonymous bind) to locate the entry whose username attribute matches the
login name, then binds as the distinguished name (DN) it found, with the password provided
at login. This is the default authentication method Hue uses with LDAP.
You can restrict the search by configuring the following two properties under the Hue
Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini
[desktop] > [[ldap]] > [[[users]]] section.
user_filter
    General LDAP filter that restricts which entries are searched. Default: "objectclass=*"
    (this matches every entry in the directory, so narrow it, for example to user objects,
    in production).
user_name_attr
    The attribute that is matched against the username entered at login. Typical values
    are uid (OpenLDAP, OpenDJ) and sAMAccountName (Active Directory).
    Default: sAMAccountName
Hue combines these two properties into the search filter it sends to the directory:
user_filter limits the candidate entries, and user_name_attr is the attribute compared with
the login name.
Direct Bind
The direct bind mechanism binds to the LDAP server directly with the username and password
provided at login; no search is performed first.
Hue constructs the bind identity in one of two ways:
NT Domain (nt_domain): Only for use with Microsoft Active Directory. Hue binds to AD as
username@domain, that is, with the User Principal Name (UPN). This AD-specific property
lets Hue authenticate against AD without having to follow LDAP referrals to other
partitions. The UPN typically matches the user's email address, or the user's ID combined
with the domain. Default: mycompany.com.
Username Pattern (ldap_username_pattern): For open standard LDAP. Hue binds with the full
DN of the user's entry in the directory information tree (DIT). The property is a template
for the DN that is sent to the directory service when authenticating; the
[***USERNAME***] placeholder is replaced with the username provided at login.
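The three bind modes described above, written as hue_safety_valve.ini fragments. This is an added example and not configuration from the Cloudera page; the hostnames, DNs, service account, script path and domain are placeholders. The keys are Hue's own [desktop] [[ldap]] settings, and the username placeholder inside ldap_username_pattern is the literal text <username> in hue.ini (the page renders it as [***USERNAME***]). The three fragments are alternatives for the same section, not one file; use exactly one.

```ini
# Added example (not from the Cloudera page): hue_safety_valve.ini fragments
# for the three bind modes. Hostnames, DNs, the service account, the script
# path and the domain are placeholders. Use exactly ONE of the fragments.

# --- Mode 1: search bind (Hue's default) against Active Directory ---
[desktop]
[[ldap]]
ldap_url=ldaps://ad.example.com
search_bind_authentication=true
base_dn="DC=example,DC=com"
# Account used only for the ldapsearch step that locates the user's DN.
# bind_password_script keeps the secret out of the ini; it must print the
# password on stdout. Use bind_password= only if no script is possible.
bind_dn="CN=hue-svc,OU=Service Accounts,DC=example,DC=com"
bind_password_script=/etc/hue/secrets/ldap_bind_password.sh
# Reject logins from LDAP users that were not imported into Hue beforehand.
create_users_on_login=false
[[[users]]]
# Narrow the search from the default objectclass=* to user objects only.
user_filter="objectclass=user"
user_name_attr=sAMAccountName
[[[groups]]]
group_filter="objectclass=group"
group_name_attr=cn
group_member_attr=member

# --- Mode 2: direct bind, NT domain (Active Directory only) ---
# Hue binds as <login>@example.com (the UPN); no search is performed first.
[desktop]
[[ldap]]
ldap_url=ldaps://ad.example.com
search_bind_authentication=false
nt_domain=example.com
# base_dn and the bind account are still used when importing users and
# groups, which searches the directory rather than binding as the user.
base_dn="DC=example,DC=com"
bind_dn="CN=hue-svc,OU=Service Accounts,DC=example,DC=com"
bind_password_script=/etc/hue/secrets/ldap_bind_password.sh

# --- Mode 3: direct bind, username pattern (OpenLDAP / OpenDJ) ---
# <username> is replaced with the name typed at login to form the bind DN,
# so the DN layout under ou=People must be the same for every user.
[desktop]
[[ldap]]
ldap_url=ldaps://ldap.example.com
search_bind_authentication=false
ldap_username_pattern="uid=<username>,ou=People,dc=example,dc=com"
base_dn="dc=example,dc=com"
bind_dn="cn=hue-svc,ou=Services,dc=example,dc=com"
bind_password_script=/etc/hue/secrets/ldap_bind_password.sh
[[[users]]]
user_name_attr=uid
```

Mode 1 is the only one that tolerates users spread across several OUs, because the search finds the DN; modes 2 and 3 derive the bind identity from the login name alone, which is why the NT domain form works only with AD's UPN logon and the pattern form needs a uniform DIT.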
To prevent credentials from being transmitted in the clear, encrypt the connection with LDAP
over SSL/TLS (LDAPS), which uses port 636 by default. The alternative is to encrypt with the
StartTLS operation over the standard LDAP protocol, which uses port 389 by default and
upgrades the connection to TLS before the bind is sent. Cloudera recommends LDAPS. In either
case you must have the CA certificate that issued the directory server's certificate, so
that Hue can validate the server it is sending passwords to. Without encryption, the bind
account password (search bind) and every user's login password cross the network in plaintext.
Table 1. Hue supported LDAP authentication and encryption methods

LDAP Auth Action             Encrypted (LDAPS)   Encrypted (LDAP+StartTLS)   Not Encrypted (LDAP)
Search Bind                  AD, LDAP            AD, LDAP                    AD, LDAP
Direct Bind - NT Domain      AD                  AD                          AD
Direct Bind - User Pattern   LDAP                LDAP                        LDAP
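The three transport columns of Table 1, as hue_safety_valve.ini fragments. This is an added example, not configuration from the Cloudera page; the hostnames and the certificate path are placeholders, and the three fragments are alternatives for the same [desktop] [[ldap]] section, so use only one. The keys (ldap_url, ldap_cert, use_start_tls) are Hue's own settings.

```ini
# Added example (not from the Cloudera page): transport settings for the
# [[ldap]] section. Hostnames and the certificate path are placeholders.
# Use exactly ONE of the three fragments.

# --- Recommended: LDAPS (TLS from the first byte, port 636 by default) ---
[desktop]
[[ldap]]
ldap_url=ldaps://ad.example.com:636
# PEM file with the CA certificate that issued the directory server's
# certificate, so Hue validates the server before sending any password.
ldap_cert=/etc/hue/conf/ldap-ca.pem
# StartTLS is an upgrade of a plain ldap:// session and does not apply to an
# ldaps:// URL; turn it off explicitly so the setting is not ambiguous.
use_start_tls=false

# --- Alternative: StartTLS on the standard LDAP port (389 by default) ---
# The session opens in plaintext and is upgraded to TLS before the bind, so
# the bind account password and user passwords are still encrypted in transit.
[desktop]
[[ldap]]
ldap_url=ldap://ad.example.com:389
ldap_cert=/etc/hue/conf/ldap-ca.pem
use_start_tls=true

# --- Not recommended: plaintext LDAP ---
# Every bind, including the service account's, sends its password unencrypted.
[desktop]
[[ldap]]
ldap_url=ldap://ad.example.com:389
use_start_tls=false
```

A quick check of the chosen transport from the Hue host, independent of Hue, is to run ldapsearch with -H ldaps://ad.example.com:636 (or with -ZZ against ldap://ad.example.com:389 for StartTLS) and the same CA file; if that fails to negotiate TLS or rejects the certificate, Hue will fail the same way.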
Prerequisites🔗
To authenticate Hue users with LDAP, you must have:
LDAP server
Bind account (or support for anonymous binds)
Cloudera Manager access with Full Administrator permissions
[optional] LDAP server with LDAPS or StartTLS encryption.