Configuring authentication with LDAP and Search Bind

Search Bind authentication runs an LDAP search (ldapsearch) against one or more directory services and then binds with the distinguished name (DN) it finds and the password. Hue searches the subtree from the base distinguished name. If the LDAP Username Attribute is set, Hue looks for an entry whose attribute has the same value as the short name given at login.

Figure 1. Video: Authenticate Hue with LDAP and Search Bind
  1. Log on to Cloudera Manager and click Hue.
  2. Click the Configuration tab and filter by scope=Service-wide and category=Security.
  3. Set the following required properties:
    Authentication Backend: desktop.auth.backend.LdapBackend
    LDAP URL:
    • ldaps://<ldap_server>:636 if using Secure LDAP
    • ldap://<ldap_server>:389 if not using encryption

    Note: If ldaps:// is specified in the LDAP URL, then do not set LDAP TLS.

    Enable LDAP TLS:
    • TRUE if not using Secure LDAP (LDAPS) but want to establish a secure connection using TLS
    • FALSE if using LDAPS or not encrypting
    LDAP Server CA Certificate: /path_to_certificate/cert.pem
    LDAP Search Base: DC=mycompany,DC=com
    LDAP Bind User Distinguished Name: username@domain
    LDAP Bind Password: bind_user_password
    Use Search Bind Authentication: TRUE
    Create LDAP users on login: TRUE
  4. You can optionally improve search performance with attributes and filters:
    LDAP User Filter: objectclass=user (default = *)
    LDAP Username Attribute: sAMAccountName (AD default), uid (LDAP default)
    LDAP Group Filter: objectclass=group (default = *)
    LDAP Group Name Attribute: cn (default)
    LDAP Group Membership Attribute: member (default)
  5. Add any valid user and/or valid group to quickly test your LDAP configuration:
    LDAP Username for Test LDAP Configuration: Any valid user
    LDAP Group Name for Test LDAP Configuration: Any valid group
  6. Click Save Changes.
  7. Test your LDAP configuration, and when successful click Restart Hue.
    You can test ldapsearch at the command line as follows:
    LDAPTLS_CACERT=/<path_to_cert>/<ca_certificate> ldapsearch -H ldaps://<ldap_server>:636 \
    -D "<bind_dn>" -w <bind_password> -b <base_dn> "samaccountname=<user>"
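
The choices in step 3 and the test in step 7, combined into a shell helper as an added example (not Cloudera's or Hue's code): it maps the LDAP URL and Enable LDAP TLS values to the matching ldapsearch options, refuses the ldaps:// plus LDAP TLS combination that the note rules out, and reads the bind password from a file instead of the command line. The function names, the DRY_RUN variable and the use of OpenLDAP's -x, -y and -ZZ options are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Cloudera's or Hue's code. Function names, the mode
# strings and DRY_RUN are constructed; options are OpenLDAP ldapsearch's.

# Classify the "LDAP URL" / "Enable LDAP TLS" pair from step 3.
# Prints ldaps, starttls, cleartext, conflict or invalid.
ldap_transport_mode() {
    case "$1" in
        ldaps://*)
            # LDAPS already encrypts; the note says not to set LDAP TLS too.
            if [ "$2" = TRUE ]; then echo conflict; return 1; fi
            echo ldaps ;;
        ldap://*)
            if [ "$2" = TRUE ]; then echo starttls; else echo cleartext; fi ;;
        *)
            echo invalid; return 1 ;;
    esac
}

# hue_ldap_test URL TLS CA_CERT BIND_DN PW_FILE BASE_DN ATTR USER
# Runs the step 7 search; DRY_RUN=1 prints the command instead.
hue_ldap_test() {
    url=$1 tls=$2 cacert=$3 bind_dn=$4 pw_file=$5 base_dn=$6 attr=$7 user=$8
    mode=$(ldap_transport_mode "$url" "$tls") || {
        echo "refusing: LDAP URL / Enable LDAP TLS is $mode" >&2
        return 1
    }
    # The short name goes into the search filter verbatim, so reject the
    # characters that have special meaning in LDAP filters.
    case "$user" in
        *'*'*|*'('*|*')'*|*'\'*)
            echo "refusing: filter metacharacter in user name" >&2
            return 1 ;;
    esac
    if [ "$mode" = cleartext ]; then
        echo "warning: bind password is sent unencrypted" >&2
    fi
    # -ZZ requires StartTLS to succeed before the bind is sent.
    if [ "$mode" = starttls ]; then zz=-ZZ; else zz=; fi
    # -x: simple bind. -y: read the password from a file (no trailing
    # newline) so it stays out of the process list and shell history.
    set -- ldapsearch -x $zz -H "$url" -D "$bind_dn" -y "$pw_file" \
        -b "$base_dn" "($attr=$user)"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "LDAPTLS_CACERT=$cacert $*"
        return 0
    fi
    LDAPTLS_CACERT=$cacert "$@"
}
```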