Authenticating users with LDAP

Configuring Hue for Lightweight Directory Access Protocol (LDAP) enables you to import users and groups from a directory service, synchronize group membership manually or automatically at login, and authenticate with an LDAP server.

Hue supports Microsoft Active Directory (AD) and open standard LDAP such as OpenLDAP and Forgerock OpenDJ Directory Services.

There are two ways to bind Hue with an LDAP directory service:

  • Search Bind: Hue searches for user credentials with search base (and attribute and filter).
  • Direct Bind: Hue authenticates (without searching) in one of two ways:
    • NT Domain: Bind to Microsoft Active Directory with username@domain (the UPN)or
    • Username Pattern: Bind to open standard LDAP with full path of directory information tree (DIT).

Encryption: To prevent credentials from transmitting in the clear, encrypt with LDAP over SSL, using the LDAPS protocol on the LDAPS port, which uses port 636 by default. An alternative, is to encrypt with the StartTLS operation using the standard LDAP protocol, which uses port 389 by default. Cloudera recommends LDAPS. You must have a CA Certificate in either case.

Table 1. Hue Supported LDAP Authentication and Encryption Methods
LDAP Auth Action Encrypted (LDAPS) Encrypted (LDAP+TLS) Not Encrypted (LDAP)
Direct Bind - NT Domain AD AD AD
Direct Bind - User Pattern LDAP LDAP LDAP


To authenticate Hue users with LDAP, you must have:
  • LDAP server
  • Bind account (or support for anonymous binds)
  • Cloudera Manager account with Full Administrator permissions
  • [optional] LDAP server with LDAPS or StartTLS encryption.