
Pre-requisite:
We need a service account (or user) that can search the whole Active Directory tree. This is also known as the LDAP bind user. It does not have to be a domain admin: a dedicated read-only account with a strong password is enough, and that is what should be used, because its password ends up stored in the Cloudera Manager configuration.
Username: User1
Password: ******

Difference between LDAP and Active Directory: in a generic LDAP directory (for example OpenLDAP) the login name of a user is normally held in the uid attribute, whereas Active Directory does not populate uid by default and keeps the login name in sAMAccountName. So when the directory is AD, use sAMAccountName wherever a generic LDAP example uses uid.

Let's see how to configure Cloudera Manager with LDAP, as per the Cloudera Manager documentation:

Log in to the Cloudera Manager Admin Console.
Select Administration > Settings.
Select External Authentication for the Category filter to display the settings. Provide the following values:

Authentication Backend Order: Database and then external
Authorization Backend Order: Database and then external
External Authentication Type: LDAP
LDAP URL: ldaps://hostname.net:636

Note: Check the port (636 is the default for LDAPS, 389 for plain LDAP) and make sure the Cloudera Manager host can actually reach it, for example with telnet or nc on that port; ping only proves the host is up, not that the port is open. Prefer ldaps:// over ldap://, because over a plain ldap:// connection the bind user's password is sent unencrypted.
LDAPS: If you get a certificate error when connecting to the LDAP URL, you have to import the certificate of the CA that issued the domain controller's certificate into the Java truststore used by the Cloudera Manager server. You can see the chain the server presents with: openssl s_client -connect hostname.net:636 -showcerts
Please follow this link: Configuring Cloudera Manager to Use LDAPS

LDAP Bind User Distinguished Name: You can find this value with the ldapsearch utility (package openldap-clients on RHEL/CentOS, ldap-utils on Debian/Ubuntu). Install it on a Linux host and run the command below; the dn: line of the entry it returns is the distinguished name of the bind user:

$ ldapsearch -x -v -H ldaps://hostname.net -W -D "User1" -b "ou=users,dc=internal" -s sub "(sAMAccountName=User1)"

The -x flag selects a simple bind (without it ldapsearch tries SASL, which AD usually rejects) and -W prompts for the password. If AD rejects the bare user name as the bind identity, use the UPN form (User1@yourdomain) or DOMAIN\User1 instead.

LDAP Bind Password: Provide the bind user's password.
Active Directory Domain: In some cases you have to provide the Active Directory domain; here we don't need it, since the bind DN and the user and group search bases and filters are given explicitly.
LDAP User Search Filter: (sAMAccountName={0})
LDAP User Search Base: ou=users,dc=internal
LDAP Group Search Filter: (member={0})
LDAP Group Search Base: ou=groups,dc=internal

In the user search filter, {0} is replaced with the name typed at the login prompt; in the group search filter it is replaced with the distinguished name of the user found by the user search, so (member={0}) matches the AD groups that list that user as a member.
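As an added example that is not part of the original post or of Cloudera's own tooling, the shell script below ties the steps above together: it checks the LDAPS endpoint, runs the ldapsearch from the post with a simple bind and pulls out the dn: line for the "LDAP Bind User Distinguished Name" field, and shows how Cloudera Manager fills the {0} placeholder in the user and group search filters, using constructed LDIF samples so the dry run works offline. The host name, the DNs and the sample entries are assumptions, not values from a real directory.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from Cloudera.
# It turns ldapsearch output into the values the Cloudera Manager LDAP
# settings need and dry-runs the user and group search filters the way
# CM substitutes {0} into them. Host name, DNs and the LDIF samples are
# constructed for illustration (assumptions, not real directory data).

LDAP_HOST="hostname.net"                 # assumed, as in the post
LDAP_URL="ldaps://${LDAP_HOST}:636"
USER_BASE="ou=users,dc=internal"
GROUP_BASE="ou=groups,dc=internal"
USER_FILTER='(sAMAccountName={0})'
GROUP_FILTER='(member={0})'

# Check that the LDAPS port is open and show the certificate chain the
# server presents. A non-zero "Verify return code" means the issuing CA
# certificate must be imported into the truststore used by Cloudera
# Manager before the ldaps:// URL will work. (Needs the real host.)
check_ldaps() {
  openssl s_client -connect "${LDAP_HOST}:636" -showcerts </dev/null 2>&1 |
    grep -E 'Verify return code|subject=|issuer='
}

# Replace the {0} placeholder in a filter with a value, as CM does: the
# login name for the user filter, the user's DN for the group filter.
# awk is used instead of sed so '=' and ',' in a DN need no escaping.
fill_filter() {
  awk -v f="$1" -v v="$2" 'BEGIN {
    i = index(f, "{0}")
    if (i == 0) { print f } else { print substr(f, 1, i - 1) v substr(f, i + 3) }
  }'
}

# Print the dn: of the first entry in the LDIF on stdin. LDIF folds long
# values onto continuation lines that start with one space; re-join them.
extract_dn() {
  awk '
    /^dn: / && !found            { dn = substr($0, 5); found = 1; next }
    found && !closed && /^ /     { dn = dn substr($0, 2); next }
    found                        { closed = 1 }
    END                          { if (found) print dn }
  '
}

# Run the user search from the post with a simple bind (-x) and return
# only the DN; that DN goes in "LDAP Bind User Distinguished Name".
# (Needs the real host; -W prompts for the bind password.)
find_bind_dn() {
  local user="$1"
  ldapsearch -x -LLL -H "$LDAP_URL" -W -D "$user" -b "$USER_BASE" -s sub \
    "$(fill_filter "$USER_FILTER" "$user")" dn | extract_dn
}

# Given a user DN and group-search LDIF on stdin, print the DNs of the
# groups whose member attribute contains that user, i.e. the entries the
# group filter (member=<user DN>) would return. DNs are compared
# case-insensitively, as AD does.
groups_for_dn() {
  awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    /^dn: /                                          { dn = substr($0, 5) }
    /^member: / && tolower(substr($0, 9)) == want    { print dn }
  '
}

# Constructed sample output of the user and group searches (made up).
SAMPLE_USER_LDIF='dn: CN=User1,OU=users,DC=internal
objectClass: user
sAMAccountName: User1
memberOf: CN=cm-admins,OU=groups,DC=internal
'
SAMPLE_GROUP_LDIF='dn: CN=cm-admins,OU=groups,DC=internal
member: CN=User1,OU=users,DC=internal
member: CN=User2,OU=users,DC=internal

dn: CN=cm-readonly,OU=groups,DC=internal
member: CN=User2,OU=users,DC=internal
'

# Walk through what CM does at login time for User1, on the samples.
demo() {
  local user="User1" dn
  echo "user search filter : $(fill_filter "$USER_FILTER" "$user")"
  dn=$(printf '%s' "$SAMPLE_USER_LDIF" | extract_dn)
  echo "bind / user DN     : $dn"
  echo "group search filter: $(fill_filter "$GROUP_FILTER" "$dn")"
  echo "matching groups    :"
  printf '%s' "$SAMPLE_GROUP_LDIF" | groups_for_dn "$dn"
}

demo
```

Run it as-is to see the dry run on the samples; on a host that can reach the domain controller, call check_ldaps for the certificate check and find_bind_dn User1 for the live lookup. One caveat: awk -v interprets backslash escapes, so a DN that contains escaped characters (for example a comma written as \,) would need different quoting before being substituted into the group filter.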

My AD configuration is shown below:

Once this is done, restart the Cloudera Manager server so the new settings take effect:
$ sudo service cloudera-scm-server restart

Because the authentication backend order is "Database then external", the local Cloudera Manager admin account keeps working even if the LDAP settings turn out to be wrong, so you can always log in with it and correct them.

Congratulations! You have successfully integrated LDAP with Cloudera Manager. Verify it by logging in to the Admin Console with an AD user that matches the user search filter.

Tips:
a. Install an LDAP browser (for example Apache Directory Studio) to see the attributes and DNs of the objects in AD.
b. Log in to the LDAP browser with the bind user; that also confirms its credentials work and that it can read the user and group search bases.
