New Contributor
Posts: 3
Registered: 10-23-2015

Authentication & authorization with Multiple Active Directory domains

Hi Everybody,

In my organization we have a special case of 2 Active Directory domains.

All users are in ad.domain1, and an OU in ad.domain2 was used during the Cloudera installation. The bind user was also created in ad.domain2. The same OU in domain2 is used to create security groups and add users from domain1. We have trouble configuring Cloudera (HDFS, Sentry, Hive, Impala) to determine users' groups. In domain1 the objectClass for users is 'user', but in domain2 those users are not 'user' objects, only members of groups. I know how to set the parameters for the ldapsearch command:


ldapsearch -LLL -H "ldap://ad.domain2:3268" -D bind_user@ad.domain2 -W -b ou=my_ou_name,dc=ad,dc=domain2 "(&(objectClass=group)(member=CN=username1,OU=People,DC=domain1))" memberOf


This command will return the list of username1's groups in domain2. But the question is: how to configure Cloudera's CompositeGroupsMapping properties to get back the same list of groups in a format which HDFS, Sentry, and Hue would understand? Is it even possible with the current release of CDH?

Does anybody have the similar use case?

Thanks,

Alex

Cloudera Employee
Posts: 39
Registered: 12-14-2016

Re: Authentication & authorization with Multiple Active Directory domains

Hi Alex,


I don't believe CompositeGroupsMapping is an exposed configuration in Cloudera Manager.

Are you referring to this?

New Contributor
Posts: 3
Registered: 10-23-2015

Re: Authentication & authorization with Multiple Active Directory domains

Good afternoon h@cloudera,

You are correct, the CompositeGroupsMapping config is not directly exposed in Cloudera Manager. A safety valve should be used to configure it.

And yes, I am referring to Apache Hadoop doc.

Thanks,

Alex

Cloudera Employee
Posts: 39
Registered: 12-14-2016

Re: Authentication & authorization with Multiple Active Directory domains

I don't believe we've done much testing with CDH and Composite Group Mappings, but from what I understand, you'd specify the configuration for each LDAP (AD) provider individually. In the example provided in the previous link, we can see how each LDAP URL is provided; if other LDAP configurations differ, such as bind user, bind password, filters, etc., those can be entered as additional properties.


All of this would go in the cluster wide core-site.xml safety valve (in HDFS configurations).


Again, I haven't tested it, but there are some who use it. A more robust approach would be to use tools like Centrify, VAS, SSSD, etc. to handle the AD/Linux integration.
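For readers following this thread, here is what the per-provider configuration described above looks like when written out for the two-domain layout in the original question. This is an added illustration, not configuration from the thread or from Cloudera; it uses the property names documented for Apache Hadoop's CompositeGroupsMapping and LdapGroupsMapping. The host names, OU, bind account, port choice and the provider labels ad1/ad2 are placeholders taken from or modelled on the question; whether a domain1 user entry is resolvable through the domain2 global-catalog port depends on the forest layout and is an assumption here.

```xml
<!-- Goes in the cluster-wide core-site.xml safety valve (HDFS configuration).
     Example only: hosts, OU, bind account and provider names are placeholders. -->

<!-- Switch from the single default mapping to the composite one. -->
<property>
  <name>hadoop.security.group.mapping</name>
  <value>org.apache.hadoop.security.CompositeGroupsMapping</value>
</property>

<!-- Providers are queried in this order. With "combined" set to true the
     groups returned by every provider are merged into one list, which is what
     a user with groups in both domains needs. -->
<property>
  <name>hadoop.security.group.mapping.providers</name>
  <value>ad1,ad2</value>
</property>
<property>
  <name>hadoop.security.group.mapping.providers.combined</name>
  <value>true</value>
</property>

<!-- Provider ad1: ad.domain1, where the user objects (objectClass=user) live. -->
<property>
  <name>hadoop.security.group.mapping.provider.ad1</name>
  <value>org.apache.hadoop.security.LdapGroupsMapping</value>
</property>
<property>
  <name>hadoop.security.group.mapping.provider.ad1.ldap.url</name>
  <value>ldap://ad.domain1:389</value>
</property>
<property>
  <name>hadoop.security.group.mapping.provider.ad1.ldap.bind.user</name>
  <value>bind_user@ad.domain1</value>
</property>
<!-- Keep the bind password out of core-site.xml: point at a root-readable
     file instead of using the plain ldap.bind.password property. -->
<property>
  <name>hadoop.security.group.mapping.provider.ad1.ldap.bind.password.file</name>
  <value>/etc/hadoop/conf/ad1-bind.pw</value>
</property>
<property>
  <name>hadoop.security.group.mapping.provider.ad1.ldap.base</name>
  <value>OU=People,DC=ad,DC=domain1</value>
</property>
<property>
  <name>hadoop.security.group.mapping.provider.ad1.ldap.search.filter.user</name>
  <value>(&amp;(objectClass=user)(sAMAccountName={0}))</value>
</property>
<property>
  <name>hadoop.security.group.mapping.provider.ad1.ldap.search.filter.group</name>
  <value>(objectClass=group)</value>
</property>
<property>
  <name>hadoop.security.group.mapping.provider.ad1.ldap.search.attr.member</name>
  <value>member</value>
</property>
<!-- The value of this attribute is the group name Hadoop, HDFS and Sentry see. -->
<property>
  <name>hadoop.security.group.mapping.provider.ad1.ldap.search.attr.group.name</name>
  <value>cn</value>
</property>

<!-- Provider ad2: the OU in ad.domain2 holding the security groups. The group
     filter is the same one the ldapsearch in the question uses; LdapGroupsMapping
     fills in the member DN itself after resolving the user with the user filter,
     so the user must be findable through this URL and base (here the global
     catalog port 3268, as in the question; an assumption about the forest). -->
<property>
  <name>hadoop.security.group.mapping.provider.ad2</name>
  <value>org.apache.hadoop.security.LdapGroupsMapping</value>
</property>
<property>
  <name>hadoop.security.group.mapping.provider.ad2.ldap.url</name>
  <value>ldap://ad.domain2:3268</value>
</property>
<property>
  <name>hadoop.security.group.mapping.provider.ad2.ldap.bind.user</name>
  <value>bind_user@ad.domain2</value>
</property>
<property>
  <name>hadoop.security.group.mapping.provider.ad2.ldap.bind.password.file</name>
  <value>/etc/hadoop/conf/ad2-bind.pw</value>
</property>
<property>
  <name>hadoop.security.group.mapping.provider.ad2.ldap.base</name>
  <value>OU=my_ou_name,DC=ad,DC=domain2</value>
</property>
<property>
  <name>hadoop.security.group.mapping.provider.ad2.ldap.search.filter.group</name>
  <value>(objectClass=group)</value>
</property>
<property>
  <name>hadoop.security.group.mapping.provider.ad2.ldap.search.attr.member</name>
  <value>member</value>
</property>
<property>
  <name>hadoop.security.group.mapping.provider.ad2.ldap.search.attr.group.name</name>
  <value>cn</value>
</property>
```

After deploying the client configuration, `hdfs groups username1` run on a cluster node shows exactly the merged list HDFS and Sentry will use, which is the quickest way to confirm that the domain2 provider actually resolves the domain1 user before any Sentry rules depend on it. Two hardening points worth keeping in mind: the bind password file is readable by the service users, so it should be mode 0600 and owned accordingly, and plain `ldap://` sends that bind in the clear, so `ldaps://` (636, or 3269 for the global catalog) with the `ldap.ssl` properties is the production setting.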
