Contributor
Posts: 29
Registered: 09-24-2014

Cloudera Navigator External Authentication with FreeIPA
I am having issues with configuring external authentication for Cloudera Navigator with FreeIPA (OpenLDAP compatible). I am following the instructions "Configuring Cloudera Navigator Authentication Using an OpenLDAP-compatible Server" found here: http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cn_sg_external_auth.htm...
  • In the External Authentication Type, select LDAP - DONE
  • In the LDAP URL property, provide the URL of the LDAP server and (optionally) the base Distinguished Name (DN) (the search base) as part of the URL — for example ldap://ldap-server.corp.com/dc=corp,dc=com. - DONE (experimented with both ldaps://MY_FREEIPA_SERVER and ldaps://MY_FREEIPA_SERVER/dc=platform,dc=***)
  • In the Bind Distinguished Name property, enter the distinguished name of the user to bind as. This is used to connect to the LDAP server for searching groups and to get other user information. - DONE (I used my own IPA user ID to get this to work first, I am an admin user)
  • In the LDAP Bind Password property, enter the password for the bind user entered above.
Other configurations: 

LDAP Distinguished Name Pattern: uid={0}

LDAP User Search Base: cn=accounts,dc=platform,dc=***
I was able to troubleshoot using the ldapsearch command (requires the openldap-clients package) on the host where LDAP authentication or authorization issues are being seen:

$ ldapsearch -D 'uid=MY_USER,cn=users,cn=accounts,dc=platform,dc=***' -W -b 'cn=users,cn=accounts,dc=platform,dc=***' localhost uid
The reason why I am using LDAPS (I did try just "ldap" at first) is that the URI is configured by our FreeIPA scripts at launch (http://www.freeipa.org/page/HowTo/LDAP):

$ cat /etc/openldap/ldap.conf
#File modified by ipa-client-install

URI ldaps://MY_FREEIPA_SERVER
BASE dc=platform,dc=***
TLS_CACERT /etc/ipa/ca.crt
$ ls /etc/openldap/ldap.conf
/etc/openldap/ldap.conf
We are using Release 3 (http://www.freeipa.org/page/Releases/3.0.0) and this is working for external auth for Cloudera Manager, HUE and other non-Hadoop components integrated within the platform.
Still unable to log in, though.
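An added check for the DN-pattern settings in the post above (example code, not from the thread or from Cloudera): it reads the ipa-client-install ldap.conf shown earlier, builds the LDAP URL with the base DN, expands the `uid={0}` pattern the way the linked Cloudera documentation describes (the login name replaces `{0}` and the base DN from the URL is appended; that composition is an assumption here), and lists the RDNs that the DN accepted by `ldapsearch -D` has but the expanded pattern lacks. `dc=platform,dc=example` stands in for the redacted `dc=***`.

```python
"""Compare a Navigator 'LDAP Distinguished Name Pattern' with a DN known to work.

Added example; assumes (per the linked Cloudera doc) the bind DN is the pattern
with {0} replaced by the login name plus the base DN taken from the LDAP URL.
"""
from urllib.parse import urlparse

# Constructed copy of the /etc/openldap/ldap.conf written by ipa-client-install;
# 'dc=platform,dc=example' stands in for the redacted 'dc=***' from the post.
LDAP_CONF = """#File modified by ipa-client-install
URI ldaps://MY_FREEIPA_SERVER
BASE dc=platform,dc=example
TLS_CACERT /etc/ipa/ca.crt
"""

def parse_ldap_conf(text):
    """Return the KEYWORD -> value pairs of an OpenLDAP ldap.conf, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.upper()] = value.strip()
    return conf

def split_dn(dn):
    """Split a DN into RDNs (the FreeIPA DNs here contain no escaped commas)."""
    return [rdn.strip() for rdn in dn.split(",") if rdn.strip()]

def expand_pattern(dn_pattern, username, ldap_url):
    """DN Navigator would bind with: substituted pattern, then the URL's base DN (if any)."""
    base_dn = urlparse(ldap_url).path.lstrip("/")
    return ",".join(split_dn(dn_pattern.replace("{0}", username)) + split_dn(base_dn))

def missing_rdns(candidate_dn, working_dn):
    """RDNs the ldapsearch-accepted DN has that the candidate DN lacks (e.g. cn=users)."""
    have = set(split_dn(candidate_dn))
    return [rdn for rdn in split_dn(working_dn) if rdn not in have]

if __name__ == "__main__":
    conf = parse_ldap_conf(LDAP_CONF)
    url = conf["URI"] + "/" + conf["BASE"]      # what the post puts in 'LDAP URL'
    working = "uid=MY_USER,cn=users,cn=accounts,dc=platform,dc=example"  # accepted by ldapsearch -D
    for pattern in ("uid={0}", "uid={0},cn=users,cn=accounts"):
        candidate = expand_pattern(pattern, "MY_USER", url)
        print(f"{pattern:32} -> {candidate}   missing RDNs: {missing_rdns(candidate, working)}")
```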

Cloudera Employee
Posts: 8
Registered: 08-18-2015

Re: Cloudera Navigator External Authentication with FreeIPA

Hi,
Can you please look at the Navigator server log to see if there are any errors. Also, if you enable logging for Spring Security, it will print out messages that may help in figuring out what is going wrong. To enable this logging, in CM go to "Cloudera Management Services" -> "Configuration" -> "Navigator Metadata Server Logging Advanced Configuration Snippet (Safety Valve)" and add the following:
log4j.logger.org.springframework.security=DEBUG
After that restart the server and try logging in. The log file now contains debug messages that may help with figuring out what is going wrong.

New Contributor
Posts: 3
Registered: 03-07-2016

Re: Cloudera Navigator External Authentication with FreeIPA

Any updates on the status of Nav working with FreeIPA / IdM? Running into similar issues with 5.10.