Explorer
Posts: 14
Registered: ‎12-19-2017

[HUE CDH 6.0] All users login in as superusers and LDAP filters not working.

Hello my dear gods of the Big Data!

I'm having the following problems:

Problem #1 - all users are logging in as superusers. How is this possible? I have a 5.12 cluster and this isn't happening. On the new one (CDH 6), Hue is giving this permission to everyone. What am I missing?

Problem #2 - LDAP configuration. Hue isn't using my filters!?

LDAP Configuration:

 

Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini

[desktop]
[[ldap]]
sync_groups_on_login=true
debug_level=255
trace_level=9

 

Authentication Backend (LdapBackend ldap_url) - ldap://stuff1.stuff2.stuff3:389

LDAP Username Pattern (ldap_username_pattern) - empty

Use Search Bind Authentication (search_bind_authentication) - True

Create LDAP users on login (create_users_on_login) - True

LDAP Search Base (base_dn) - dc=stuff1,dc=stuff2,dc=stuff3
LDAP Bind User Distinguished Name (bind_dn) - CN=user,OU=stuff4,DC=stuff1,DC=stuff2,DC=stuff3
LDAP Bind Password (bind_password) - •••••••••••••••••••••
LDAP User Filter (user_filter) - empty
LDAP Username Attribute (user_name_attr) - sAMAccountName
LDAP Group Filter (group_filter) - (&(objectClass=group)(cn=GBGDATA*))
LDAP Group Name Attribute (group_name_attr) - cn
LDAP Group Membership Attribute (group_member_attr) - member
 
The idea behind this configuration is to filter all accesses to users that belong to all groups which start with "GBGDATA". 

In access.log, debug shows this:

[26/Oct/2018 14:57:52 +0100] DEBUG search_s('dc=stuff1,dc=stuff2,dc=stuff3', 2, '(&(sAMAccountName=%(user)s)(objectclass=*))') returned 1 objects: cn=myuser,ou=stuff5,dc=stuff1,dc=stuff2,dc=stuff3
[26/Oct/2018 14:57:52 +0100] DEBUG Populating Django user myuser
[26/Oct/2018 14:57:53 +0100] WARNING 123.123.123.123 myuser - "POST /hue/accounts/login HTTP/1.1"-- Successful login for user: myuser

Why in the hell is HUE using:

(&(sAMAccountName=%(user)s)(objectclass=*))

Instead of what I've set above???

 

Thanks everyone!

Explorer
Posts: 14
Registered: ‎12-19-2017

Re: [HUE CDH 6.0] All users login in as superusers and LDAP filters not working.

We managed to find a... sort of... solution... I think... at least... it seems to be working.

 

Changed:

LDAP User Filter (user_filter) from empty to 

(|(memberOf=CN=GBGDATA1,OU=stuff4, OU=stuff5,DC=stuff1,DC=stuff2,DC=stuff3) (memberOf=CN=GBGDATA2,OU=stuff4, OU=stuff5,DC=stuff1,DC=stuff2,DC=stuff3)(memberOf=CN=GBGDATA3,OU=stuff4, OU=stuff5,DC=stuff1,DC=stuff2,DC=stuff3))

 
LDAP Group Filter (group_filter) from (&(objectClass=group)(cn=GBGDATA*)) to (objectClass=group)
 
 
Is there any way of doing this but with a wildcard *? Like GBGDATA*?
 
If we need to put more groups... this is going to become a huge pain in the a...
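
Added example, not part of the original posts: Active Directory does not support substring matches on DN-valued attributes such as memberOf, so one way to avoid hand-editing the filter is to generate the user_filter OR-clause from the groups whose cn does match the prefix. The group list here is constructed sample data and the function names are hypothetical; in practice the list would come from an LDAP search using the group filter from the first post.

```python
# Added example (not from the thread). SAMPLE_GROUPS is constructed data that
# stands in for the result of an LDAP search with the thread's group filter,
# (&(objectClass=group)(cn=GBGDATA*)); the DNs reuse the thread's placeholders.
BASE = "OU=stuff4,OU=stuff5,DC=stuff1,DC=stuff2,DC=stuff3"
SAMPLE_GROUPS = [
    {"cn": "GBGDATA1", "dn": "CN=GBGDATA1," + BASE},
    {"cn": "GBGDATA2", "dn": "CN=GBGDATA2," + BASE},
    {"cn": "GBGDATA(test)", "dn": "CN=GBGDATA(test)," + BASE},
    {"cn": "OTHERTEAM", "dn": "CN=OTHERTEAM," + BASE},
]


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = "\\*()\x00"
    return "".join("\\%02x" % ord(ch) if ch in special else ch for ch in value)


def build_user_filter(groups, cn_prefix):
    """Return an OR of memberOf clauses for groups whose cn starts with cn_prefix."""
    prefix = cn_prefix.upper()
    dns = sorted(g["dn"] for g in groups if g["cn"].upper().startswith(prefix))
    if not dns:
        # An empty OR is not a valid filter, and falling back to no filter
        # would let every directory user log in, so fail loudly instead.
        raise ValueError("no group matches prefix %r" % cn_prefix)
    clauses = "".join("(memberOf=%s)" % escape_filter_value(dn) for dn in dns)
    return clauses if len(dns) == 1 else "(|%s)" % clauses


if __name__ == "__main__":
    # Paste the printed value into LDAP User Filter (user_filter).
    print(build_user_filter(SAMPLE_GROUPS, "GBGDATA"))
```

Re-run it whenever a GBGDATA group is added or removed, since the generated filter is a snapshot of the group list.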