https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-LDAP-AD-in-Knox/m-p/142076#M27994 <P>Thank you very much <A rel="user" href="https://community.cloudera.com/users/63/amiller.html" nodeid="63">@Alex Miller</A> for your quick response. According to doc that you linked and log I found out that I had misconfigured <EM>userDnTemplate</EM>.</P><P>I have another problem. In my AD/LDAP I am using <EM>sAMAccountName</EM> to identify user, so I need to type at the begging of <EM>userDnTemplate</EM> something like: <EM>sAMAccountName={0},ou=</EM>... so on, but it does not recognize users. I cant use <EM>cn={0}</EM> because as a <EM>cn</EM> I use two separate words - so I will not work. I dont use <EM>uid</EM>, and I am not AD admin to add or edit anything.</P> Thu, 12 May 2016 01:57:45 GMT frank93 2016-05-12T01:57:45Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-LDAP-AD-in-Knox/m-p/142074#M27992 <P> Hi,</P><P> I have a problem with configuring LDAP/AD with Knox. The DEMO LDAP works great for both: sandbox and my own cluster. I am configuring LDAP connection using this document: <A href="https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.2/bk_Knox_Gateway_Admin_Guide/content/setting_up_ldap_authentication.html">Setting Up LDAP Authentication</A>. I configured main.ldapRealm.userDnTemplate and main.ldapRealm.contextFactory.url. I tried both classes in main.ldapRealm (KnoxLdapRealm and Jndi...) I am using Ambari to make changes. The versions I use is: sandbox - 2.4.0 and my cluster 2.3.2. When I configure my LDAP - Knox keeps saying that I am unauthorized (401). The credentials are correct because I can use them to log in beeline which is also configured with LDAP + AD.</P><P>Do I need to change Advanced users-ldif section in Ambari as well?</P><P>Thank you in advance.</P> Wed, 11 May 2016 21:28:25 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-LDAP-AD-in-Knox/m-p/142074#M27992 frank93 2016-05-11T21:28:25Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-LDAP-AD-in-Knox/m-p/142075#M27993 <P>If your users belong to different branches of the LDAP directory you'll need to use <A href="http://knox.apache.org/books/knox-0-6-0/user-guide.html#Advanced+LDAP+Authentication">Advanced LDAP Authentication</A> in the Knox topology. Review the linked doc to understand the limitations of userDnTemplate, and refer to the "Example provider config" section to understand the additional properties available.</P><P>There should be log messages in gateway.log corresponding to the 401. Those might provide more insight into the reason for the error, so please provide them if possible.</P> Wed, 11 May 2016 22:10:18 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-LDAP-AD-in-Knox/m-p/142075#M27993 amiller 2016-05-11T22:10:18Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-LDAP-AD-in-Knox/m-p/142076#M27994 <P>Thank you very much <A rel="user" href="https://community.cloudera.com/users/63/amiller.html" nodeid="63">@Alex Miller</A> for your quick response. According to doc that you linked and log I found out that I had misconfigured <EM>userDnTemplate</EM>.</P><P>I have another problem. In my AD/LDAP I am using <EM>sAMAccountName</EM> to identify user, so I need to type at the begging of <EM>userDnTemplate</EM> something like: <EM>sAMAccountName={0},ou=</EM>... so on, but it does not recognize users. I cant use <EM>cn={0}</EM> because as a <EM>cn</EM> I use two separate words - so I will not work. I dont use <EM>uid</EM>, and I am not AD admin to add or edit anything.</P> Thu, 12 May 2016 01:57:45 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-LDAP-AD-in-Knox/m-p/142076#M27994 frank93 2016-05-12T01:57:45Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-LDAP-AD-in-Knox/m-p/142077#M27995 <P>I found the solution. If anyone else is facing the same problem, review this <A href="https://community.hortonworks.com/questions/1783/does-knox-support-active-directory-searches-using.html">link</A> and use <A rel="user" href="https://community.cloudera.com/users/191/bsaini.html" nodeid="191">@bsaini</A> topology. Thanks!</P> Thu, 12 May 2016 02:24:46 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Setting-up-LDAP-AD-in-Knox/m-p/142077#M27995 frank93 2016-05-12T02:24:46Z