Altus Director integration with Active Directory


Scenario:

I recently integrated Altus Director with Active Directory for role based authentication & authorisation. After implementation I noticed that the default admin credential (admin/admin) was not working anymore, which was expected.

 

My question is:

  1. Is it possible/recommended to create another 'admin' user in Altus Director (or in Active Directory) as a master credential just for back-up?
  2. Does Altus Director have an Authentication Backend Order (e.g. Database then External) like we have in Cloudera Manager?
  3. Suppose a user is present in the admin group as well as the readonly group; what role does Altus Director assume for that user?

Thank you.

Accepted Solutions

Re: Altus Director integration with Active Directory

Contributor

Is it possible/recommended to create another 'admin' user in Altus Director (or in Active Directory) as a master credential just for back-up?


Rather than granting individual users the Admin role, when you integrate Director with Active Directory, you can map an Active Directory group to the Admin role by setting the following property:

 

lp.security.ldapConfig.activeDirectory.roleMapping.DirectorAdminGroupCn: <ADMIN_GROUP_CN>

 

With this, once you start Director, all the users in that AD group will already have admin privileges.

 


Does Altus Director have an Authentication Backend Order (e.g. Database then External) like we have in Cloudera Manager?


As far as I know the lp.security.userSource parameter only accepts two values: LDAP and internal, and they are mutually exclusive.

 


Suppose a user is present in the admin group as well as the readonly group; what role does Altus Director assume for that user?

The union of the privileges, so the user will be an Admin.


Re: Altus Director integration with Active Directory


lp.security.ldapConfig.activeDirectory.roleMapping.DirectorAdminGroupCn: <ADMIN_GROUP_CN>


As per the documentation and my understanding the proper syntax would be

lp.security.ldapConfig.activeDirectory.roleMapping.<Active_Directory_Group_CN>: <ADMIN> / <READONLY>

 

Please correct me if I'm wrong.

 

Thank you.

 

Re: Altus Director integration with Active Directory

Contributor

Yes, your understanding is correct.
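
Added example, not part of the thread and not Cloudera's code: a pre-restart check of a Director properties file that uses the `roleMapping.<group CN>: <role>` syntax confirmed above, flags a configuration in which no AD group maps to the admin role, and resolves a user's role as the union of privileges described in the accepted answer. The role literals `ADMIN` and `READONLY` follow the thread's placeholders and are an assumption; the group CNs, sample files and function names are constructed for illustration.

```python
import re

# Assumptions: role literals follow the thread's <ADMIN>/<READONLY> placeholders;
# group CNs in the samples are constructed.
PREFIX = "lp.security.ldapConfig.activeDirectory.roleMapping."
ROLES = ("READONLY", "ADMIN")  # ascending privilege

SAMPLE = """\
lp.security.userSource: LDAP
lp.security.ldapConfig.activeDirectory.roleMapping.director-admins: ADMIN
lp.security.ldapConfig.activeDirectory.roleMapping.director-viewers: READONLY
"""
# Key and value the other way round, as in the first form quoted in the thread.
SWAPPED = """\
lp.security.userSource: LDAP
lp.security.ldapConfig.activeDirectory.roleMapping.DirectorAdminGroupCn: director-admins
"""

def parse_properties(text):
    """Parse 'key: value' or 'key=value' lines; skip blanks and # comments."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#:=\s][^:=\s]*)\s*[:=]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def role_mappings(props):
    """Return {AD group CN: role} taken from roleMapping.<group CN> keys."""
    return {k[len(PREFIX):]: v.upper() for k, v in props.items() if k.startswith(PREFIX)}

def effective_role(user_groups, mappings):
    """Union of privileges: the highest role among the user's mapped groups."""
    roles = [mappings[g] for g in user_groups if mappings.get(g) in ROLES]
    return max(roles, key=ROLES.index) if roles else None

def lint(props):
    """List problems that would leave Director with no usable admin login."""
    mappings = role_mappings(props)
    if props.get("lp.security.userSource", "").upper() != "LDAP":
        return ["roleMapping is set but userSource is not LDAP"] if mappings else []
    findings = [f"group {g!r} maps to unknown role {r!r}"
                for g, r in mappings.items() if r not in ROLES]
    if "ADMIN" not in mappings.values():
        findings.append("no AD group maps to ADMIN")
    return findings
```

Running `lint(parse_properties(...))` on the file before switching `lp.security.userSource` to LDAP catches the case where the built-in admin login stops working and no directory group has been given the admin role.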
