Support Questions

Find answers, ask questions, and share your expertise
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.

Authentication & authorization with Multiple Active Directory domains

New Contributor

Hi Everybody,

In my organization we have a special case of 2 Active Directory domains.

All users are in ad.domain1, and OU in a ad.domain2 was used during Cloudera installation. Bind user was also created in ad.domain2. The same OU in domain2 is used to create security groups and add users from the domain1. We have trouble to configure Cloudera (HDFS, Sentry, Hive, Impala) to define user’s groups. In domain1 objectClass for users is ‘user’, but in domain2 those users are not ‘users’ but members of groups. I know how to set params for ldapsearch command:


ldapsearch -LLL -H "ldap://ad.domain2:3268" -D bind_user@ad.domain2 -W -b ou=my_ou_name,dc=ad,dc=domain2 "(&(objectClass=group)(member=CN=username1,OU=People,DC=domain1))" memberOf


This command will return the list of username1 groups in domain2. But question is – how to configure Cloudera’s CompositeGroupsMapping properties to have back the same list of groups in a format, which hdfs, sentry, hue would understand? Is it even possible with currently release of CDH?

Does anybody have the similar use case?





Hi Alex,


I don't believe CompositeGroupsMapping is not an exposed configuration in Cloudera Manager.

Are you referring to this?

New Contributor

Good Afternoon h@cloudera ,

You are correct, CompositeGroupsMapping config is not directly exposed in Cloudera Manager. Safety valve should be used to configure it.

And yes, I am referring to Apache Hadoop doc.




I don't believe we've done much testing with CDH and Composite Group Mappings but from what I understand, you'd specify the configurations for each LDAP (AD) provider individually - in the example provided in the previous link, we can see how each LDAP URL is provided; if other LDAP configurations differ such as bind user, bind password, filters, etc. those can be entered as additional properties.


All of this would go in the cluster wide core-site.xml safety valve (in HDFS configurations).


Again, haven't tested it but there are some who use it. A more robust approach would be to use tools like Centrify, VAS, SSSD, etc. to handle the AD/Linux integration.

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.