In my organization we have a special case of 2 Active Directory domains.
All users are in ad.domain1, and an OU in ad.domain2 was used during Cloudera installation. The bind user was also created in ad.domain2. The same OU in domain2 is used to create security groups and add users from domain1. We have trouble configuring Cloudera (HDFS, Sentry, Hive, Impala) to define users’ groups. In domain1 the objectClass for users is ‘user’, but in domain2 those users are not ‘users’ but members of groups. I know how to set the params for the ldapsearch command:
ldapsearch -LLL -H "ldap://ad.domain2:3268" -D firstname.lastname@example.org -W -b ou=my_ou_name,dc=ad,dc=domain2 "(&(objectClass=group)(member=CN=username1,OU=People,DC=domain1))" memberOf
This command will return the list of username1’s groups in domain2. But the question is: how do I configure Cloudera’s CompositeGroupsMapping properties to get back the same list of groups in a format which HDFS, Sentry and Hue would understand? Is it even possible with the current release of CDH?
Does anybody have a similar use case?