
Cloudera Navigator External Authentication with FreeIPA



I am having issues with configuring external authentication for Cloudera Navigator with FreeIPA (OpenLDAP compatible). I am following the instructions "Configuring Cloudera Navigator Authentication Using an OpenLDAP-compatible Server" found here:


  • In the External Authentication Type, select LDAP - DONE
  • In the LDAP URL property, provide the URL of the LDAP server and (optionally) the base Distinguished Name (DN) (the search base) as part of the URL — for example ldap://,dc=com. - DONE (experimented with both ldaps://MY_FREEIPA_SERVER and ldaps://MY_FREEIPA_SERVER/dc=platform,dc=***)
  • In the Bind Distinguished Name property, enter the distinguished name of the user to bind as. This is used to connect to the LDAP server for searching groups and to get other user information. - DONE (I used my own IPA user ID to get this to work first; I am an admin user)
  • In the LDAP Bind Password property, enter the password for the bind user entered above.



Other configurations: 

LDAP Distinguished Name Pattern: uid={0}

LDAP User Search Base: cn=accounts,dc=platform,dc=***


I was able to troubleshoot using the ldapsearch command (requires the openldap-clients package) on the host where LDAP authentication or authorization issues are being seen:

$ ldapsearch -D 'uid=MY_USER,cn=users,cn=accounts,dc=platform,dc=***' -W -b 'cn=users,cn=accounts,dc=platform,dc=***' localhost uid


The reason why I am using LDAPS (I did try just "ldap" at first) is because the URI is configured by our FreeIPA scripts at launch (

$ cat /etc/openldap/ldap.conf
#File modified by ipa-client-install

BASE dc=platform,dc=***
TLS_CACERT /etc/ipa/ca.crt


$ ls /etc/openldap/ldap.conf


We are using Release 3 ( and this is working for external auth for Cloudera Manager, HUE and other non-Hadoop components integrated within the platform.


Still unable to log in though.





Re: Cloudera Navigator External Authentication with FreeIPA

Cloudera Employee



Can you please look at the Navigator server log to see if there are any errors? Also, if you enable logging for Spring Security, it will print out messages that may help in figuring out what is going wrong. To enable this logging, in CM go to "Cloudera Management Services" -> "Configuration" -> "Navigator Metadata Server Logging Advanced Configuration Snippet (Safety Valve)" and add the following:


After that restart the server and try logging in. The log file now contains debug messages that may help with figuring out what is going wrong.

Re: Cloudera Navigator External Authentication with FreeIPA

New Contributor

Any updates on status of Nav working with FreeIPA / IdM - running into similar issues with 5.10?