Support Questions

Find answers, ask questions, and share your expertise
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.

External Authentication Active Directory (AD) Cloudera Enterprise Trial 5.14.3

New Contributor

We are evaluating an Azure marketplace Cloudera Enterprise Trial for the purpose of BI.  We have nearly everything configured except External Authentication against A.D.  We have configured Kerberos within Cloudera manager successfully and have also tested successful LDAP queries via a Windows server in Azure against our on premise A.D. servers.


But, no matter the configuration we have set in the External Authentication page, we cannot get it to work.

  • Type
    • AD
    • LDAP
  • URL
    • ldap & ldaps
  • Bind User
    • CN=username,OU=Hadoop,OU=Prod,OU=ServiceAccounts,OU=Users,OU=Site,DC=domain,DC=org
    • username
  • AD Domain
    • Blank
  • User search filter
    • (sAMAccountName={0})
    • (uid={0})
    • (userPrincipalName={0})
  • Update both User/Group
    • OU=Users,OU=Site,DC=domain,DC=org
    • OU=Prod,OU=Roles,OU=Security,OU=Groups,OU=Site,DC=domain,DC=org
  • On Logon
    • username
    • NETBIOSDOMAIN\username
  • Domain Controller Event Logs, showed no attempt by the Bind account

Is there any limitations of the Enterprise Trial that might prevent this?  Or where are the logs on the system related to the External Authentication?






Cloudera Employee

@dchu You can check the CM server log at /var/log/cloudera-scm-server/cloudera-scm-server.log while you attempt to log in to see what the exception is (if there is one).


Can you show an example query using ldapsearch to return a user? (redact anything you don't want seen publicly)

New Contributor

Thank you, that path does not show when doing an LS under /var/log, but cd /var/log/cloudera-scm-server does work... I made a few attempts using different username styles (username,, domain/username) and in the log it says "LDAP/AD authentication failed" / "Authentication failure for user: 'username' from x.x.x.219" for each attempt... this is my personal account and I know I am entering my password correctly.


I also know I am a member of the group "UsrGrpFullAdmin" which is the group configured to be "LDAP Full Administrators Group."


Could this suggest there is a problem with the bind account (which is different then the account I am using to log in via the main page).  How should the bind account be typed for A.D.? (i.e.)


  • CN=username,OU=Hadoop,OU=Prod,OU=ServiceAccounts,OU=Users,OU=Site,DC=domain,DC=org
  • username

I ran the following successfully from the Cloudera Management server via SSH:

ldapsearch -h x.x.x.x -b OU=Site,DC=domain,DC=org -x -w 'password' -D CN=username,OU=Hadoop,OU=Prod,OU=ServiceAccounts,OU=Users,OU=Site,DC=domain,DC=org sAMAccountName=endusername


What was interesting, it was finicky with the password.  But with the single quotes it was successful.  Both the server via IP and FQDN worked.


Are there any limitations regarding the password or what not?

Cloudera Employee

Use LDAP binding and set the bind username to what you set here (along with the bind password in CM):




Then from the output of your ldapsearch make sure the attributes and membership are what you expect and have configured in CM.



You can also test the ldap config set in CM with the following: (grab the one with dependencies) (for sample config)


On the CM node:

java -classpath '/usr/share/cmf/common_jars/*:./cmldap-v1.0.0-cm5.jar' ''





New Contributor

I have tried everything I can think of - but it always fails.  I can query with no problems using the ldapsearch from the shell of the Cloudera server; however, no matter the configuration it seems to fail...


  • Authentication failure for user: 'username' from x.x.x.x
    • Incorrect result size: expected 1, actual 0
  • LDAP/AD authentication failure for
    • Bad credentials
  • LDAP/AD authentication failure for DOMAIN\username
    • Bad credentials

I have tried a simplier password for the bind account, more narrowed/broad user/group base DNs, different user accounts for the bind, various search filters...


We have 2x domains (1x & a sub domain - the host I am pointing the config to is a domain controller for - all the users sit in this domain.


I have tried with a blank and populated A.D. directory domain...

Cloudera Employee

Try the jar I linked you first and as a note CM doesn't follow referrals so you may have to use the global catalog port.

New Contributor

Sorry, I missed the jar file...  But I actually got it working...  Turns out we thought going to "Clusters" - selecting the cluster - Actions - Restart, did not actually restart the necessary services. Every change I made, no matter how drastic, it still reported the same errors in the log.


After finding the correct way to restart the necessary services [Link], the errors started to make more sense. Now I cannot get it to work using “Active Directory,” I wonder if because of referrals [Link], but it does work using LDAP now which is fine by us… Thanks for the help/insight!

Cloudera Employee

I thought you were restarting the CM server each time but I'm glad you figured it out!

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.