Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

External authentication with AD and Cloudera Manager 5

Solved Go to solution

External authentication with AD and Cloudera Manager 5

Explorer

Hi,

 

I tried to configure external authentication with AD on CDM5 but it' failed, i've the following errors into cloudera-scm-server.log file :

 

2014-08-15 19:26:43,229  INFO [1244120161@scm-web-5:ad.ActiveDirectoryLdapAuthenticationProvider@183] Active Directory authentication failed: Supplied password was invalid
2014-08-15 19:26:43,232  INFO [1244120161@scm-web-5:cmf.CmfLdapAuthenticationProvider@107] LDAP/AD authentication failure for administrateur@dg.local
2014-08-15 19:26:43,243  INFO [1244120161@scm-web-5:cmf.AuthenticationFailureEventListener@19] Authentication failure for user: administrateur@dg.local

 

Here is my configuration :

 

ad_error.jpg

 

I've sucessfully configured kerberos AD authentication for all hadoop services but just for cdm not !

 

Could you please help me ?

 

regards.

 

1 ACCEPTED SOLUTION

Accepted Solutions

Re: External authentication with AD and Cloudera Manager 5

Super Collaborator

Here is a screenshot of a working configuration.

 

Settings_-_Cloudera_Manager.png

7 REPLIES 7

Re: External authentication with AD and Cloudera Manager 5

New Contributor

 

documentaion : http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cm_sg_external_auth.htm...

 

Configuring Authentication Using Active Directory

 

 

set.png

 

 

 

 

 

 

ploblem.png

 

I'm also have this problem. 

Problem was solved? 

Re: External authentication with AD and Cloudera Manager 5

Explorer

yes thank you for your reply.

Re: External authentication with AD and Cloudera Manager 5

Super Collaborator

Here is a screenshot of a working configuration.

 

Settings_-_Cloudera_Manager.png

Highlighted

Re: External authentication with AD and Cloudera Manager 5

Explorer

Used Grizzly's screenshot as reference and was able to set External authentication with Active directory.

But running into this error for ONLY ONE user. Any ideas on how to troubleshoot this?

Created new post as I was not sure if this was still active.

Thanks!

Re: External authentication with AD and Cloudera Manager 5

Super Collaborator

Hi,

 

Is it planned to add this ability to the express cloudera manager version? is there any similar thing i can do woth the express version?

Re: External authentication with AD and Cloudera Manager 5

Super Guru

@Fawze,

 

Currently, LDAP authentication for Cloudera Manager is only available in Cloudera Enterprise as outlined here:

 

https://www.cloudera.com/documentation/enterprise/latest/topics/cm_ig_feature_differences.html

 

If you wish to discuss licensing options with Sales, the following form can be used:

 

https://www.cloudera.com/contact-sales.html

 

Ben

 

 

Re: External authentication with AD and Cloudera Manager 5

Super Guru

@nkumari,

 

For the one user, what message are you seeing, exactly, in the UI when they try to log in?

Since Active Directory authentication will concatenate the username provided in the UI with an '@' character and then the domain you specified to form a userPrincipalName.

 

For example, if you login with 'myname' and your "Active Directory NT Domain" configuration in Cloudera Manager is "example.com" then the userPrincipalName used to authenticate to AD is:

 

myname@example.com

 

This works most of the time, but it will fail if the login string used does not match the left part of the user's userPrincipalName attribute in Active Directory.  Sometimes the userPrincipalName shortname (left of the '@' sign) does not match the sAMAccountName that users often use as their login.

 

I'd check to the value the user who can't login is using as their username and see if the userPrincipalName that it generates in for authentication matches the userPrincipalName that exists for that user in their AD object.

 

The problem could be something else, but the issue I described is something we have see from time to time.

 

The remedy, then would be to use LDAP as the external authenitication method.