Created 07-01-2016 02:27 PM
I ran into an AD configuration where users are in several subdomains (say NA.EXAMPLE.COM and SA.EXAMPLE.COM). However, most of the groups to which a user belongs that we care about are in one subdomain (NA.EXAMPLE.COM). I was able to get users from multiple subdomains using CompositeGroupsMapping and creating a separate LDAPGroupsMapping for each subdomain. However, I am only getting groups belonging to the same subdomain to which that user belongs. Has anyone run into similar AD issues, and how did you get around them?
Overall, LDAPGroupsMapping uses the user input to get the UserDN and then queries all the groups in the domain to see if that UserDN is in the 'member' field. We are able to get all the groups directly from the 'User' using 'memberOf'. So, worst case, if nothing can be done using configuration, I was thinking of overriding doGetGroups in LDAPGroupsMapping with logic to get the memberOf attributes.
Created 07-01-2016 07:02 PM
This will depend on how the forests are set up in AD, but generally you should be able to query the top-level domain using the global catalog port (generally 3268 or 3269 instead of the traditional 389). Using the GC port will allow you to follow continuation referrals (referrals that send you from ldap://example.com to ldap://na.example.com).
In this case you should be able to use "ldap://EXAMPLE.COM:3268" with a base of "DC=EXAMPLE,DC=COM" which should allow you to return users and groups from all sub domains.
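The answer above expressed as a core-site.xml excerpt for Hadoop's LdapGroupsMapping. This is an added example, not configuration from the original post; the service-account DN, the password file path and the OU names are assumptions, and the search filters are the Hadoop defaults for AD.

```xml
<!-- core-site.xml (excerpt): group lookup through the AD global catalog -->
<property>
  <name>hadoop.security.group.mapping</name>
  <value>org.apache.hadoop.security.LdapGroupsMapping</value>
</property>
<property>
  <!-- Global catalog port 3268 (3269 for LDAPS with ldap.ssl=true): one
       search covers NA.EXAMPLE.COM, SA.EXAMPLE.COM and every other child domain -->
  <name>hadoop.security.group.mapping.ldap.url</name>
  <value>ldap://EXAMPLE.COM:3268</value>
</property>
<property>
  <!-- Forest root as the search base so users and groups from all subdomains are in scope -->
  <name>hadoop.security.group.mapping.ldap.base</name>
  <value>DC=EXAMPLE,DC=COM</value>
</property>
<property>
  <!-- Assumed read-only service account; it needs no rights beyond reading the directory -->
  <name>hadoop.security.group.mapping.ldap.bind.user</name>
  <value>CN=svc-hadoop,OU=ServiceAccounts,DC=EXAMPLE,DC=COM</value>
</property>
<property>
  <!-- Keep the bind password out of core-site.xml; the file should be readable
       only by the accounts that run the Hadoop daemons (assumed path) -->
  <name>hadoop.security.group.mapping.ldap.bind.password.file</name>
  <value>/etc/hadoop/conf/ldap-bind.password</value>
</property>
<property>
  <!-- {0} is replaced with the user name being resolved -->
  <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
  <value>(&amp;(objectClass=user)(sAMAccountName={0}))</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
  <value>(objectClass=group)</value>
</property>
<property>
  <!-- Group objects are matched on this attribute containing the user's DN -->
  <name>hadoop.security.group.mapping.ldap.search.attr.member</name>
  <value>member</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
  <value>cn</value>
</property>
```

After deploying, `hdfs groups <username>` shows what the mapping actually resolves for a user from each subdomain. Note that the global catalog replicates the `member` attribute only for universal groups, so membership in global or domain-local groups from another domain may still not appear through the GC port.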