Support Questions
Find answers, ask questions, and share your expertise

How to make Hue look at multiple AD groups for LDAP Search Base - base_dn

Explorer

Hi,

 

We are running Hue as part of CDH 6.2 (and currently upgrading to 6.3.3). We have an AD group - hue-users - which is the base_dn in the CDH Hue config. This group controls basic access to Hue.

 

I would like to add another AD group. How do I do this?

 

For context, this is so that we can split permissions between groups. One group (hue-users) is for user access (all modules). The other is for unattended service accounts, so we only want them be able to access/schedule/run Oozie jobs.

 

Edit: they're all in the same AD realm, although not necessarily the same OU path.

 

My current config is (the numbers are for reading nested AD groups)

(memberOf:1.2.840.113556.1.4.1941:=CN=hue-users,OU=x,DC=x,DC=x,DC=x)

 

I've tried (with various brackets etc):

((memberOf:1.2.840.113556.1.4.1941:=CN=hue-users,OU=x,DC=x,DC=x,DC=x) || (memberOf:1.2.840.113556.1.4.1941:=CN=service-users,OU=x,DC=x,DC=x,DC=x))

 

(|(memberOf:1.2.840.113556.1.4.1941:=CN=hue-users,OU=x,DC=x,DC=x,DC=x)(memberOf:1.2.840.113556.1.4.1941:=CN=service-users,OU=x,DC=x,DC=x,DC=x))

 

None have worked. Any suggestions?

1 ACCEPTED SOLUTION

Explorer

Solved it. This works.

 

(|(memberOf:1.2.840.113556.1.4.1941:=CN=hue-users,OU=x,DC=x,DC=x,DC=x)(memberOf:1.2.840.113556.1.4.1941:=CN=service-users,OU=x,DC=x,DC=x,DC=x))

View solution in original post

2 REPLIES 2

Explorer

EDIT: which is the base_dn in the CDH Hue config

 

It's the 

LDAP User Filter
user_filter
Not the base_dn

Explorer

Solved it. This works.

 

(|(memberOf:1.2.840.113556.1.4.1941:=CN=hue-users,OU=x,DC=x,DC=x,DC=x)(memberOf:1.2.840.113556.1.4.1941:=CN=service-users,OU=x,DC=x,DC=x,DC=x))

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.