Ldap Groups Getting ADMIN Role Automatically while adding LDAP groups in External Authentication using API


Hi all,

I am trying to give multiple Cloudera roles to a single LDAP group.
I am using the Python cm_rest client and the v32 API.

LDAP_GROUPS = [
    {'type': 'LDAP', 'authRoles': [{'displayName': 'Full Admin', 'name': 'ROLE_ADMIN'}], 'name': 'test1'},
    {'type': 'LDAP', 'authRoles': [{'displayName': 'Auditor', 'name': 'ROLE_AUDITOR'}, {'displayName': 'BDR Administrator', 'name': 'ROLE_BDR_ADMIN'}], 'name': 'test2'},
    {'type': 'LDAP', 'authRoles': [{'displayName': 'Auditor', 'name': 'ROLE_AUDITOR'}, {'displayName': 'BDR Administrator', 'name': 'ROLE_BDR_ADMIN'}], 'name': 'test3'},
]

external_api_instance = cm_client.ExternalUserMappingsResourceApi(api_client)
add_ldap_group(external_api_instance, LDAP_GROUPS)


In the Cloudera UI, sometimes it takes only one role, "Auditor", for the test2 and test3 LDAP groups, but sometimes it takes both and also adds the "Full Admin" role for test2 and test3.


I also tried giving only the "uuid" of a particular role, like:

[
    {'type': 'LDAP', 'authRoles': [{'uuid': '45431c39-5ff6-4807-bc0a-11a140a1325e'}], 'name': 'admin'},
    {'type': 'LDAP', 'authRoles': [{'uuid': '5aee620c-88bc-4bf8-82da-262f036609bf'}, {'uuid': 'e62bd0fe-7512-41a9-aa63-d764061a4a70'}], 'name': 'guest1'},
    {'type': 'LDAP', 'authRoles': [{'uuid': '5aee620c-88bc-4bf8-82da-262f036609bf'}, {'uuid': 'e62bd0fe-7512-41a9-aa63-d764061a4a70'}], 'name': 'guest2'},
]

but in Cloudera the "Administrator" role is automatically added to guest2 and guest1.


I want to know whether I am updating correctly or not.

Thanks @bgooley 



Super Guru



We might need to know more about how you are creating the mappings and also see what you are seeing in the UI after each command.


One thing that stands out is the function add_ldap_group() that you are calling.  Is that a custom function?  If so, what does it do?

I think you want to call the "create_external_user_mappings" method instead as demonstrated here:


In order to get an idea what might be going on (if changing the code does not work for you) we need to know what you are seeing as unexpected in the UI.
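
Added example, not part of the thread and not Cloudera's code: a check that compares the intended LDAP group mappings with the mappings the server reports after an update, and flags any group that holds a role nobody requested, in particular ROLE_ADMIN. It works on plain dicts in the shape posted in the question; the function names, the `PRIVILEGED_ROLES` set and the `REPORTED` sample are assumptions constructed for illustration.

```python
# Added example: audit external user mappings for unrequested roles.
PRIVILEGED_ROLES = {"ROLE_ADMIN"}  # "Full Admin" role name as posted in the question

def role_ids(mapping):
    """Role identifiers of one mapping: 'name' if present, else 'uuid'."""
    ids = (r.get("name") or r.get("uuid") for r in mapping.get("authRoles") or [])
    return {i for i in ids if i}

def audit_mappings(intended, actual):
    """Compare intended vs. reported mappings; return one finding per drifted group."""
    want = {m["name"]: role_ids(m) for m in intended}
    have = {}
    for m in actual:
        # A group reported more than once counts as the union of its roles.
        have.setdefault(m["name"], set()).update(role_ids(m))
    findings = []
    for group in sorted(set(want) | set(have)):
        extra = have.get(group, set()) - want.get(group, set())
        missing = want.get(group, set()) - have.get(group, set())
        if extra or missing:
            findings.append({
                "group": group,
                "extra": sorted(extra),      # roles granted but never requested
                "missing": sorted(missing),  # roles requested but not granted
                "privileged": bool(extra & PRIVILEGED_ROLES),
            })
    return findings

# Intended mappings, as posted in the question (displayName omitted).
INTENDED = [
    {"type": "LDAP", "name": "test1", "authRoles": [{"name": "ROLE_ADMIN"}]},
    {"type": "LDAP", "name": "test2",
     "authRoles": [{"name": "ROLE_AUDITOR"}, {"name": "ROLE_BDR_ADMIN"}]},
    {"type": "LDAP", "name": "test3",
     "authRoles": [{"name": "ROLE_AUDITOR"}, {"name": "ROLE_BDR_ADMIN"}]},
]
# Constructed server state reproducing the two symptoms described in the question.
REPORTED = [
    {"type": "LDAP", "name": "test1", "authRoles": [{"name": "ROLE_ADMIN"}]},
    {"type": "LDAP", "name": "test2", "authRoles": [
        {"name": "ROLE_AUDITOR"}, {"name": "ROLE_BDR_ADMIN"}, {"name": "ROLE_ADMIN"}]},
    {"type": "LDAP", "name": "test3", "authRoles": [{"name": "ROLE_AUDITOR"}]},
]

if __name__ == "__main__":
    for f in audit_mappings(INTENDED, REPORTED):
        level = "ALERT" if f["privileged"] else "WARN"
        print(f"{level} {f['group']}: extra={f['extra']} missing={f['missing']}")
```

Running the check after every mapping change turns the "sometimes it adds Full Admin" symptom into a reproducible finding that can be attached to a support request.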