Ranger authentication using LDAP/AD

New Contributor

Do we need only the below parameters to configure to implement Ranger authentication using LDAP/AD ?

1A : common configs

LDAP/AD URL :

Bind Anonymous :

Bind User :

Bind User Password **********

1b : user configs

Username Attribute :

User Object Class :

User Search Base :

User Search Filter :

User Search Scope :

User Group Name Attribute :

Group User Map Sync :

1c: Group configs

Group Member Attribute

Group Name Attribute

Group Object Class

Group Search Base

Group Search Filter

******************* hdfs core-site.xml **********

hadoop.security.group.mapping =

hadoop.security.group.mapping.ldap.bind.user =

hadoop.security.group.mapping.ldap.bind.password =

hadoop.security.group.mapping.ldap.url =

hadoop.security.group.mapping.ldap.base =

hadoop.security.group.mapping.ldap.search.filter.user =

hadoop.security.group.mapping.ldap.search.filter.group =

hadoop.security.group.mapping.ldap.search.attr.member =

hadoop.security.group.mapping.ldap.search.attr.group.name =

What information should I request from my security / AD team to punch into the above variables?

Thanks

JJ

Re: Ranger authentication using LDAP/AD

Super Guru

@Jacqualin jasmin

First the easy part. The values in core-site.xml are required if you want to integrate HDFS with LDAP. That's independent of Ranger.

Your 1A is required. In most cases you won't do anonymous bind, so I would ask for the bind user and bind password. However, if you are doing anonymous bind, then the bind user and of course its password are not required.

1b and 1c are what determine which tree within LDAP will be searched to authenticate users. Your admin team can help you figure out those values. There is no way I can tell you what they will be for your organization.

For example, I have a cluster at my home. My bind user DN is "cn=Manager,dc=venice,dc=hadoop" <I am of course not sharing the password :)>

Then I have search base which is "ou=people" (you'll probably have something similar) and then similar values for groups. You need to talk to your admin team, but hope this helps guide the conversation.

Re: Ranger authentication using LDAP/AD

New Contributor

Got the below info from my Active Directory admin:

Username: ldapsauth

Password: dnaoda9baia

ldaps://adserver.prod.datasource.com/

Base DN: ou=core,dc=adserver,dc=prod,dc=datasource,dc=com

My Ranger configuration is as below.

Ranger ---> configuration ----> Ranger user info : below configuration

enable usersync : yes

sync source : LDAP/AD

******** common configs **********

LDAP/AD URL :ldaps://adserver.prod.datasource.com/

Bind Anonymous : no

Bind User : ldapsauth

Bind User Password : dnaoda9baia

************** user configs **********

Username Attribute : sAMAccountName

User Object Class : person

User Search Base : ou=core, dc=adserver, dc=prod, dc=datasource, dc=com

User Search Filter :

User Search Scope : sub

User Group Name Attribute : memberof, ismemberof

Group User Map Sync : yes

***************** Group configs **********

Group Member Attribute : member

Group Name Attribute : distinguishedName

Group Object Class : groupofnames

Group Search Base : ou=core,dc=adserver,dc=prod,dc=datasource,dc=com

Group Search Filter : cn=*

***************** hive server 2 ldap configuration *********

hive.server2.authentication : LDAP

hive.server2.authentication.ldap.url : ldaps://adserver.prod.datasource.com/

hive.server2.authentication.ldap.baseDN : ou=core,dc=adserver,dc=prod,dc=datasource,dc=com

hive.server2.authentication.ldap.Domain : prod.datasource.com

***********

The Hive beeline test fails with the below error:

!connect jdbc:hive2://node2.hadoop.datasource.com:10000/default user=<ldap username > password= <ldap password>

Error: Could not open client transport with JDBC Uri: jdbc:hive2://node2.hadoop.datasource.com:10000/default: Peer indicated failure: Error validating the login (state=08S01,code=0)

Thanks

JJ
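As an added example (not code from this thread, and not Ranger's or Hive's own code), here is an offline Python model of what the usersync parameters in the two config lists above actually do (search base and scope select the tree, object class and filter select the entries, the user and group attributes link them), plus a model of the name forms an Active Directory simple bind accepts. Every directory entry, DN, username and password in it is a constructed placeholder, not the poster's real AD. It assumes AD's schema: user entries carry sAMAccountName and userPrincipalName (AD has no uid attribute), group entries carry objectClass "group" with members in "member"; groupOfNames is the OpenLDAP/X.500 group class, so the model finds no groups when that object class is used against these entries. The bind model only shows which names the directory side accepts (entry DN, user@domain as produced by hive.server2.authentication.ldap.Domain, or DOMAIN\user); it does not reproduce how HiveServer2 composes the bind name from baseDN and Domain, which differs between Hive versions and is the thing to compare against the AD server's log when a "could not validate the login" error appears.

```python
"""Offline model of the Ranger usersync LDAP parameters from the thread and of an
AD simple bind. Everything here is constructed for the example; no real AD is
contacted and the entries are not the thread's real directory."""
import fnmatch

BASE = "ou=core,dc=adserver,dc=prod,dc=datasource,dc=com"

# Constructed entries (DN -> attributes) using AD attribute names: users carry
# sAMAccountName/userPrincipalName (AD has no "uid"), groups use "group"/"member".
DIRECTORY = {
    f"cn=jjasmin,{BASE}": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["jjasmin"], "userPrincipalName": ["jjasmin@prod.datasource.com"],
        "memberOf": [f"cn=hive_users,{BASE}", f"cn=ranger_admins,{BASE}"]},
    f"cn=svc_etl,ou=services,{BASE}": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["svc_etl"], "userPrincipalName": ["svc_etl@prod.datasource.com"],
        "memberOf": [f"cn=hive_users,{BASE}"]},
    f"cn=hive_users,{BASE}": {"objectClass": ["top", "group"], "cn": ["hive_users"],
                              "member": [f"cn=jjasmin,{BASE}", f"cn=svc_etl,ou=services,{BASE}"]},
    f"cn=ranger_admins,{BASE}": {"objectClass": ["top", "group"], "cn": ["ranger_admins"],
                                 "member": [f"cn=jjasmin,{BASE}"]},
}
# Constructed placeholder passwords for the bind model (not real credentials).
PASSWORDS = {f"cn=jjasmin,{BASE}": "placeholder-pw-1",
             f"cn=svc_etl,ou=services,{BASE}": "placeholder-pw-2"}

# Ranger "user configs" / "Group configs" as they would suit the entries above.
AD_PARAMS = {
    "username_attribute": "sAMAccountName", "user_object_class": "person",
    "user_search_base": "ou=core, dc=adserver, dc=prod, dc=datasource, dc=com",
    "user_search_filter": "", "user_search_scope": "sub", "user_group_name_attribute": "memberof",
    "group_member_attribute": "member", "group_name_attribute": "cn", "group_object_class": "group",
    "group_search_base": BASE, "group_search_filter": "cn=*", "group_search_scope": "sub",
}


def norm_dn(dn):
    """DN comparison ignores case and the spaces after commas ('ou=core, dc=...')."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def attr(entry, name):
    """LDAP attribute names are case-insensitive ('memberof' == 'memberOf')."""
    return [v for k, vs in entry.items() if k.lower() == name.lower() for v in vs]


def in_scope(dn, base, scope):
    """Search Scope: base = the base entry only, one = its direct children, sub = whole subtree."""
    dn, base = norm_dn(dn), norm_dn(base)
    if scope == "base":
        return dn == base
    below = dn.endswith("," + base)
    if scope == "one":
        return below and "," not in dn[: -len(base) - 1]
    return dn == base or below


def paren(flt):
    """Accept a bare 'cn=*' (as written in the thread) as well as '(cn=*)'."""
    flt = flt.strip()
    return flt if not flt or flt.startswith("(") else f"({flt})"


def matches(entry, flt):
    """Simplified RFC 4515 filter evaluation: (&..), (|..), (!..) and (attr=value) with '*'."""
    inner = paren(flt)[1:-1]
    if inner[0] in "&|!":
        parts, depth, start = [], 0, 1
        for i, ch in enumerate(inner[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                parts.append(inner[start:i + 1])
                start = i + 1
        results = [matches(entry, p) for p in parts]
        return all(results) if inner[0] == "&" else any(results) if inner[0] == "|" else not results[0]
    name, _, pattern = inner.partition("=")
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in attr(entry, name))


def search(base, scope, object_class, extra_filter):
    """One LDAP search as usersync issues it: base/scope restrict the tree, the filter the entries."""
    flt = f"(&(objectClass={object_class}){paren(extra_filter)})"
    return {dn: e for dn, e in DIRECTORY.items() if in_scope(dn, base, scope) and matches(e, flt)}


def sync_users(p):
    """Return {username: sorted group names} the way usersync maps them, combining the
    user's group attribute (memberOf) with the group's member attribute."""
    groups = search(p["group_search_base"], p["group_search_scope"],
                    p["group_object_class"], p["group_search_filter"])
    by_dn = {norm_dn(dn): attr(e, p["group_name_attribute"])[0] for dn, e in groups.items()}
    members = {norm_dn(dn): {norm_dn(m) for m in attr(e, p["group_member_attribute"])}
               for dn, e in groups.items()}
    users = search(p["user_search_base"], p["user_search_scope"],
                   p["user_object_class"], p["user_search_filter"])
    result = {}
    for dn, e in users.items():
        mine = {norm_dn(g) for g in attr(e, p["user_group_name_attribute"])}
        mine |= {g for g, ms in members.items() if norm_dn(dn) in ms}
        result[attr(e, p["username_attribute"])[0]] = sorted(by_dn[g] for g in mine if g in by_dn)
    return result


def simple_bind(identity, password):
    """Model of the names AD accepts for a simple bind: the entry DN, the UPN (user@domain, which
    is what hive.server2.authentication.ldap.Domain produces) or DOMAIN\\sAMAccountName. A
    'uid=<user>,<baseDN>' string names no AD entry, so it is rejected whatever the password."""
    wanted = norm_dn(identity)
    for dn, e in DIRECTORY.items():
        forms = {norm_dn(dn)} | {u.lower() for u in attr(e, "userPrincipalName")}
        forms |= {f"prod\\{s.lower()}" for s in attr(e, "sAMAccountName")}
        if wanted in forms:
            return PASSWORDS.get(dn) == password
    return False


if __name__ == "__main__":
    print(sync_users(AD_PARAMS))
    print(sync_users(dict(AD_PARAMS, group_object_class="groupofnames")))
    print(simple_bind("jjasmin@prod.datasource.com", "placeholder-pw-1"))
    print(simple_bind(f"uid=jjasmin,{BASE}", "placeholder-pw-1"))
```

Running it shows jjasmin mapped to hive_users and ranger_admins and svc_etl (one OU deeper, found because the scope is sub) to hive_users; the same parameters with Group Object Class groupofnames yield empty group lists, and the bind succeeds for the UPN form but not for a uid-based DN. The real-world counterpart of these checks is an ldapsearch with the bind user against the search base, run before the values go into Ranger or Hive, so that a schema mismatch is found in the directory rather than in a failed beeline login.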