Sentry pre-loading user groups from LDAP/Active Directory

We currently use SSSD on all of our boxes to provide groups information about users on our secure cluster. It fetches users' groups from an Active Directory/LDAP server which is far away and so slow. I can cache the results for some time but that still results in an initial slow request the first time, and we of course have lots of machines. SSSD doesn't share its cache with other SSSD systems.

I have heard that it is possible for Sentry to connect to AD and read all the user groups in an LDAP domain. I could then use this information in authorization requests instead of SSSD.

However I can't find any documentation for this.

Is this a valid deployment option? What do I need to read to get Sentry to pre-load an AD domain? Does it filter on users who are in a specific group or does it fetch everything?

Thanks!

Alex