
Setting up LDAP/AD in Knox

Super Collaborator

Hi,

I have a problem with configuring LDAP/AD with Knox. The DEMO LDAP works great for both the sandbox and my own cluster. I am configuring the LDAP connection using this document: Setting Up LDAP Authentication. I configured main.ldapRealm.userDnTemplate and main.ldapRealm.contextFactory.url. I tried both classes in main.ldapRealm (KnoxLdapRealm and Jndi...). I am using Ambari to make changes. The versions I use are: sandbox 2.4.0 and my cluster 2.3.2. When I configure my LDAP, Knox keeps saying that I am unauthorized (401). The credentials are correct because I can use them to log in to beeline, which is also configured with LDAP + AD.

Do I need to change Advanced users-ldif section in Ambari as well?

Thank you in advance.

1 ACCEPTED SOLUTION


If your users belong to different branches of the LDAP directory you'll need to use Advanced LDAP Authentication in the Knox topology. Review the linked doc to understand the limitations of userDnTemplate, and refer to the "Example provider config" section to understand the additional properties available.

There should be log messages in gateway.log corresponding to the 401. Those might provide more insight into the reason for the error, so please provide them if possible.


3 REPLIES 3


Super Collaborator

Thank you very much @Alex Miller for your quick response. According to doc that you linked and log I found out that I had misconfigured userDnTemplate.

I have another problem. In my AD/LDAP I am using sAMAccountName to identify the user, so I need to type at the beginning of userDnTemplate something like sAMAccountName={0},ou=... and so on, but it does not recognize users. I can't use cn={0} because as a cn I use two separate words, so it will not work. I don't use uid, and I am not an AD admin, so I cannot add or edit anything.

Super Collaborator

I found the solution. If anyone else is facing the same problem, review this link and use @bsaini topology. Thanks!
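For readers hitting the same sAMAccountName problem, here is an added example (not the topology linked in the thread, and not from the Knox project) of the "Advanced LDAP Authentication" style ShiroProvider section that replaces userDnTemplate with a lookup by sAMAccountName. The host, base DNs and service-account name are hypothetical placeholders; the class names and param names are the ones Knox documents for the KnoxLdapRealm of that HDP 2.3/2.4 era.

```xml
<!-- ShiroProvider section of a Knox topology (e.g. default.xml).
     All ad.example.com / dc=example,dc=com values are placeholders. -->
<provider>
    <role>authentication</role>
    <name>ShiroProvider</name>
    <enabled>true</enabled>
    <param><name>sessionTimeout</name><value>30</value></param>
    <param><name>main.ldapRealm</name>
           <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value></param>
    <param><name>main.ldapContextFactory</name>
           <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value></param>
    <param><name>main.ldapRealm.contextFactory</name>
           <value>$ldapContextFactory</value></param>
    <param><name>main.ldapRealm.contextFactory.url</name>
           <value>ldap://ad.example.com:389</value></param>

    <!-- What fails: main.ldapRealm.userDnTemplate = sAMAccountName={0},ou=Users,dc=example,dc=com
         AD builds user DNs from cn, so that template never produces a DN that can bind,
         and every login ends as 401. Leave userDnTemplate out entirely. -->

    <!-- What works: Knox binds as a read-only service account, searches the
         user by sAMAccountName under searchBase, then binds as the DN it found
         with the password the user supplied. -->
    <param><name>main.ldapRealm.contextFactory.systemUsername</name>
           <value>cn=knox-ldap-reader,ou=ServiceAccounts,dc=example,dc=com</value></param>
    <!-- Password comes from the Knox credential store, not cleartext in the topology. -->
    <param><name>main.ldapRealm.contextFactory.systemPassword</name>
           <value>${ALIAS=ldcSystemPassword}</value></param>
    <param><name>main.ldapRealm.searchBase</name>
           <value>ou=Users,dc=example,dc=com</value></param>
    <param><name>main.ldapRealm.userSearchAttributeName</name>
           <value>sAMAccountName</value></param>
    <param><name>main.ldapRealm.userObjectClass</name>
           <value>person</value></param>
    <param><name>main.ldapRealm.contextFactory.authenticationMechanism</name>
           <value>simple</value></param>
    <param><name>urls./**</name><value>authcBasic</value></param>
</provider>
```

Create the alias once with `bin/knoxcli.sh create-alias ldcSystemPassword --cluster default --value '<service-account-password>'` (substituting your topology name for `default`), and use a service account that has read access to the user subtree only, since its credentials are what Knox presents to AD on every login.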