
I'm currently trying to set up an LDAP configuration for logging in to Cloudera Manager, but I'm having some difficulties getting it to work.

Context: LDAP users are defined by a specific objectClass that extends Person. A DN looks like myCorporateCode=xxx,cn=users,dc=example,dc=com, and the cn attribute provided by the Person objectClass is initialized with the same value as myCorporateCode. LDAP user "groups" are also defined by a specific objectClass, but it doesn't extend any objectClass other than top. It doesn't have any cn attribute, and the DN looks like myFunctionCode=yyy,cn=functions, dc=example,dc=com.

An LDAP user also has a DN-valued attribute userFunctions listing all the "functions" (or "groups") the user belongs to. And an LDAP "group" (or function) has a DN-valued attribute functionUsers listing the DNs of all the users belonging to this group (or having this function).

Example:

LDAP User
DN:  myCorporateCode=xxx,cn=users,dc=example,dc=com
myCorporateCode: xxx
cn: xxx
userFunctions: myFunctionCode=yyy,cn=functions, dc=example,dc=com

LDAP Function
DN: myFunctionCode=yyy,cn=functions, dc=example,dc=com
myFunctionCode: yyy
functionUsers: myCorporateCode=xxx,cn=users,dc=example,dc=com

Of course, the LDAP schema can't be changed.

Well, when I try to configure Cloudera Manager to handle authentication and authorization through my corporate LDAP, I can't make it work, as I can't specify which attribute it has to consider.

I think that's the problem, as the LDAP logs show me this kind of entry:

Wed Oct  7 07:45:13 2015 Search: 
connid = D564, base = cn=functions,dc=example,dc=com, 
filter = (myFunctionCode=FBGCLMTEST2*), scope = 2, 
attrs = cn objectClass javaSerializedData javaClassName javaFactory javaCodeBase javaReferenceAddress javaClassNames javaRemoteLocation, 
IP = x.x.x.x, searchFlags = 0

with no result in the application (the function is reachable with the same request using ldapsearch).

I have the same behaviour with user authentication, but as the user has a cn attribute initialized with the myCorporateCode value, the authentication works.

So, is there a way to tell Cloudera Manager that it has to consider specific attributes, and not the cn attribute, in its LDAP search, as Hue does? I have the same problem with Cloudera Navigator, by the way...

Thanks!

1 Answer

According to Cloudera, there's no way to do this: "To identify the group, Cloudera Manager and Navigator use the Common Name." It can't be clearer...

Anyway, Cloudera gives a solution based on a script that is executed as a gateway between Cloudera Manager/Navigator and the LDAP/Active Directory: http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cm_sg_external_auth.html#cmug_topic_13_9_3_unique_1
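The core of such a gateway script is resolving membership from the custom schema's DN-valued links (userFunctions / functionUsers) instead of cn. The following is an added example, not Cloudera's script or anything from the original thread: it works on constructed in-memory entries copied from the question (no live LDAP connection), normalizes the DNs so the stray space in "cn=functions, dc=example,dc=com" does not break comparison, and only accepts a membership when the forward link on the user and the back link on the function agree, so a one-sided or stale reference does not grant access. The function names and the extra "zzz" entry are assumptions for illustration.

```python
# Constructed sample directory modelled on the question's entries (not real data).
# Keys are entry DNs; values are attribute -> list of values, as LDAP returns them.
SAMPLE_ENTRIES = {
    "myCorporateCode=xxx,cn=users,dc=example,dc=com": {
        "myCorporateCode": ["xxx"],
        "cn": ["xxx"],
        "userFunctions": [
            "myFunctionCode=yyy,cn=functions, dc=example,dc=com",
            "myFunctionCode=zzz,cn=functions,dc=example,dc=com",  # assumed: no back link
        ],
    },
    "myFunctionCode=yyy,cn=functions,dc=example,dc=com": {
        "myFunctionCode": ["yyy"],
        "functionUsers": ["myCorporateCode=xxx,cn=users,dc=example,dc=com"],
    },
    "myFunctionCode=zzz,cn=functions,dc=example,dc=com": {
        "myFunctionCode": ["zzz"],
        "functionUsers": [],  # forward link exists on the user, back link missing
    },
}


def normalize_dn(dn):
    """Canonical form for comparing DNs: strip whitespace around each RDN and
    lower-case the attribute types. Simplified: values are kept verbatim and
    escaped commas inside values are not handled (RFC 4514/4518 cover those)."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(rdns)


def user_functions(directory, user_dn):
    """Return the myFunctionCode values the user is a confirmed member of.
    A function counts only if the user's userFunctions points at it AND the
    function's functionUsers points back, so the check fails closed."""
    by_dn = {normalize_dn(dn): attrs for dn, attrs in directory.items()}
    user_key = normalize_dn(user_dn)
    user = by_dn.get(user_key)
    if user is None:
        return []
    codes = []
    for fn_dn in user.get("userFunctions", []):
        fn = by_dn.get(normalize_dn(fn_dn))
        if fn is None:
            continue  # dangling reference: ignore rather than trust it
        back_links = {normalize_dn(d) for d in fn.get("functionUsers", [])}
        if user_key in back_links:
            codes.extend(fn.get("myFunctionCode", []))
    return codes
```

In a real gateway script the same logic would run against the directory's actual entries for the authenticated user, and the resulting function codes would then be mapped to the role that the linked Cloudera documentation expects the script to report.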