I'm currently trying to set up an LDAP configuration to enter into Cloudera Manager, but I'm facing some difficulties getting there.
Context: LDAP users are defined by a specific objectClass that extends Person. A DN looks like myCorporateCode=xxx,cn=users,dc=example,dc=com, and the cn attribute given by the Person objectClass is initialized with the same value as myCorporateCode. LDAP user "groups" are also defined by a specific objectClass, but it doesn't extend any objectClass other than top. It doesn't have any cn attribute, and the DN looks like myFunctionCode=yyy,cn=functions, dc=example,dc=com.
An LDAP user also has a DN attribute userFunctions to list all the "functions" (or "groups") the user belongs to. And an LDAP "group" (or function) has a DN attribute functionUsers to list the DNs of all the users belonging to this group (or having this function).
Example:
LDAP User
DN: myCorporateCode=xxx,cn=users,dc=example,dc=com
myCorporateCode: xxx
cn: xxx
userFunctions: myFunctionCode=yyy,cn=functions, dc=example,dc=com
LDAP Function
DN: myFunctionCode=yyy,cn=functions, dc=example,dc=com
myFunctionCode: yyy
functionUsers: myCorporateCode=xxx,cn=users,dc=example,dc=com
Of course, the LDAP schema can't be changed.
Well, when I try to configure Cloudera Manager to manage authentication and authorization through my corporate LDAP, as I can't specify which attribute it has to consider, I can't make it work.
I think that's the problem, as the LDAP logs show me this kind of entry:
Wed Oct 7 07:45:13 2015 Search:
connid = D564, base = cn=functions,dc=example,dc=com,
filter = (myFunctionCode=FBGCLMTEST2*), scope = 2,
attrs = cn objectClass javaSerializedData javaClassName javaFactory javaCodeBase javaReferenceAddress javaClassNames javaRemoteLocation,
IP = x.x.x.x, searchFlags = 0
with no result in the app (the function is reachable by such a request with ldapsearch).
I have the same behaviour with user authentication, but as it has a cn attribute initialized with the myCorporateCode value, the authentication works.
So, is there a way to tell Cloudera Manager that it has to consider specific attributes and not the cn attribute in its LDAP search, as Hue does? I have the same problem with Cloudera Navigator, by the way...
Thanks!
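An added example, not part of the original post and not Cloudera code: it parses the search record quoted above and checks it against a constructed "function" entry shaped like the one described, showing that the entry matches the filter while the requested attribute list yields no cn. The entry's objectClass value `myFunction` and all function names are hypothetical, and that the application depends on cn is the post's hypothesis, not a confirmed behaviour.

```python
import re

# The search record from the post, kept as logged.
LOG = """Wed Oct 7 07:45:13 2015 Search:
connid = D564, base = cn=functions,dc=example,dc=com,
filter = (myFunctionCode=FBGCLMTEST2*), scope = 2,
attrs = cn objectClass javaSerializedData javaClassName javaFactory javaCodeBase javaReferenceAddress javaClassNames javaRemoteLocation,
IP = x.x.x.x, searchFlags = 0"""

# Constructed entry shaped like the post's "function" objects (no cn attribute).
ENTRY = {
    "dn": "myFunctionCode=FBGCLMTEST2,cn=functions,dc=example,dc=com",
    "objectClass": ["top", "myFunction"],  # "myFunction" is a hypothetical name
    "myFunctionCode": ["FBGCLMTEST2"],
    "functionUsers": ["myCorporateCode=xxx,cn=users,dc=example,dc=com"],
}

def parse_search(record):
    """Extract base, filter, scope and requested attributes from one record."""
    flat = " ".join(record.split())
    base = re.search(r"base = (.+?), filter =", flat).group(1)
    flt = re.search(r"filter = (\(.+?\)), scope =", flat).group(1)
    scope = int(re.search(r"scope = (\d+)", flat).group(1))
    attrs = re.search(r"attrs = (.+?), IP =", flat).group(1).split()
    return {"base": base, "filter": flt, "scope": scope, "attrs": attrs}

def matches(entry, flt):
    """Evaluate a single (attr=value) filter with an optional trailing '*'."""
    attr, value = flt.strip("()").split("=", 1)
    values = next((v for k, v in entry.items()
                   if k != "dn" and k.lower() == attr.lower()), [])
    if value.endswith("*"):
        return any(v.lower().startswith(value[:-1].lower()) for v in values)
    return any(v.lower() == value.lower() for v in values)

def returned_attrs(entry, requested):
    """Requested attributes that actually exist on the entry."""
    have = {k.lower(): k for k in entry if k != "dn"}
    return [have[a.lower()] for a in requested if a.lower() in have]

def diagnose(record, entry):
    """Report whether the entry matches and which requested attributes come back."""
    search = parse_search(record)
    hit = matches(entry, search["filter"])
    got = returned_attrs(entry, search["attrs"]) if hit else []
    return {"entry_matches": hit, "returned": got, "cn_returned": "cn" in got}

if __name__ == "__main__":
    print(diagnose(LOG, ENTRY))
```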