LDAP group provider#
SEP can be configured to map user names to groups using an LDAP server.
Configuration#
To enable LDAP group mapping for SEP, configuration changes are made on the coordinator. No changes are required to the worker configuration.
Environment configuration#
The LDAP server should use SSL, for details on how to set it up see the LDAP documentation.
LDAP group provider configuration#
Group provider needs to be configured to use LDAP. Create an
etc/group-provider.properties
file on the coordinator. Example:
group-provider.name=ldap
ldap.ssl=true
ldap.ssl.keystore.path=PATH_TO_KEYSTORE
ldap.ssl.keystore.password-file=KEYSTORE_PASSWORD_FILE
ldap.url=ldaps://ldap-server:636
ldap.user=cn=admin,dc=presto,dc=testldap,dc=com
ldap.password=admin
ldap.search-base=dc=presto,dc=testldap,dc=com
ldap.group.search-filter=(objectClass=groupOfNames)
ldap.group.member-attribute=member
ldap.group.name-attribute=cn
ldap.user.member-of-attribute=memberOf
ldap.user.search-filter=(&(objectClass=inetOrgPerson)(uid={0}))
ldap.cache-ttl=10s
ldap.negative-cache-ttl=30s
Property name |
Description |
---|---|
|
Enable TLS/SSL encryption for the connection to the LDAP server. The
certificate of the LDAP server needs to be a globally trusted certificate,
and therefore accepted by the JVM running SEP or added to the JVM
truststore in the |
|
Path to the keystore with the SSL certificate. |
|
Keystore password. |
|
Path to the file containing the keystore password. |
|
The URL to the LDAP server. |
|
This property can be used to specify the LDAP user bind string for group resolution. |
|
Password used to connect to LDAP server. |
|
Which subtree of the LDAP hierarchy to query. |
|
Filter used to find group objects. |
|
Attribute of a group object containing it’s members. |
|
Attribute of a group object containing it’s name. |
|
How many levels of the group hierarchy to traverse. |
|
Attribute of a user object containing it’s group memberships. If set, the
group names are resolved from the attribute of the user object. No LDAP
group search is performed and |
|
Filter used to find user objects. |
|
Timeout for directory search operations. |
|
Timeout for establishing an LDAP connection. |
|
Timeout for reading data from an LDAP connection. |
|
Duration of caching user group lookups. |
|
Duration of caching user not found results. |
|
A comma-separated list of Hadoop XML config files, useful if Hadoop was already configured to use LDAP groups. |
Based on the LDAP server implementation type, the properties can be set as described below.
Active Directory#
ldap.user=<service user>@<domain_name_of_the_server>
ldap.password=<sevice user password>
ldap.user.search-filter=(&(objectClass=<objectclass_of_user>)(sAMAccountName={0}))
Example:
ldap.user=admin@corp.example.com
ldap.password=password
ldap.user.search-filter=(&(objectClass=person)(sAMAccountName={0}))
OpenLDAP#
ldap.user=cn=<service user>,<distinguished_name_of_the_user>
ldap.password=<sevice user password>
ldap.user.search-filter=(&(objectClass=<objectclass_of_user>)(uid={0}))
Example:
ldap.user=cn=admin,OU=America,DC=corp,DC=example,DC=com
ldap.password=password
ldap.user.search-filter=(&(objectClass=inetOrgPerson)(uid={0}))
The LDAP group provider implementation first tries to use the user object attribute
provided by ldap.user.member-of-attribute
. Typically it’s value is
memberOf
. It’s used to resolve group names from the attribute directly. No
LDAP search for groups is performed. As a result ldap.group.search-filter
is ignored.
If ldap.user.member-of-attribute
isn’t configured, the provider performs an
LDAP Search to find groups, which the user is member of, by applying
ldap.group.search-filter
. For each found group, the system traverses up in
the group objects hierarchy and include the parent group names to the returned
set. Traversing is performed up to number of levels configured by
ldap.group.hierarchy-level
.
This means OpenLDAP query latency can be reduced by enabling the
ldap.user.member-of-attribute
overlay to avoid the additional
group search. However you can’t set ldap.group.search-filter
. Active
Directory servers typically have this attribute enabled.
Troubleshooting#
Consult the LDAP documentation for tips on troubleshooting.