LDAP group provider#
SEP can be configured to map user names to groups using an LDAP server.
Configuration#
To enable LDAP group mapping for SEP, configuration changes are made on the coordinator. No changes are required to the worker configuration.
Environment configuration#
The LDAP server should use TLS/SSL (an ldaps:// URL). For details on setting it up, see the LDAP documentation.
LDAP group provider configuration#
The group provider needs to be configured to use LDAP. Create an etc/group-provider.properties file on the coordinator. Note that the file holds the LDAP bind password in clear text, so restrict its permissions to the account SEP runs as, and bind with a read-only service account rather than a directory administrator; the cn=admin / admin values in the example below are placeholders. Example:
group-provider.name=ldap
ldap.ssl=true
ldap.ssl.keystore.path=PATH_TO_KEYSTORE
ldap.ssl.keystore.password-file=KEYSTORE_PASSWORD_FILE
ldap.url=ldaps://ldap-server:636
ldap.user=cn=admin,dc=presto,dc=testldap,dc=com
ldap.password=admin
ldap.search-base=dc=presto,dc=testldap,dc=com
ldap.group.search-filter=(objectClass=groupOfNames)
ldap.group.member-attribute=member
ldap.group.name-attribute=cn
ldap.user.member-of-attribute=memberOf
ldap.user.search-filter=(&(objectClass=inetOrgPerson)(uid={0}))
ldap.cache-ttl=10s
ldap.negative-cache-ttl=30s
Property | Description |
---|---|
ldap.ssl | Enable TLS/SSL encryption for the connection to the LDAP server. The certificate of the LDAP server needs to be a globally trusted certificate, and therefore accepted by the JVM running SEP, or added to the JVM truststore in the |
ldap.ssl.keystore.path | Path to the keystore with the SSL certificate. |
 | Keystore password. |
ldap.ssl.keystore.password-file | Path to the file containing the keystore password. |
ldap.url | The URL of the LDAP server, for example ldaps://ldap-server:636. |
ldap.user | The LDAP bind string (a DN, or user@domain for Active Directory) of the service user used for group resolution. |
ldap.password | Password used to bind to the LDAP server as ldap.user. It is stored in clear text, so protect the properties file. |
ldap.search-base | Which subtree of the LDAP hierarchy to query. |
ldap.group.search-filter | Filter used to find group objects. |
ldap.group.member-attribute | Attribute of a group object containing its members. |
ldap.group.name-attribute | Attribute of a group object containing its name. |
 | How many levels of the group hierarchy to traverse. |
ldap.user.member-of-attribute | Attribute of a user object containing its group memberships. |
ldap.user.search-filter | Filter used to find user objects. The placeholder {0} is replaced with the user name being resolved. |
 | Timeout for directory search operations. |
 | Timeout for establishing an LDAP connection. |
 | Timeout for reading data from an LDAP connection. |
ldap.cache-ttl | How long a user's resolved groups are cached. |
ldap.negative-cache-ttl | How long a user-not-found result is cached. |
 | A comma-separated list of Hadoop XML config files, useful if Hadoop was already configured to use LDAP groups. |
Depending on the LDAP server implementation, set the bind and user-search properties as described below.
Active Directory#
ldap.user=<service user>@<domain_name_of_the_server>
ldap.password=<service user password>
ldap.user.search-filter=(&(objectClass=<objectclass_of_user>)(sAMAccountName={0}))
Example:
ldap.user=admin@corp.example.com
ldap.password=password
ldap.user.search-filter=(&(objectClass=person)(sAMAccountName={0}))
OpenLDAP#
ldap.user=cn=<service user>,<parent DN of the service user entry>
ldap.password=<service user password>
ldap.user.search-filter=(&(objectClass=<objectclass_of_user>)(uid={0}))
Example:
ldap.user=cn=admin,OU=America,DC=corp,DC=example,DC=com
ldap.password=password
ldap.user.search-filter=(&(objectClass=inetOrgPerson)(uid={0}))
The LDAP group provider implementation first tries to read the memberOf attribute of the user object to get the set of groups. If that attribute is not available, it traverses the hierarchy of group objects, checking whether the user is a member of each one of them. This means OpenLDAP query latency can be reduced by enabling the memberOf overlay. Active Directory servers typically have this attribute enabled.
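The resolution strategy described above, together with the filter and attribute properties from the configuration section, reproduced as an added example that is not SEP's own code. It runs against a constructed in-memory directory (the two users and two groups, and the names DIRECTORY, search, find_user_dns and resolve_groups, are assumptions made for the illustration) so the configured filters, the memberOf shortcut and the nested-group traversal depth can be exercised offline before pointing SEP at a real server. The value substituted for {0} is escaped per RFC 4515; the last two calls in the block show why any tooling that builds such filters from user input must do the same.

```python
"""Added example (not SEP's code): a stand-in for the LDAP group provider's
lookup strategy, run against a constructed in-memory directory so the
configured filters and attributes can be checked offline."""
import re

# Property values copied from the example etc/group-provider.properties above.
CONFIG = {
    "ldap.search-base": "dc=presto,dc=testldap,dc=com",
    "ldap.group.search-filter": "(objectClass=groupOfNames)",
    "ldap.group.member-attribute": "member",
    "ldap.group.name-attribute": "cn",
    "ldap.user.member-of-attribute": "memberOf",
    "ldap.user.search-filter": "(&(objectClass=inetOrgPerson)(uid={0}))",
}

# Constructed sample directory (DN -> multi-valued attributes), not real data.
ALICE = "uid=alice,ou=people,dc=presto,dc=testldap,dc=com"
BOB = "uid=bob,ou=people,dc=presto,dc=testldap,dc=com"
ANALYSTS = "cn=analysts,ou=groups,dc=presto,dc=testldap,dc=com"
STAFF = "cn=staff,ou=groups,dc=presto,dc=testldap,dc=com"
DIRECTORY = {
    # alice has memberOf populated (direct groups only, as the overlay/AD provide it)
    ALICE: {"objectClass": ["inetOrgPerson"], "uid": ["alice"], "memberOf": [ANALYSTS]},
    # bob has no memberOf attribute: membership must be found by walking the groups
    BOB: {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    ANALYSTS: {"objectClass": ["groupOfNames"], "cn": ["analysts"], "member": [ALICE, BOB]},
    STAFF: {"objectClass": ["groupOfNames"], "cn": ["staff"], "member": [ANALYSTS]},  # nested
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter (the {0} substitution)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def _children(body):
    """Split "(a=b)(c=d)" into its top-level parenthesised terms."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            depth, start = depth + 1, (i if depth == 0 else start)
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    return parts


def matches(attrs, filt):
    """Evaluate a minimal LDAP filter: (&...), (|...), (attr=value), (attr=*)."""
    inner = filt[1:-1]
    if inner[0] in "&|":
        results = [matches(attrs, c) for c in _children(inner[1:])]
        return all(results) if inner[0] == "&" else any(results)
    attr, _, value = inner.partition("=")
    values = attrs.get(attr, [])
    if value == "*":  # presence test: this is what an unescaped '*' turns into
        return bool(values)
    literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return literal in values


def search(base, filt, directory=DIRECTORY):
    """Subtree search under base, like the provider's queries below ldap.search-base."""
    suffix = "," + base.lower()
    return [dn for dn, attrs in directory.items()
            if dn.lower().endswith(suffix) and matches(attrs, filt)]


def find_user_dns(username, cfg=CONFIG, escape=True):
    """Apply ldap.user.search-filter with {0} replaced by the (escaped) user name."""
    value = escape_filter_value(username) if escape else username
    return search(cfg["ldap.search-base"], cfg["ldap.user.search-filter"].replace("{0}", value))


def resolve_groups(username, cfg=CONFIG, max_depth=2, escape=True):
    """memberOf first; otherwise walk group objects up to max_depth nesting levels."""
    users = find_user_dns(username, cfg, escape)
    if len(users) != 1:
        return None  # unknown or ambiguous user: treat as no groups, never as a guess
    user_dn = users[0]
    name_attr = cfg["ldap.group.name-attribute"]
    member_of = DIRECTORY[user_dn].get(cfg["ldap.user.member-of-attribute"])
    if member_of:
        return {DIRECTORY[g][name_attr][0] for g in member_of}
    groups, frontier = set(), {user_dn}
    for _ in range(max_depth):
        parents = {g for g in search(cfg["ldap.search-base"], cfg["ldap.group.search-filter"])
                   if set(DIRECTORY[g].get(cfg["ldap.group.member-attribute"], [])) & frontier}
        parents -= groups
        if not parents:
            break
        groups |= parents
        frontier = parents
    return {DIRECTORY[g][name_attr][0] for g in groups}


if __name__ == "__main__":
    print("alice via memberOf:", resolve_groups("alice"))             # {'analysts'}
    print("bob via traversal, depth 2:", resolve_groups("bob"))        # {'analysts', 'staff'}
    print("bob via traversal, depth 1:", resolve_groups("bob", max_depth=1))  # {'analysts'}
    print("unescaped '*' matches:", find_user_dns("*", escape=False))  # both users
    print("escaped '*' matches:", find_user_dns("*"))                  # []
```

Two things the run shows that the prose does not: alice's memberOf lists only her direct group, so nested groups such as staff are only reached through traversal, and traversal depth caps how far that goes; and an unescaped user name of `*` turns the user filter into a presence test that matches every user, which the escaping prevents.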
Troubleshooting#
Consult the LDAP documentation for tips on troubleshooting.