LDAP group provider

SEP can be configured to map user names to groups using an LDAP server.

Configuration

To enable LDAP group mapping for SEP, configuration changes are made on the coordinator. No changes are required to the worker configuration.

Environment configuration

The LDAP server should use SSL. For details on how to set it up, see the LDAP documentation.

LDAP group provider configuration

Use the LDAP group provider to store and fetch user group memberships for SEP. This lets you assign BIAC roles to groups.

Note

The ldap.group-auth-pattern property differs from the LDAP group provider in that ldap.group-auth-pattern is used exclusively during login. For more information, see LDAP authentication.

The group provider needs to be configured to use LDAP. Create an etc/group-provider.properties file on the coordinator. Example:

group-provider.name=ldap
ldap.ssl=true
ldap.ssl.keystore.path=PATH_TO_KEYSTORE
ldap.ssl.keystore.password-file=KEYSTORE_PASSWORD_FILE
ldap.url=ldaps://ldap-server:636
ldap.user=cn=admin,dc=presto,dc=testldap,dc=com
ldap.password=admin
ldap.search-base=dc=presto,dc=testldap,dc=com
ldap.group.search-filter=(objectClass=groupOfNames)
ldap.group.member-attribute=member
ldap.group.name-attribute=cn
ldap.user.member-of-attribute=memberOf
ldap.user.search-filter=(&(objectClass=inetOrgPerson)(uid={0}))
ldap.cache.ttl=10s

Property name and description:

ldap.ssl
    Enable TLS/SSL encryption for the connection to the LDAP server. The certificate of the LDAP server must be trusted by the JVM running SEP: either it is issued by a globally trusted CA, or it is added to the JVM truststore in the cacerts file.

ldap.ssl.keystore.path
    Path to the keystore with the SSL certificate.

ldap.ssl.keystore.password
    Keystore password.

ldap.ssl.keystore.password-file
    Path to the file containing the keystore password.

ldap.url
    The URL of the LDAP server.

ldap.user
    The LDAP bind string of the user account used for group resolution.

ldap.password
    Password used to connect to the LDAP server.

ldap.search-base
    Which subtree of the LDAP hierarchy to query. Users often set ldap.search-base to the same value as ldap.user-base-dn to ensure consistency, as both user and group searches use the same base distinguished name. For more information, see LDAP authentication.

ldap.group.search-filter
    Filter used to find group objects.

ldap.group.member-attribute
    Attribute of a group object containing its members.

ldap.group.name-attribute
    Attribute of a group object containing its name.

ldap.group.hierarchy-level
    How many levels of the group hierarchy to traverse.

ldap.user.member-of-attribute
    Attribute of a user object containing its group memberships. If set, the group names are resolved from this attribute of the user object. No LDAP group search is performed and ldap.group.search-filter is ignored.

ldap.user.search-filter
    Filter used to find user objects.

ldap.timeout.directory-search
    Timeout for directory search operations.

ldap.timeout.connection
    Timeout for establishing an LDAP connection.

ldap.timeout.read
    Timeout for reading data from an LDAP connection.

ldap.cache.enabled
    Enables caching of user group lookups. Defaults to true.

ldap.cache.ttl
    Duration for which user group lookups are cached.

ldap.cache.maximum-size
    Maximum number of entries in the per-user group cache.

ldap.config.resources
    A comma-separated list of Hadoop XML config files, useful if Hadoop was already configured to use LDAP groups.

Depending on the LDAP server implementation, set the properties as described below.

Active Directory

ldap.user=<service user>@<domain_name_of_the_server>
ldap.password=<service user password>
ldap.user.search-filter=(&(objectClass=<objectclass_of_user>)(sAMAccountName={0}))

Example:

ldap.user=admin@corp.example.com
ldap.password=password
ldap.user.search-filter=(&(objectClass=person)(sAMAccountName={0}))

OpenLDAP

ldap.user=cn=<service user>,<distinguished_name_of_the_user>
ldap.password=<service user password>
ldap.user.search-filter=(&(objectClass=<objectclass_of_user>)(uid={0}))

Example:

ldap.user=cn=admin,OU=America,DC=corp,DC=example,DC=com
ldap.password=password
ldap.user.search-filter=(&(objectClass=inetOrgPerson)(uid={0}))

The LDAP group provider implementation first tries to use the user object attribute named by ldap.user.member-of-attribute. Typically its value is memberOf. The group names are resolved directly from that attribute, so no LDAP search for groups is performed and, as a result, ldap.group.search-filter is ignored.

If ldap.user.member-of-attribute isn't configured, the provider performs an LDAP search to find the groups the user is a member of, by applying ldap.group.search-filter. For each group found, the provider traverses up the group object hierarchy and adds the parent group names to the returned set. Traversal continues up to the number of levels configured by ldap.group.hierarchy-level.

This means OpenLDAP query latency can be reduced by enabling the memberOf overlay and setting ldap.user.member-of-attribute, which avoids the additional group search. However, you then can't use ldap.group.search-filter. Active Directory servers typically have this attribute enabled.
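The two resolution paths described above, modelled as an added example that is not SEP's own code: the LDAP server is replaced by a constructed in-memory directory (DN to attributes), and the filters and attribute names are those from the OpenLDAP configuration on this page. The meaning of hierarchy_level (0 = direct groups only, each further level adds one layer of parent groups) is an assumption, since the page does not define how levels are counted.

```python
# Constructed in-memory directory standing in for the LDAP server.
# Group nesting: staff > finance > analysts > {alice, bob}; bob has no memberOf.
PEOPLE, GROUPS = "ou=people,dc=example,dc=com", "ou=groups,dc=example,dc=com"
DIRECTORY = {
    f"uid=alice,{PEOPLE}": {"objectClass": ["inetOrgPerson"], "uid": ["alice"],
                            "memberOf": [f"cn=analysts,{GROUPS}"]},
    f"uid=bob,{PEOPLE}": {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    f"cn=analysts,{GROUPS}": {"objectClass": ["groupOfNames"], "cn": ["analysts"],
                              "member": [f"uid=alice,{PEOPLE}", f"uid=bob,{PEOPLE}"]},
    f"cn=finance,{GROUPS}": {"objectClass": ["groupOfNames"], "cn": ["finance"],
                             "member": [f"cn=analysts,{GROUPS}"]},
    f"cn=staff,{GROUPS}": {"objectClass": ["groupOfNames"], "cn": ["staff"],
                           "member": [f"cn=finance,{GROUPS}"]},
}

def find_user_dn(username):
    """ldap.user.search-filter=(&(objectClass=inetOrgPerson)(uid={0}))."""
    for dn, a in DIRECTORY.items():
        if "inetOrgPerson" in a.get("objectClass", []) and username in a.get("uid", []):
            return dn
    return None  # unknown user: nothing to resolve

def group_name(group_dn):
    """ldap.group.name-attribute=cn (falls back to the DN if the entry is unknown)."""
    return DIRECTORY.get(group_dn, {}).get("cn", [group_dn])[0]

def groups_containing(dn):
    """ldap.group.search-filter=(objectClass=groupOfNames), restricted to groups
    whose ldap.group.member-attribute (member) lists the given DN."""
    return [g for g, a in DIRECTORY.items()
            if "groupOfNames" in a.get("objectClass", []) and dn in a.get("member", [])]

def resolve_groups(username, member_of_attr=None, hierarchy_level=1):
    """Path 1: member_of_attr configured -> read the user entry, no group search.
    Path 2: group search, then add parent groups for hierarchy_level layers
    (assumption: level 0 returns only the groups the user is directly in)."""
    user_dn = find_user_dn(username)
    if user_dn is None:
        return set()
    if member_of_attr:  # ldap.user.member-of-attribute set: search filter is ignored
        return {group_name(dn) for dn in DIRECTORY[user_dn].get(member_of_attr, [])}
    found = set(groups_containing(user_dn))
    frontier = set(found)
    for _ in range(hierarchy_level):
        frontier = {p for g in frontier for p in groups_containing(g)} - found
        found |= frontier
    return {group_name(g) for g in found}
```

Note that bob resolves to no groups on the memberOf path: if the attribute is configured but the server does not populate it (no memberOf overlay on OpenLDAP), memberships are silently lost, which is the failure mode to check for before switching paths.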

Troubleshooting

Consult the LDAP documentation for tips on troubleshooting.