/
Active Directory and LDAP

Active Directory and LDAP

Mar 04, 2025

INFO

The LDAP and Active Directory authenticators available in Datameer X provide remote authentication services for Datameer X users. Administrators can configure Datameer X to use their existing LDAP or Active Directory systems as the authenticator of record allowing for centralized management of user accounts and credentials outside of Datameer X. Users can authenticate with Datameer X using existing credentials which are verified against the remote system on every login. If the remote system no longer sanctions the user, access to Datameer X is denied. This simplifies Datameer X administration and allows end-users to use familiar single sign-on credentials when accessing Datameer.

TIP

For accessing your LDAP service over SSL, see Configuring Secure LDAP (LDAPS).

Users and Groups

Users

INFO

When using the LDAP Authenticator, credentials are authenticated at the time of login directly against the remote service. In order for Datameer X to manage authorization and object permissions, a Datameer X user entity is required to represent the remote user. It useful to think of users being imported into Datameer X from LDAP with the remote server always ensuring that users have valid, active credentials.

When a user is imported into Datameer X, a user entity is created using the remote unique identifier as the Datameer X username and populated with other account details, i.e. the email address.

INFO

If authenticating with Active Directory or LDAP, users executing jobs must be listed in the authenticator. For added security, executing jobs as a users not present in the authenticator is not possible.

Groups

INFO

During import, Datameer X creates groups, based on the groups contained in the LDAP directory. This allows the use of existing LDAP groups for Datameer X access control as the group memberships are mirrored across systems. The users' group memberships and user details are updated on every login to ensure that any changes to authorization policies in LDAP are reflected in every Datameer X session. Since we rely on LDAP groups when the LDAP Authenticator is in use, there is no facility to create groups within Datameer. Datameer X can handle at maximum 500 LDAP groups.

Transforming user names into lowercase characters

Many times an all lowercase username is required for proper Unix group authentication. Instead of needing to change all user names to lowercase characters, Datameer X has the following property file to transform a username into all lowercase before passing it to the hadoop client API(s) to account for this issue:

hadoop.security.auth_to_local=RULE:[1:$1@$0](.*@EC2.INTERNAL)s/(.*)@EC2.INTERNAL/$1/L RULE:[2:$1@$0](.*@EC2.INTERNAL)s/(.*)@EC2.INTERNAL/$1/L DEFAULT

To enable this feature, add the above property file to the custom Hadoop properties.

Apache hadoop.security.auth_to_local documentation. 

Preparing the Authentication

Warning

Make sure you have the superuser mode enabled in the 'live.properties' and have the password handy when configuring the authentication. For that, check if the deployment property 'das.superuser.enabled' is true and have the values for 'das.superuser.username' and 'das.superuser.password' handy.

NOTE: If you are using a custom deploy mode via 'DAS_DEPLOY_MODE' then use the properties file for that mode, live.properties is the default).

# You can set a super user account here that has the ADMIN role. This can be used to login even if # the external authentication service doesn't work das.superuser.enabled=true das.superuser.username=superuser das.superuser.password=password

Configuring an Active Directory and LDAP Authentication

To configure Datameer X to use your LDAP or Active Directory service:

  1. Click on the "Admin" tab and select "Authentication"The page 'Authentication' opens.

     

  2. Click "Edit"The authentication configuration page opens.

     

  3. Select "Remote Authentication System", select "ActiveDirectory/ LDAP" from the drop-down and click "Next".

     

  4. Enter the username and password for the default user.

     

  5. Enter the server URL. 
    INFO: The URL should have the form of 'ldap://server:port'. The port numbers are: LDAP/S - 389/636 or Active Directory - 3268.

     

  6. If needed, select "Use default user" if the server connection should use the default user to connect.

     

  7. If needed, enter the username and password.

     

  8. Enter the search base query.

     

  9. Enter the user definition query.

     

  10. If needed, enter the group definition query.

     

  11. If needed, define the pagination control.

     

  12. If you want to add multiple LDAP server, click "Add server connection"Another 'Server Connection' section opens and can be configured and deleted if non needed furthermore.

     

  13. Enter the username attribute that defines a username and must be unique across all users.

     

  14. Enter the email attribute.

     

  15. If needed, enter the attributes for impersonation and/ or salt.

     

  16. Enter the attribute for group names.

     

  17. If needed, enter further group related attributes as well as group relates fields, e.g. 'Virtual Group'.
    INFO: The checkbox 'Mixed mode' is enabled by default and enables both internal user management as well as SAML. Having this disabled, the internal user management is disabled.

     

  18. If needed, enter group filters to include or exclude groups with regex. 

     

  19. If needed, check the checkbox "Ignore Case" to perform a case sensitive match when filtering group names. 

     

  20. Confirm the configuration with "Save"Configuring Datameer X to use LDAP or Active Directory authentication is finished.