2025-01-17 Update. From: SLTechnology News&Howtos (shulou)
Shulou(Shulou.com)06/01 Report--
Many people who are new to it find configuring authentication against an LDAP-compliant identity service difficult. This article summarizes the causes of the problem and their solutions, and should help you work through it.
Configuring authentication using LDAP in Cloudera Manager
LDAP-compatible identity/directory services such as OpenLDAP provide different options that let Cloudera Manager look up user accounts and groups in the directory:
·Use a single distinguished name (DN) as a base and provide a pattern (distinguished name pattern) to match user names in the directory, or
·Use search filter options, which let you search for a specific user based on broader search criteria. For example, Cloudera Manager users can be members of different groups or organizational units (OUs), so a single pattern cannot find all of them. The search filter option also lets you find all groups to which a user belongs, to help determine whether the user should have login or administrator access.
1)Log in to the Cloudera Manager administration console.
2)Select Administration > Settings.
3)Select External Authentication for the category filter to display settings.
4)For Authentication Backend Order, select the order in which Cloudera Manager should look up authentication credentials for login attempts.
5)For External Authentication Type, select LDAP.
6)In the LDAP URL property, provide the URL of the LDAP server and (optionally) the base distinguished name (DN) (the search base) as part of the URL, for example ldap://ldap-server.corp.com/dc=corp,dc=com.
7)If your server does not allow anonymous binding, provide the user DN and password used to bind to the directory. These are the LDAP Bind User Distinguished Name and LDAP Bind Password properties. By default, Cloudera Manager assumes anonymous binding.
8)Search for users and groups using one of the following methods:
·You can search using the user or group search filters, through the LDAP User Search Base, LDAP User Search Filter, LDAP Group Search Base and LDAP Group Search Filter settings. These let you combine a base DN with a search filter to cover a wider range of search targets.
For example, if you want to authenticate a user who may belong to one of several OUs, the search filter mechanism allows this. You can specify dc=corp,dc=com as the user search base DN and uid={0} as the user search filter. Cloudera Manager then searches for the user anywhere in the tree starting at the base DN. Suppose you have two OUs, ou=Engineering and ou=Operations. Cloudera Manager will find user "foo" if it exists in either of these OUs, that is, as uid=foo,ou=Engineering,dc=corp,dc=com or uid=foo,ou=Operations,dc=corp,dc=com.
You can use a user search filter together with a DN pattern, so that the search filter provides a fallback if the DN pattern search fails.
The group filters let you search to determine whether a DN or user name is a member of a target group. In this case, the filter you provide might look like member={0}, where {0} is replaced with the DN of the user being authenticated. For a filter that requires the user name, you can use {1}, as in memberUid={1}. This returns a list of the groups to which the user belongs, which is compared against the list in the group properties in question.
·Alternatively, specify a base distinguished name (DN) and then provide the pattern in the LDAP Distinguished Name Pattern property.
Use {0} in the pattern to indicate where the username should go. For example, to search for a distinguished name in which the uid attribute is the username, you can provide a pattern like uid={0},ou=People,dc=corp,dc=com. Cloudera Manager substitutes the name provided at login into that pattern and searches for that particular user. Therefore, if a user provides the username "foo" on the Cloudera Manager login page, Cloudera Manager searches for the DN uid=foo,ou=People,dc=corp,dc=com. If you provide a base DN along with the URL, the pattern only needs to specify the rest of the DN. For example, if you provide the URL ldap://ldap-server.corp.com/dc=corp,dc=com and the pattern uid={0},ou=People, the search DN is uid=foo,ou=People,dc=corp,dc=com.
9)Restart Cloudera Manager Server.
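Added example, not Cloudera Manager's own code: a Python model of the {0}/{1} substitution from step 8, showing which DN and filters result for a login name and how names containing DN or filter metacharacters stay literal. The function names are hypothetical, the RFC 4514/4515 escaping is an assumption about what a careful LDAP client applies, and the sample logins are constructed.

```python
# Illustration only: hypothetical helpers; RFC 4514/4515 escaping is assumed.
import re
from urllib.parse import urlparse, unquote

def escape_dn_value(value):
    """RFC 4514: escape a value before placing it inside a DN."""
    out = []
    for i, ch in enumerate(value):
        edge = (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " ")
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;=' or edge:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def escape_filter_value(value):
    """RFC 4515: escape a value before placing it inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def expand(template, values, escape):
    """Replace {n} in one pass so substituted text is never re-scanned."""
    def sub(m):
        i = int(m.group(1))
        return escape(values[i]) if i < len(values) else m.group(0)
    return re.sub(r"\{(\d)\}", sub, template)

def bind_dn(ldap_url, dn_pattern, username):
    """DN pattern mode: fill {0}, then append the base DN carried in the URL."""
    dn = expand(dn_pattern, [username], escape_dn_value)
    base = unquote(urlparse(ldap_url).path.lstrip("/"))
    return dn + "," + base if base else dn

def user_filter(template, username):
    """User search filter mode: {0} is the login name."""
    return expand(template, [username], escape_filter_value)

def group_filter(template, user_dn, username):
    """Group search filter: {0} is the user's DN, {1} is the login name."""
    return expand(template, [user_dn, username], escape_filter_value)

if __name__ == "__main__":
    url = "ldap://ldap-server.corp.com/dc=corp,dc=com"
    for name in ("foo", "smith, j", "j.smith (ops)*"):  # constructed logins
        dn = bind_dn(url, "uid={0},ou=People", name)
        print(dn, "|", user_filter("uid={0}", name))
        print(" ", group_filter("member={0}", dn, name))
        print(" ", group_filter("memberUid={1}", dn, name))
```

Running the same expansion against your own pattern and base DN before the restart in step 9 shows exactly which DN and filters the directory will be asked for.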
Configure Cloudera Manager to use LDAPS
If the LDAP server certificate is signed by a trusted certification authority, steps 1 and 2 below may not be required.
1)Copy the CA certificate file to the Cloudera Manager Server host.
2)Import the CA certificate from the CA certificate file into the local truststore. The default truststore is located in the file $JAVA_HOME/jre/lib/security/cacerts. This contains the default CA information that ships with the JDK. Create an alternate default file, jssecacerts, in the same location as the cacerts file. You can then safely append CA certificates for any private or public CA that is not present in the default cacerts file, while leaving the original file intact. For our example, we follow this recommendation: copy the default cacerts file into the new jssecacerts file, and then import the CA certificate into this alternate truststore.
cp $JAVA_HOME/jre/lib/security/cacerts $JAVA_HOME/jre/lib/security/jssecacerts
/usr/java/latest/bin/keytool -import -alias nt_domain_name -keystore /usr/java/latest/jre/lib/security/jssecacerts -file path_to_CA_cert
Note that the default password for the cacerts store is changeit. The -alias does not always have to be the domain name.
Alternatively, you can use the Java options javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword. Open the /etc/default/cloudera-scm-server file and add the following options:
export CMF_JAVA_OPTS="-Xmx2G -XX:MaxPermSize=256m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp -Djavax.net.ssl.trustStore=/usr/java/default/jre/lib/security/jssecacerts -Djavax.net.ssl.trustStorePassword=changeit"
3)Configure the LDAP URL property to use ldaps://ldap_server instead of ldap://ldap_server.
4)Restart Cloudera Manager Server.
After reading the above, you should know how to configure authentication using an LDAP-compliant identity service.