3. Example Active Directory Configuration

Typically the AD main.ldapRealm.userDnTemplate value looks slightly different from the OpenLDAP one. A value for main.ldapRealm.userDnTemplate is only required if AD authentication requires the full user DN.

Note: If Active Directory allows authentication based on the Common Name (CN) and password only, then no value is required for main.ldapRealm.userDnTemplate.

<provider>
    <role>authentication</role>
    <name>ShiroProvider</name>
    <enabled>true</enabled>

    <!-- Realm and context factory classes -->
    <param>
        <name>main.ldapRealm</name>
        <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
    </param>

    <param>
        <name>main.ldapContextFactory</name>
        <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
    </param>

    <param>
        <name>main.ldapRealm.contextFactory</name>
        <value>$ldapContextFactory</value>
    </param>

    <!-- Connection to the AD server and user bind settings -->
    <param>
        <name>main.ldapRealm.contextFactory.url</name>
        <value>ldap://active-directory-server-ip:389</value>
    </param>

    <param>
        <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
        <value>simple</value>
    </param>

    <param>
        <name>main.ldapRealm.userSearchAttributeName</name>
        <value>sAMAccountName</value>
    </param>

    <param>
        <name>main.ldapRealm.authorizationEnabled</name>
        <value>true</value>
    </param>

    <!-- Service account used to search the directory -->
    <param>
        <name>main.ldapRealm.contextFactory.systemUsername</name>
        <value>distinguishedName of LDAP service account</value>
    </param>

    <param>
        <name>main.ldapRealm.contextFactory.systemPassword</name>
        <value>hadoop</value>
    </param>

    <param>
        <name>main.ldapRealm.contextFactory.systemAuthenticationMechanism</name>
        <value>simple</value>
    </param>

    <!-- User and group lookup -->
    <param>
        <name>main.ldapRealm.userObjectClass</name>
        <value>person</value>
    </param>

    <param>
        <name>main.ldapRealm.searchBase</name>
        <value>Place In AD Tree to Begin Search – e.g. dc=hadoop,dc=apache,dc=org</value>
    </param>

    <param>
        <name>main.ldapRealm.groupObjectClass</name>
        <value>group</value>
    </param>

    <param>
        <name>main.ldapRealm.memberAttribute</name>
        <value>memberOf</value>
    </param>

    <param>
        <name>main.ldapRealm.memberAttributeValueTemplate</name>
        <value>uid={0}</value>
    </param>

    <param>
        <name>main.ldapRealm.groupIdAttribute</name>
        <value>cn</value>
    </param>

    <!-- URL protection and session settings -->
    <param>
        <name>urls./**</name>
        <value>authcBasic</value>
    </param>

    <param>
        <name>sessionTimeout</name>
        <value>30</value>
    </param>
</provider>
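To review a provider block like the one above before it is deployed, here is an added Python linter that is not part of Apache Knox: it parses the <param> entries and flags a simple bind over plain ldap://, a literal systemPassword (Knox can instead reference a credential-store alias as ${ALIAS=...}), and DN parameters still holding the template placeholders. The input is a constructed, trimmed copy of the block above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: a trimmed copy of this page's provider block.
SAMPLE_PROVIDER = """<provider>
  <role>authentication</role>
  <name>ShiroProvider</name>
  <enabled>true</enabled>
  <param><name>main.ldapRealm.contextFactory.url</name>
         <value>ldap://active-directory-server-ip:389</value></param>
  <param><name>main.ldapRealm.contextFactory.authenticationMechanism</name>
         <value>simple</value></param>
  <param><name>main.ldapRealm.contextFactory.systemUsername</name>
         <value>distinguishedName of LDAP service account</value></param>
  <param><name>main.ldapRealm.contextFactory.systemPassword</name>
         <value>hadoop</value></param>
  <param><name>main.ldapRealm.searchBase</name>
         <value>dc=hadoop,dc=apache,dc=org</value></param>
</provider>"""

# Parameters whose value must be an LDAP DN once the template is filled in.
DN_PARAMS = ("main.ldapRealm.contextFactory.systemUsername",
             "main.ldapRealm.searchBase")

def load_params(provider_xml: str) -> dict:
    """Map each <param> name to its value (whitespace stripped)."""
    root = ET.fromstring(provider_xml)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.findall("param")}

def lint_provider(provider_xml: str) -> list:
    """Return findings a reviewer should raise before this topology ships."""
    params = load_params(provider_xml)
    findings = []
    url = params.get("main.ldapRealm.contextFactory.url", "")
    mech = params.get("main.ldapRealm.contextFactory.authenticationMechanism", "simple")
    if urlparse(url).scheme == "ldap" and mech == "simple":
        findings.append("simple bind over ldap://: user and service-account passwords "
                        "cross the network in clear; use ldaps://")
    pw = params.get("main.ldapRealm.contextFactory.systemPassword", "")
    if pw and not pw.startswith("${ALIAS="):
        findings.append("systemPassword is a literal in the topology file; keep it in "
                        "the Knox credential store and reference it as ${ALIAS=...}")
    for name in DN_PARAMS:
        value = params.get(name)
        if value is not None and "=" not in value:  # a DN always contains attr=value
            findings.append(f"{name} still holds the template placeholder, not a DN")
    return findings
```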

