
Configure Cloudera HUE with FreeIPA

Configuring HUE with LDAP / FreeIPA:

[root@idmipa03 ~]# LDAPTLS_CACERT=/etc/ipa/ca.crt ldapsearch -H ldaps://idmipa03.mws.mds.xyz:636 -D "uid=admin,cn=users,cn=compat,dc=mws,dc=mds,dc=xyz" -w "<SECRET>" -b "dc=mws,dc=mds,dc=xyz" -v "(&(objectClass=posixAccount)(uid=*))"  |grep dn:
ldap_initialize( ldaps://idmipa03.mws.mds.xyz:636/??base )
filter: (&(objectClass=posixAccount)(uid=*))
requesting: All userApplication attributes
dn: uid=cmadmin-530029b6,cn=users,cn=compat,dc=mws,dc=mds,dc=xyz
dn: uid=admin,cn=users,cn=compat,dc=mws,dc=mds,dc=xyz
dn: uid=admin,cn=users,cn=accounts,dc=mws,dc=mds,dc=xyz
dn: uid=cmadmin-530029b6,cn=users,cn=accounts,dc=mws,dc=mds,dc=xyz
[root@idmipa03 ~]#

Ensure the following settings:

Authentication Backend ( backend ) : desktop.authentication.backend.LdapBackend
PAM Backend Service Name ( pam_service) : login
LDAP URL  ( ldap_url ) : ldaps://idmipa03.mws.mds.xyz:636
LDAP Server CA Certificate ( ldap_cert ) : /etc/ipa/ca.crt
Enable LDAP TLS ( use_start_tls ) : <CHECKED>
Use Search Bind Authentication (search_bind_authentication) : <CHECKED>
Create LDAP users on login ( create_users_on_login ) : <CHECKED>
LDAP Search Base ( base_dn ) : cn=compat,dc=mws,dc=mds,dc=xyz
LDAP Bind User Distinguished Name ( bind_dn ) : uid=admin,cn=users,cn=accounts,dc=mws,dc=mds,dc=xyz
LDAP Bind Password ( bind_password ) : <SECRET>
LDAP User Filter ( user_filter ) : (objectClass=posixAccount)
LDAP Username Attribute ( user_name_attr ) : uid
LDAP Group Filter ( group_filter ) : (objectClass=posixGroup)
LDAP Group Name Attribute ( group_name_attr ) : cn

Test the configuration ( Hue – Actions – Test LDAP Configuration ):

Test LDAP Configuration
Status: Finished    Sep 2, 7:09:09 PM    35.8s
Hue's LDAP configuration is valid.
Completed 1 of 1 step(s).
Testing the Hue LDAP configuration.
Hue Server (cm-r01en01)    Sep 2, 7:09:09 PM    35.8s


You may receive this error:

[root@cm-r01en01 hue-httpd]# ldapsearch -Y GSSAPI -w "<SECRET>" -H 'ldaps://idmipa-c01.mws.mds.xyz:636' -b 'dc=mws,dc=mds,dc=xyz' -D 'uid=admin,cn=users,cn=accounts,dc=mws,dc=mds,dc=xyz' '(&(objectClass=posixAccount)(uid=tom))' -d1 |grep dn:
TLS: hostname (idmipa-c01.mws.mds.xyz) does not match common name in certificate (idmipa04.mws.mds.xyz).

This means you'll need a SAN certificate with 1) the VIP name (idmipa-c01.mws.mds.xyz), 2) idmipa03 and 3) idmipa04 listed as valid hostnames.  Otherwise, point Hue at a single IPA server node whose hostname matches its certificate.

To find users from an AD DC ( Active Directory Domain Controller ), use the explicit user@domain format:

[root@cm-r01en01 cloudera-scm-agent]# LDAPTLS_CACERT=/etc/ipa/ca.crt   ldapsearch -Y GSSAPI -H ldaps://idmipa03.mws.mds.xyz:636 -D "uid=admin,cn=users,cn=accounts,dc=mws,dc=mds,dc=xyz" -w "<SECRET>" -b "dc=mws,dc=mds,dc=xyz" "(uid=tom@mds.xyz)" -v|grep dn:

These entries follow the RFC 2307 schema (posixAccount / posixGroup).

While configuring, we ran into the following:

[02/Sep/2019 20:05:57 +0000] backend      WARNING  Cannot configure LDAP with SSL and enable STARTTLS.
[02/Sep/2019 20:05:58 +0000] config       ERROR    search_s('dc=mws,dc=mds,dc=xyz', 2, '(&(uid=tom@mds.xyz)(*))') raised FILTER_ERROR({'desc': 'Bad search filter'},)
[02/Sep/2019 20:05:58 +0000] config       DEBUG    search_s('dc=mws,dc=mds,dc=xyz', 2, '(&(uid=%(user)s)(*))') returned 0 objects:
[02/Sep/2019 20:05:58 +0000] backend      DEBUG    Authentication failed for tom@mds.xyz: failed to map the username to a DN.
[02/Sep/2019 20:05:59 +0000] access       WARNING -anon- – "POST /hue/accounts/login HTTP/1.1" (mem: 132mb)– Failed login for user: tom@mds.xyz

The first line is only Hue noting that STARTTLS does not apply to an ldaps:// (SSL) URL; the real failure is the bad search filter.  Debugging a little further reveals:

[root@cm-r01en01 logs]# LDAPTLS_CACERT=/etc/ipa/ca.crt   ldapsearch -Y GSSAPI -H ldaps://idmipa03.mws.mds.xyz:636 -D "uid=admin,cn=users,cn=accounts,dc=mws,dc=mds,dc=xyz" -w "<SECRET>" -b "cn=compat,dc=mws,dc=mds,dc=xyz" "(uid=tom@mds.xyz))" -v|grep dn:
ldap_initialize( ldaps://idmipa03.mws.mds.xyz:636/??base )
SASL/GSSAPI authentication started
SASL username: hdfs/cm-r01en01.mws.mds.xyz@MWS.MDS.XYZ
SASL data security layer installed.
filter: (uid=tom@mds.xyz))
requesting: All userApplication attributes
ldap_search_ext: Bad search filter (-7)
[root@cm-r01en01 logs]#

With a few commands, we quickly figure out the correct mappings:

LDAPTLS_CACERT=/etc/ipa/ca.crt   ldapsearch -Y GSSAPI -H ldaps://idmipa03.mws.mds.xyz:636 -D "uid=admin,cn=users,cn=accounts,dc=mws,dc=mds,dc=xyz" -w "<SECRET>" -b "cn=compat,dc=mws,dc=mds,dc=xyz" "(&(uid=tom@mds.xyz)(objectClass=posixAccount))" -v

LDAPTLS_CACERT=/etc/ipa/ca.crt   ldapsearch -Y GSSAPI -H ldaps://idmipa03.mws.mds.xyz:636 -D "uid=admin,cn=users,cn=accounts,dc=mws,dc=mds,dc=xyz" -w "<SECRET>" -b "cn=compat,dc=mws,dc=mds,dc=xyz" "(&(cn=cdhadmins)(objectClass=posixGroup))" -v
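To see why the two filters above are rejected and the corrected ones are accepted, here is an added Python example (not Hue's code and not from the original post) that composes the search-bind filter the way the Hue log shows it, (&(uid=<user>)<user_filter>), checks it against RFC 4515 filter syntax, and escapes the login name per RFC 4515 so a value typed into the login form cannot alter the filter.  The wrapping of user_filter and the helper names are assumptions for this example.

```python
import re

# Minimal RFC 4515 filter syntax checker (added example, not Hue's code).
# Accepts (attr=value), (attr~=value), (attr>=value), (attr<=value),
# (attr=*), (attr=va*ue) and the &, |, ! combinators.
_ITEM = re.compile(r'^[A-Za-z][A-Za-z0-9.;-]*(~=|>=|<=|=)[^()]*$')

def _parse(f, i):
    """Parse one filter starting at f[i]; return the index after its ')'."""
    if i >= len(f) or f[i] != '(':
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if i < len(f) and f[i] in '&|':
        i += 1
        n = 0
        while i < len(f) and f[i] == '(':
            i = _parse(f, i)
            n += 1
        if n == 0:
            raise ValueError("empty filter list")
    elif i < len(f) and f[i] == '!':
        i = _parse(f, i + 1)
    else:
        j = f.find(')', i)
        if j < 0 or not _ITEM.match(f[i:j]):
            raise ValueError("bad item: %r" % f[i:j])   # e.g. the bare (*)
        i = j
    if i >= len(f) or f[i] != ')':
        raise ValueError("expected ')' at %d" % i)
    return i + 1

def valid_filter(f):
    """True only if the whole string is exactly one well-formed filter."""
    try:
        return _parse(f, 0) == len(f)     # catches the stray ')' case
    except ValueError:
        return False

def escape_value(v):
    """RFC 4515 escaping for a value taken from the login form."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in v)

def compose_user_filter(username, user_filter, user_name_attr='uid'):
    """Build (&(uid=<user>)<user_filter>) as seen in the Hue debug log."""
    if not valid_filter(user_filter):
        raise ValueError("user_filter is not a valid LDAP filter: %r" % user_filter)
    return '(&(%s=%s)%s)' % (user_name_attr, escape_value(username), user_filter)
```

Run against the post's values, the filter with (*) and the one with the extra ')' are rejected while (&(uid=tom@mds.xyz)(objectClass=posixAccount)) passes.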

And we are greeted with a successful login message:

[02/Sep/2019 20:34:19 +0000] middleware   DEBUG    {"username": "tom@mds.xyz", "impersonator": "hue", "eventTime": 1567481659975, "operationText": "Successful login for user: tom@mds.xyz", "service": "hue", "url": "/hue/accounts/login", "allowed": true, "operation": "USER_LOGIN", "ipAddress": ""}

This is the login of our AD DC user (tom@mds.xyz).

Successful Hue IPA Integration



  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

This work is licensed under a Creative Commons Attribution 3.0 Unported License