Configure Hue with Multi-Authentication: LDAP & DjangoBackend and Sync LDAP user/group

Aloha, Hue administrators,

Hue has supported multi-authentication since Hue 3.9. You can turn it on by updating the Hue configuration through the CM UI or hue.ini.

On any CM-managed cluster, go to Hue’s configuration page and search for “safety”:

http://YourCluster.com:7180/cmf/services/10/config#filterfreeText=safety

Then update the Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini as follows:

[desktop]
[[auth]]
backend=desktop.auth.backend.LdapBackend,desktop.auth.backend.AllowFirstUserDjangoBackend

Then configure the Hue LDAP-related settings through the CM UI at http://YourCluster.com:7180/cmf/services/10/config:

Here is a sample multi-authentication configuration with LDAP for /etc/hue/conf/hue.ini, in case you don’t have CM:

[desktop]
[[auth]]
backend=desktop.auth.backend.LdapBackend,desktop.auth.backend.AllowFirstUserDjangoBackend
[[ldap]]
ldap_url=ldap://ldapserver.ad.com:389
search_bind_authentication=true
create_users_on_login=true
base_dn="ou=Test,DC=ad,DC=com"
bind_dn="[email protected]"
bind_password_script={{CMF_CONF_DIR}}/altscript.sh sec-5-bind_password
#bind_password="YourBindPassword"
[[[users]]]
user_filter="objectclass=user"
user_name_attr="sAMAccountName"
[[[groups]]]
group_filter="objectclass=group"

Save the changes, re-deploy the client configuration, then restart Hue.
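A check to run on the file before restarting Hue, as an added example that is not part of the original post or of Hue itself: it walks the nested section headers, flags an unbalanced header, confirms both backends are listed, and warns when bind_password is set in clear text instead of bind_password_script. The function name lint_hue_ini and the sample file are constructed for illustration.

```python
import re

# Section header such as [desktop], [[ldap]] or [[[users]]]; depth = bracket count.
HEADER = re.compile(r"^(\[+)\s*([^\[\]]+?)\s*(\]+)$")

def lint_hue_ini(text):
    """Return (settings, findings) for a hue.ini-style nested config."""
    settings, findings, path = {}, [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out keys are ignored
        if line.startswith("["):
            m = HEADER.match(line)
            if not m or len(m.group(1)) != len(m.group(3)):
                findings.append(f"line {no}: unbalanced section header {line!r}")
            depth = len(m.group(1)) if m else 1
            name = m.group(2) if m else line.strip("[] ")
            path = path[:depth - 1] + [name]  # keep parsing to report everything
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings["/".join(path + [key.strip()])] = value.strip().strip('"')
    backends = [b.strip() for b in settings.get("desktop/auth/backend", "").split(",")]
    for wanted in ("LdapBackend", "AllowFirstUserDjangoBackend"):
        if not any(b.endswith("." + wanted) for b in backends):
            findings.append(f"desktop/auth/backend does not list {wanted}")
    if "desktop/ldap/bind_password" in settings:
        findings.append("bind_password is in clear text; prefer bind_password_script")
    if any(b.endswith(".LdapBackend") for b in backends) \
            and "desktop/ldap/ldap_url" not in settings:
        findings.append("LdapBackend is enabled but desktop/ldap/ldap_url is not set")
    return settings, findings

# Constructed sample: one mistyped header and an uncommented bind_password.
SAMPLE = """\
[desktop]
[[auth]
backend=desktop.auth.backend.LdapBackend,desktop.auth.backend.AllowFirstUserDjangoBackend
[[ldap]]
ldap_url=ldap://ldapserver.ad.com:389
bind_password="YourBindPassword"
[[[users]]]
user_name_attr="sAMAccountName"
"""

if __name__ == "__main__":
    for finding in lint_hue_ini(SAMPLE)[1]:
        print(finding)
```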

Now you should be able to log in to Hue as any LDAP user or Django backend user. If you are using Hue 3.12 or newer, you will see an extra drop-down in the UI for “LDAP” or “Local”.

Once you log in as a superuser, you will be able to sync LDAP users/groups through the “Manage Users” page: https://YourHueHost.com:8889/hue/useradmin/users.

On the “Users” tab, click the “Add/Sync LDAP user” button.

Then fill in the LDAP user name with a pattern like “test*”.

Click the “Add/Sync user” button, and all users whose names start with “test” will be synced.

You can also sync a user by LDAP distinguished name, like “CN=atestë01,OU=huetest,OU=test,DC=ad,DC=com”, with “Distinguished name” checked.

Similarly, for an LDAP group, navigate to the “Groups” tab, click the “Add/Sync LDAP group” button, fill in the fields accordingly, then click “Add/Sync group”.

You can always use the ldapsearch command on your host to verify that the user/group exists on your LDAP server.

ldapsearch -LLL -H ldap://ldapserver.ad.com:389 -D [email protected] -w yourbindPassword -b "cn=testuser,ou=test,DC=ad,DC=com"

ldapsearch -LLL -H ldap://ldapserver.ad.com:389 -D [email protected] -w yourbindPassword -b "cn=testgroup,ou=test,DC=ad,DC=com"

As always, feel free to comment and send feedback on the hue-user list or @gethue!

2 Comments

  1. Agneesh Kumar Priyadarshi 2 months ago

    Hi

    I am using Hue 4.2 on EMR 5.17 but not able to configure LDAP on that. I am getting authentication error. It was working fine with Hue 4.1 on EMR 5.13. Can anyone please help

    • Author
      Hue Team 2 months ago

      Did you check on EMR forum?
      What is the error?
