If you use LDAP to authenticate users, you can retrieve user account information from your LDAP database and import it directly into Hue's User Admin directory. This way, you do not have to use the Hue interface to create user accounts for each Hue user individually.

Once you import users, you can also use LDAP with Hue to authenticate users with their LDAP credentials. Each of these tasks is explained in the following sections.

Setting up Users from an LDAP Database

This diagram shows how the LDAP client embedded in Hue searches the LDAP server's database for user names, and then adds them to the User Admin directory for Hue.


The following table shows the parameters you need to set in the ldap section of the hue.ini file so you can import users.

The hue.ini file is located at /opt/mapr/hue/hue-<version>/desktop/conf/.

| Parameter | Description | Comments |
|---|---|---|
| ldap_url | The URL of your LDAP server. | |
| base_dn | Top of the search tree, which defines the search scope. | |
| bind_dn | Distinguished name (DN) of the user to bind as. | Can be omitted for anonymous searches. |
| bind_password | Password of the bind user. | Can be omitted for anonymous searches. |
| user_filter | Limits the scope of the search by applying a filter. | This parameter is optional. |
| user_name_attr | The attribute used for username in the LDAP schema. | Examples: cn (for common name) or uid (for user ID). |

To set up Hue users by importing information from an LDAP database:

  1. Establish communication with the LDAP server by setting the ldap_url parameter in the ldap section of the hue.ini file. 

        # URL of the LDAP server
        ##ldap_url=ldap://localhost

    Uncomment the line and change the value from the default (ldap://localhost) to the URL for your LDAP server.

  2. Provide the base_dn information to define the search scope. Uncomment the line where base_dn is defined and replace the value with your own base_dn.

        # The search base for finding users and groups
        ## base_dn="DC=mycompany,DC=com"

  3. If your LDAP server does not support anonymous searches, you need to provide the bind_dn and bind_password. Uncomment the lines with these parameters and change the values to your bind_dn and your bind_password.

        # Distinguished name of the user to bind as -- not necessary if the LDAP server
        # supports anonymous searches
        ## bind_dn="CN=ServiceAccount,DC=mycompany,DC=com"
    
        # Password of the bind user -- not necessary if the LDAP server supports
        # anonymous searches
        ## bind_password=

  4. If you want to narrow the scope of the directory search, specify a user_filter in the users section under the ldap section of the hue.ini file. This is optional.

        [[[users]]]

          # Base filter for searching for users
          ## user_filter="objectclass=*"

  5. Set the user_name_attr parameter in the users section under the ldap section of the hue.ini file.

        [[[users]]]
    
          # The username attribute in the LDAP schema
          ## user_name_attr=sAMAccountName


    If your LDAP directory schema does not use the attribute sAMAccountName for the username, uncomment the line and change the value of the user_name_attr to the attribute you use. For example, if the directory schema uses the uid attribute, change the value of the parameter as shown:

        user_name_attr=uid

  6. Restart httpfs so the LDAP settings will take effect.

  7. Restart Hue once all configuration changes have been made so the changes will take effect.

Authenticating Hue Users with LDAP Credentials

This section explains how to edit the ldap section of the hue.ini file to enable Hue user authentication with LDAP credentials. These instructions assume you have completed the steps in Setting up Users from an LDAP Database.

If you switch to authentication through LDAP credentials, the Hue User Admin users will lose superuser privileges unless you take one of the following actions:

  • Import one or more superuser accounts from LDAP and assign them superuser permission.
  • If you have already enabled the LDAP authentication back end, log into Hue using the LDAP back end, which will create an LDAP user. Next, disable the LDAP authentication back end and use User Admin to give the superuser permission to the new LDAP user.

Before you edit the parameters in the hue.ini file, determine whether your LDAP server allows anonymous searches. 

  • If anonymous searches are allowed, use the direct bind method.
  • If anonymous searches are not allowed, use bind credentials (also known as search and bind).

The following flow chart shows which parameters you must specify for each of these authentication methods:

These are the parameters you need to set in the ldap section of the hue.ini file so you can authenticate Hue users with LDAP credentials:

| Parameter | Description | Comments |
|---|---|---|
| search_bind_authentication | Determines which authentication method to use: search and bind, or direct bind. | When set to true, Hue performs an LDAP search using bind_dn and bind_password as provided in hue.ini. The search can be further limited by the search filter user_filter. When set to false, Hue performs a direct bind to LDAP using the credentials provided from one of these sources: (1) the UPN, formed by concatenating <shortname> (the user name provided on the Hue login page) and nt_domain (if nt_domain is specified); (2) the ldap_username_pattern (if nt_domain is not specified). |
| nt_domain | The NT domain to connect to. | This parameter is only used with Active Directory. Used with the direct bind method of authentication. If nt_domain is specified, then ldap_username_pattern is ignored. |
| ldap_username_pattern | Used to connect to directory services other than Active Directory. | Used with the direct bind method of authentication. Usually takes the form "cn=<username>,dc=example,dc=com" |
| backend | The backend to use for authenticating users. | Needs to be set to desktop.auth.backend.LdapBackend for Hue authentication. |

Using Bind Credentials (Search and Bind)

To use the search and bind method for LDAP authentication, edit these parameters in the ldap section of the hue.ini file:

  1. Set search_bind_authentication=true.

  2. In the Authentication backend section, add the following line after the ##backend= statement:

        backend=desktop.auth.backend.LdapBackend

    Hue searches base_dn for an entry with user_name_attr that contains the user name provided on the Hue login page.

  3. Restart httpfs so the LDAP settings will take effect.

  4. Restart Hue once all configuration changes have been made so the changes will take effect.

Using Direct Bind

To use the direct bind method for LDAP authentication, edit these parameters in the ldap section of the hue.ini file:

  1. Set search_bind_authentication=false.

  2. If you are using the Active Directory directory service, uncomment the line with the nt_domain parameter. Change the value from nt_domain=mycompany.com to the NT domain you want to connect to.

  3. If you are using any other directory service, uncomment the line with ldap_username_pattern and specify the format, such as the one shown here:

        ldap_username_pattern="cn=<username>,dc=example,dc=com"

    Note that <username> will be replaced by the information provided on the Hue login page.

  4. Restart httpfs so the LDAP settings will take effect.

  5. Restart Hue once all configuration changes have been made so the changes will take effect.
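
The parameter rules from both authentication procedures above can be checked against a hue.ini file before restarting Hue. The following Python script is an added example, not MapR or Hue code: the function names parse_nested_ini and review_ldap are hypothetical, the [desktop] / [[auth]] / [[ldap]] nesting and the sample values are assumptions, and the ldap:// cleartext check is an addition that this page does not discuss.

```python
import re

# Constructed sample hue.ini fragment (host name and DNs are placeholders).
SAMPLE_INI = """
[desktop]
  [[auth]]
    backend=desktop.auth.backend.LdapBackend
  [[ldap]]
    ldap_url=ldap://ldap.example.com
    search_bind_authentication=false
    nt_domain=example.com
    ldap_username_pattern="cn=<username>,dc=example,dc=com"
    [[[users]]]
      user_name_attr=uid
"""

def parse_nested_ini(text):
    """Flatten nested [[section]] syntax into {'desktop.ldap.key': value}."""
    path, out = [], {}
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"(\[+)([^\[\]]+)\]+", line)
        if header:  # the number of opening brackets gives the nesting depth
            path = path[:len(header.group(1)) - 1] + [header.group(2).strip()]
        elif "=" in line and not line.startswith("#"):  # skip '## key=' defaults
            key, value = line.split("=", 1)
            out[".".join(path + [key.strip()])] = value.strip().strip('"')
    return out

def review_ldap(cfg):
    """Return (method, findings) using the rules stated on this page."""
    def ldap(key):
        return cfg.get("desktop.ldap." + key, "")
    mode = ldap("search_bind_authentication").lower()
    method = {"true": "search and bind", "false": "direct bind"}.get(mode, "unset")
    findings = []
    if cfg.get("desktop.auth.backend") != "desktop.auth.backend.LdapBackend":
        findings.append("backend is not desktop.auth.backend.LdapBackend")
    if method == "unset":
        findings.append("search_bind_authentication is not set explicitly")
    elif method == "search and bind":
        if not (ldap("bind_dn") and ldap("bind_password")):
            findings.append("bind_dn/bind_password missing: search is anonymous")
    elif ldap("nt_domain") and ldap("ldap_username_pattern"):  # direct bind
        findings.append("nt_domain set: ldap_username_pattern is ignored")
    elif not (ldap("nt_domain") or ldap("ldap_username_pattern")):
        findings.append("direct bind needs nt_domain or ldap_username_pattern")
    if ldap("ldap_url").lower().startswith("ldap://"):
        findings.append("ldap:// URL: cleartext unless StartTLS is configured")
    return method, findings
```

Calling review_ldap(parse_nested_ini(open(path).read())) on a real file returns the authentication method in effect and a list of findings to resolve before the restart steps.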