Using LDAP

Prior to deploying the Dremio cluster, LDAP integration must be configured in the dremio.conf and LDAP configuration files. Once in LDAP mode, Dremio uses the users and groups defined in LDAP. In this mode, administrators cannot create additional users within Dremio.

Once the cluster is configured and deployed in LDAP mode, the first user to log in with valid LDAP credentials is marked as the Admin. At this point, other groups/users can be assigned as administrators.

[info] Important

The LDAP configuration in the dremio.conf and ad.json files must exist and match on all coordinator nodes.

Configuring LDAP in Dremio

To configure LDAP in Dremio, edit the dremio.conf file, and add the following properties:

services: {
  coordinator.enabled: true,
  coordinator.web.auth.type: "ldap",
  coordinator.web.auth.ldap_config: "ad.json"
}

Configuring Active Directory (AD)

To configure AD, edit the ad.json file. This file is located under the Dremio configuration directory (the same path as dremio.conf) and is referenced from dremio.conf through the coordinator.web.auth.ldap_config property of the coordinator service.

Several options need to be configured in this JSON file (ad.json in the above example).

Required Properties

  • bindDN and bindPassword Credentials for the user with which the Dremio LDAP client connects to the LDAP server.
  • baseDN The root path for all searches. If userAttributes.baseDNs or groupAttributes.baseDNs are specified, they override baseDN for search purposes.
  • userFilter LDAP filter for validating users. Only users who fit the criteria set here will be allowed to authenticate.
  • groupFilter LDAP filter for groups.
  • groupMembership Attribute of a user or a group that tells what groups they belong to.
  • groupRecursive Attribute of a user or a group that lists transitive group membership. For example, if Dan is a member of the BI group, and the BI group is a member of the engineering group, the groupMembership attribute contains only the BI group, while the groupRecursive attribute also contains engineering.

User Attribute-based Properties

Specify a list of baseDNs and an id (the login attribute name, e.g. sAMAccountName) under the userAttributes property in the ad.json file.

[info] These attribute-based properties are recommended.

A mapping of LDAP user attributes to Dremio user attributes should include baseDNs, searchScope, id, firstname, lastname, and email.

  • baseDNs All the baseDNs Dremio will search for users under.
  • id Attribute for the login name. Defaults to sAMAccountName.
  • searchScope Scope of user searches:
    • SUB_TREE Searches subtrees below the specified baseDNs (default).
    • ONE Searches immediate children below the specified baseDNs.
    • BASE Matches the exact entry.
  • firstname Attribute for first name.
  • lastname Attribute for last name.
  • email Attribute for email address.

[info] In the attribute-based approach, the userDNs field must not be specified.

Example

"userAttributes": {
    "baseDNs": [
        "OU=test,OU=ad,DC=drem,DC=io"
    ],
    "searchScope": "SUB_TREE",
    "id": "sAMAccountName",
    "firstname": "givenName",
    "lastname": "sn",
    "email": "mail"
}

User DN-based Properties

To specify a list of templates for user DNs, use the following properties:

  • userDNs List of templates for user DNs.
  • userAttributes A mapping of LDAP user attributes to Dremio user attributes. This should include firstname, lastname, and email:
    • firstname Attribute for first name.
    • lastname Attribute for last name.
    • email Attribute for email address.

[info] In the DN-based approach, the baseDNs, searchScope, and id properties cannot be specified under userAttributes.

Example

In the following example, the placeholder {0} is replaced with the username entered by the user, and the resulting DN is used for the LDAP bind. Dremio attempts to bind to the userDNs in the order they are specified.

"userDNs": ["cn={0},dc=staticsecurity,dc=dremio,dc=com"],
"userAttributes": {
    "firstname": "givenName",
    "lastname": "sn",
    "email": "mail"
}

To specify a list of templates for group DNs, add the following properties:

  • groupDNs List of templates for group DNs.

[info] In the DN-based approach, the groupAttributes property must not be specified.

Example

"groupDNs": ["cn={0},OU=engg,OU=test,OU=ad,DC=drem,DC=io"]

The placeholder {0} is replaced with the group name entered by the user. Dremio searches the given groupDNs in the order they are specified.

Group Attribute-based Properties

To use group attributes, specify a list of baseDNs and the id attribute that holds the group name.

These properties map LDAP group attributes to Dremio group attributes. The baseDNs, searchScope, and id properties should be included.

  • baseDNs All the baseDNs under which Dremio searches for groups.
  • id Attribute for group names. Default: CN.
  • searchScope Scope of group searches:
    • SUB_TREE Searches subtrees below the specified baseDNs (default).
    • ONE Searches immediate children below the specified baseDNs.
    • BASE Matches the exact entry.

[info] In the attribute-based approach, the groupDNs field must not be specified.

Example

"groupAttributes" : {
    "baseDNs": ["dc=roles,dc=dremio,dc=com"],
    "searchScope": "SUB_TREE",
    "id": "CN"
 }

Limiting Access

Access can be limited by setting the userFilter property.

Example

The following example limits access to members of the engineering group.

"userFilter": "&(objectClass=user)(memberOf=cn=engineering,OU=Groups,OU=ad,DC=ad,DC=drem,DC=io)",

Granting Admin Privileges at Configuration Time

By default, the first valid LDAP user to log in to Dremio is given the Admin role. Alternatively, you can specify an initial list of users and/or groups to be given the Admin role before starting Dremio. In both cases, additional users/groups can be given the Admin role via the Dremio UI.

To specify users/groups as administrators up-front:

  1. In the ad.json file, set autoAdminFirstUser to false.

     "autoAdminFirstUser": false
    
  2. Create a file called bootstrap-admin-users.json under the Dremio configuration directory and add
    the users and groups properties. For example:

     {
         "users": ["joe", "bob"],
         "groups": ["marketers", "sales wizards"]
     }
    

    [info]

    On an Active Directory (AD) authenticated Dremio cluster, specifying a user in the bootstrap-admin-users.json file does not by itself promote that user to administrator.
    This is working as designed: the file is for bootstrapping only. Any administrator can later add additional admin users and groups through the Dremio user interface.

Securing the LDAP Connection

To secure the LDAP connection, specify one of the following connection modes in the LDAP configuration file under connectionMode:

  • PLAIN - Dremio uses an unencrypted connection; the bind credentials and user passwords cross the network in clear text.
  • ANY_SSL - The connection is encrypted, but Dremio's LDAP client trusts any certificate presented by the LDAP server, so the server's identity is not verified.
  • TRUSTED_SSL - Dremio's LDAP client trusts only certificates signed by a Certificate Authority that the JVM already trusts;
    no extra configuration is required for such certificates. If the LDAP server has a self-signed certificate, a trustStore containing the server's public certificate needs to be passed in as a JVM argument.

Example: PLAIN mode

"connectionMode": "PLAIN",

Example: TRUSTED_SSL mode

// ad.json entry for TRUSTED_SSL mode
"connectionMode": "TRUSTED_SSL",

// dremio.conf entry for TRUSTED_SSL mode with a self-signed certificate
javax.net.ssl {
    trustStore: "<path/to/truststore/jks/file>",
    trustStorePassword: "trustStorePassword"
}

Sample Microsoft AD Configuration

{
    "connectionMode": "PLAIN",
    "servers": [
        {
            "hostname": "<LDAP_HOST>",
            "port": 389
        }
    ],
    "names": {
        "bindDN": "CN=Admin,OU=Users,OU=ad,DC=drem,DC=io",
        "bindPassword": "password",
        "baseDN": "dc=dremio,dc=io",
        "userFilter": "&(objectClass=user)(|(memberOf=CN=QA,OU=temps,OU=test,OU=ad,DC=drem,DC=io)(memberOf=CN=qa,OU=engg,OU=test,OU=ad,DC=drem,DC=io))",
        "userAttributes": {
            "baseDNs": [
                "OU=test,OU=ad,DC=drem,DC=io"
            ],
            "searchScope": "SUB_TREE",
            "id": "sAMAccountName",
            "firstname": "givenName",
            "lastname": "sn",
            "email": "mail"
        },
        "groupMembership": "memberOf",
        "groupRecursive": "transitive-memberOf",
        "groupDNs": ["cn={0},OU=engg,OU=test,OU=ad,DC=drem,DC=io"],
        "groupFilter": "(objectClass=group)",
        "autoAdminFirstUser": true
    }
}
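As an added example that is not part of the Dremio documentation or product, the following Python pre-deployment check applies the rules described on this page to a parsed ad.json: the required properties, the userDNs versus userAttributes.baseDNs/searchScope/id exclusivity, the groupDNs versus groupAttributes exclusivity, the bootstrap-admin-users.json requirement when autoAdminFirstUser is false, and the three connection modes. The embedded sample configuration (including its hostname) and the function names are constructed for this example.

```python
import json
# Constructed sample ad.json modelled on this page's Microsoft AD configuration; hostname and values are placeholders.
SAMPLE_AD_JSON = """{
  "connectionMode": "PLAIN",
  "servers": [{"hostname": "ldap.example.invalid", "port": 389}],
  "names": {
    "bindDN": "CN=Admin,OU=Users,OU=ad,DC=drem,DC=io",
    "bindPassword": "password",
    "baseDN": "dc=dremio,dc=io",
    "userFilter": "&(objectClass=user)(memberOf=cn=engineering,OU=Groups,OU=ad,DC=drem,DC=io)",
    "userAttributes": {"baseDNs": ["OU=test,OU=ad,DC=drem,DC=io"], "searchScope": "SUB_TREE",
                       "id": "sAMAccountName", "firstname": "givenName", "lastname": "sn", "email": "mail"},
    "groupMembership": "memberOf",
    "groupRecursive": "transitive-memberOf",
    "groupDNs": ["cn={0},OU=engg,OU=test,OU=ad,DC=drem,DC=io"],
    "groupFilter": "(objectClass=group)",
    "autoAdminFirstUser": true
  }
}"""

REQUIRED = ("bindDN", "bindPassword", "baseDN", "userFilter", "groupFilter",
            "groupMembership", "groupRecursive")
SEARCH_ONLY = {"baseDNs", "searchScope", "id"}  # not allowed under userAttributes when userDNs is used

def check_ad_config(cfg, bootstrap_file_present=False):
    """Return the problems found in a parsed ad.json; an empty list means it passes."""
    names = cfg.get("names", {})
    problems = [f"missing required property: {k}" for k in REQUIRED if k not in names]
    ua = names.get("userAttributes", {})
    if "userDNs" in names:
        # DN-based users bind by template, so the search-related fields are not allowed.
        if SEARCH_ONLY & set(ua):
            problems.append("userDNs set: remove baseDNs/searchScope/id from userAttributes")
    elif "baseDNs" not in ua:
        problems.append("configure either userDNs or userAttributes.baseDNs")
    if ("groupDNs" in names) == ("groupAttributes" in names):
        problems.append("configure exactly one of groupDNs or groupAttributes")
    if names.get("autoAdminFirstUser") is False and not bootstrap_file_present:
        problems.append("autoAdminFirstUser is false but bootstrap-admin-users.json is absent")
    mode = cfg.get("connectionMode")
    if mode == "PLAIN":
        problems.append("PLAIN: bind credentials and user passwords cross the network unencrypted")
    elif mode == "ANY_SSL":
        problems.append("ANY_SSL: the LDAP server's certificate is never verified")
    elif mode != "TRUSTED_SSL":
        problems.append(f"unknown connectionMode {mode!r}")
    return problems

def check_ad_json_text(text, bootstrap_file_present=False):
    return check_ad_config(json.loads(text), bootstrap_file_present)
```

Run against the sample, the only finding is the PLAIN connection mode; switching the sample to TRUSTED_SSL yields an empty list.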
