LDAP Enterprise
Configuring Dremio for LDAP
To configure Dremio for LDAP, perform the following steps:
-
Create a new
ad.json
file that contains your LDAP server configuration. See the LDAP Properties below for more information. -
Install the configuration:
- Kubernetes
- Standalone
-
Update the
coordinator.auth.type
configuration in yourvalues-overrides.yaml
with the valueldap
. See the configuration of Identity Providers. -
Optionally, to configure Dremio to use TLS when connecting to LDAP, perform the following steps:
-
Configure the LDAP
connectionMode
inad.json
for the required level of TLS functionality. See LDAP Connection Mode. -
To configure a truststore for the validation of TLS LDAP certificates, add the following to
New configuration for TLS to LDAPvalues-override.yaml
dremio:
advancedConfigs:
trustStore:
enabled: true
password: "changeit"
-
-
Perform a
helm install
with the following options:--set-file coordinator.web.auth.ssoFile=<your-local-path>/ad.json
option indicating the location of thead.json
. See Deploying Dremio to Kubernetes for additional information.--set-file dremio.configBinaries.trustStore=<path/to/truststore/jks/file/on/local/machine>
to use the local truststore file, if SSL is required.
-
Edit the
Example Dremio Service Configurationdremio.conf
file, and add the following properties:services: {
coordinator.enabled: true,
coordinator.web.auth.type: "ldap",
coordinator.web.auth.config: "ad.json"
} -
Optionally, to configure Dremio to use TLS when connecting to LDAP, perform the following steps:
-
Configure the LDAP
connectionMode
inad.json
for the required level of TLS functionality. See LDAP Connection Mode. -
To configure a truststore for the validation of LDAP TLS certificates, update
Example Truststore Configurationdremio.conf
withjavax.net.ssl
settings for the trustStore and trustStorePassword.javax.net.ssl {
trustStore: "<path/to/truststore/jks/file>",
trustStorePassword: "trustStorePassword"
}
-
-
Copy the modified
dremio.conf
andad.json
files to every coordinator node in the Dremio cluster. The location of thead.json
file is relative to the/conf
directory. The path to the file can be absolute; the file can live anywhere in the system.
LDAP Properties
The ad.json
file is a JSON-formatted config file that defines how Dremio connects to and communicates with your LDAP/AD server, including how it finds users, groups, and handles secure authentication.
{
"connectionMode": "PLAIN",
"servers": [
{
"hostname": "ldap.example.com",
"port": 389
}
],
"names": {
"bindDN": "CN=admin,DC=drem,DC=io",
"bindMethod": "UNAUTHENTICATED",
"bindPassword": "admin",
"baseDN": "dc=drem,dc=io",
"userFilter": "&(objectClass=posixAccount)",
"userAttributes": {
"baseDNs": [
"OU=Users,OU=ldaptest,DC=drem,DC=io",
],
"id": "uid",
"firstname": "givenName",
"lastname": "sn",
"email": "mail"
},
"userGroupRelationship": "GROUP_ENTRY_LISTS_USERS",
"groupEntryListsUsers": {
"userEntryUserIdAttribute": "uid",
"groupEntryUserIdAttribute": "memberUid"
},
"groupDNs": ["cn={0},OU=test,OU=ldaptest,DC=drem,DC=io",
"cn={0},OU=dev,OU=ldaptest,DC=drem,DC=io"],
"groupFilter": "|(objectClass=posixGroup)(objectClass=sub)",
"autoAdminFirstUser": false
}
}
LDAP Connection Mode
The connectionMode
property configures how Dremio establishes connections to the LDAP/Active Directory servers. The two main secure options — ANY_SSL and TRUSTED_SSL — both use SSL/TLS but differ in how SSL certificates are validated. The modes are:
PLAIN
: The connection between Dremio and the LDAP server is unencrypted. Dremio connects over port 389 by default, the standard LDAP port for unencrypted communication. This mode is appropriate for internal networks and isolated or trusted environments.ANY_SSL
: Encrypts the connection using SSL/TLS. This mode does not validate the LDAP server's SSL certificate, so it is useful for testing or internal environments where strict certificate checks are not required.TRUSTED_SSL
: This mode encrypts the connection using SSL/TLS and validates the LDAP server’s SSL certificate against the Java truststore. This mode requires additional configuration indremio.conf
with the location of the trust store and its password.
LDAP Server Configuration
The servers
section of an ad.json
file defines the LDAP servers that Dremio can use for authentication and directory lookups. Each server accepts the following properties:
hostname
: The Fully Qualified Domain Name or IP address of the LDAP server.port
: The port where the LDAP server accepts connections. Port 389 is the default LDAP when theconnectionMode
isPLAIN
; port 636 is the default port when using SSL/TLS.
LDAP User and Groups
The names
section maps LDAP attributes to Dremio’s internal user and group fields. LDAP names
are defined using the following properties:
Property | Required | Description |
---|---|---|
autoAdminFirstUser | No | The first valid LDAP user to log in to Dremio is given the Admin role by default. This behavior, defined by autoAdminFirstUser: true , is included in the ad.json file. Alternatively, you can specify a list of users and/or groups to be given the Admin role during initial login; it is used for bootstrapping only. See Admin Users for additional configuration information. |
baseDN | Yes | A base distinguished name is the search's root path. If userAttributes.baseDNs or groupAttributes.baseDNs are specified, they override baseDN for search purposes. |
bindDN | No | A bind distinguished name is a client's username to authenticate (bind) to the LDAP directory server. This property is not required when using a bindMethod of ANONYMOUS . In particular, CN=admin,DC=drem,DC=io must not be used. |
bindMethod | No | The authentication method:
|
bindPassword | No | Password credential for the user who connects from the Dremio LDAP client to the LDAP server. bindPassword can be encrypted using the dremio-admin encrypt CLI command. This property must not be present if you are using ANONYMOUS or UNAUTHENTICATED for bindMethod mode. See Bind Password Options for additional configuration information. |
email | No | Attribute for the email address. |
firstname | No | Attribute for the first name. |
groupAttributes | No | A mapping of LDAP group attributes to Dremio group attributes. The baseDN , searchScope , and id properties are used. |
groupDNs | No | A group distinguished name refers to the full path of a specific group object used for organizing users. |
groupFilter | Yes | LDAP filter for groups. |
groupMembership | No | Value returned by the Dremio memberOf() function. This attribute specifies the groups containing a user or a group. |
groupRecursive | No | Attribute of a user or a group that lists transitive group membership. |
id | No | If used with the userAttributes property, id is the attribute for the login name, defaulting to sAMAccountName . If used with the groupAttributes property, id is the attribute for the group name, defaulting to CN . |
lastname | No | Attribute for the last name. |
searchScope | No | Scope of user searches:
|
userAttributes | No | A mapping of LDAP user attributes to Dremio user attributes. This property should include firstname , lastname , and email . |
userDNs | No | A user distinguished name is the unique path that identifies a specific user object. |
userFilter | Yes | LDAP filter for validating users. Only users who fit the specific criteria are allowed to authenticate. |
userGroupRelationship | No | Determines whether you are implementing lists based on users or groups.
|
Defining Users
Using User Distinguished Names
This approach specifies a list of templates for userDN
. The placeholder {0}
is replaced with the username entered by the user, and that Distinguished Name (DN) is used during LDAP bind. In the specified order, Dremio attempts to bind to the provided userDN
. In the DN-based approach, the baseDN
, searchScope
, and id
properties cannot be specified under userAttributes
.
"userDNs": ["cn={0},dc=staticsecurity,dc=dremio,dc=com"],
"userAttributes": {
"firstname": "givenName",
"lastname": "sn",
"email": "mail"
}
Using User Attributes
In this approach, you map LDAP user attributes to Dremio user attributes. The userDN
field must not be specified in the attribute-based approach. Do not change the value of id
in the ad.conf
file after you start Dremio. Changing the value can result in the loss of user privileges.
"userAttributes": {
"baseDNs": [
"OU=test,OU=ad,DC=drem,DC=io"
],
"searchScope": "SUB_TREE",
"id": "sAMAccountName",
"firstname": "givenName",
"lastname": "sn",
"email": "mail"
}
Using userFilter
The following example uses the userFilter
property to limit access to engineering group members.
"userFilter": "&(objectClass=user)(memberOf=cn=engineering,OU=Groups,OU=ad,DC=drem,DC=io)",
Defining Groups
Using Group Distinguished Names
This approach specifies a list of templates for group Distinguished Names (DNs). The placeholder {0}
is replaced with the group name entered by the user. Dremio attempts to search for the given groupDNs
in the specified order. The groupAttributes
property must not be specified in the DN-based approach.
"groupDNs": ["cn={0},OU=engg,OU=test,OU=ad,DC=drem,DC=io"]
Using Group Attributes
In this method, use the groupAttributes
property to specify a list of baseDNs
and group name IDs. These properties map LDAP group attributes to Dremio group attributes. The baseDNs
, searchScope
, and id
properties are required. The groupDNs
field must not be specified in the attribute-based approach.
"groupAttributes": {
"baseDNs": ["dc=roles,dc=dremio,dc=com"],
"searchScope": "SUB_TREE",
"id": "CN"
}
Defining User-Group Relationships
The relationship between users and groups can be defined with one of the following methods:
- Group memberships
- Group lists
Group Membership Method
The group membership method implements user entries in LDAP that list the groups to which the user belongs. The user entries in LDAP are configured to list their group membership via the internal field memberOf
.
For example,
- Dan is part of the BI group
- The BI group is part of the engineering group,
groupMembership
property will contain only the BI group, but thegroupRecursive
property will contain the engineering group.
"groupMembership": "memberOf",
"groupRecursive": "transitive-memberOf",
To establish this user-group relationship:
- Specify
groupMembership
property. - Specify (if applicable) the
groupRecursive
property.
If you include the groupRecursive
key, ensure the value is the correct property for recursive lookups for your LDAP implementation. If you do not specify the proper property, Dremio skips recursive lookup and finds only the group membership. If you omit the groupRecursive
key-value pair from your configuration, Dremio defaults to recursive lookup.
You can also specify the "userGroupRelationship": "USER_ENTRY_LISTS_GROUPS"
property-value. However, this property is optional since it is the default.
{
"connectionMode": "PLAIN",
"servers": [
{
"hostname": "<LDAP_HOST>",
"port": 389
}
],
"names": {
"bindDN": "CN=Admin,OU=Users,OU=ad,DC=drem,DC=io",
"bindPassword": "password",
"baseDN": "dc=dremio,dc=io",
"userFilter": "&(objectClass=user)(|(memberOf=CN=QA,OU=temps,OU=test,OU=ad,DC=drem,DC=io)(memberOf=CN=qa,OU=engg,OU=test,OU=ad,DC=drem,DC=io))",
"userAttributes": {
"baseDNs": [
"OU=test,OU=ad,DC=drem,DC=io"
],
"searchScope": "SUB_TREE",
"id": "sAMAccountName",
"firstname": "givenName",
"lastname": "sn",
"email": "mail"
},
"groupMembership": "memberOf",
"groupRecursive": "transitive-memberOf",
"groupDNs": ["cn={0},OU=engg,OU=test,OU=ad,DC=drem,DC=io"],
"groupFilter": "(objectClass=group)",
"autoAdminFirstUser": true
}
}
Group List Method
The group list method implements user-group relationships where the group entry lists the users that belong to that group.
For example,
uid
is the ID attribute used for the user entry, andmemberUid
is the ID attribute used for the group entry.- Dan's ID is 1234, represented by the attribute
uid
in Dan's LDAP records. - Dan is part of the BI group
- The LDAP entry for group BI lists
memberUid = 1234
, indicating that Dan is a valid group member.
"userGroupRelationship": "GROUP_ENTRY_LISTS_USERS",
"groupEntryListsUsers": {
"userEntryUserIdAttribute": "uid",
"groupEntryUserIdAttribute": "memberUid"
}
To establish user-group relationships in ad.json
using the group list method:
- Set
userGroupRelationship
toGROUP_ENTRY_LISTS_USERS
. - Specify the
groupEntryListsUsers
property and its sub-properties,userEntryUserIdAttribute
andgroupEntryUserIdAttribute
.
{
"connectionMode": "PLAIN",
"servers": [
{
"hostname": "host_ip",
"port": 389
}
],
"names": {
"bindDN": "CN=admin,DC=drem,DC=io",
"bindMethod": "UNAUTHENTICATED",
"bindPassword": "admin",
"baseDN": "dc=drem,dc=io",
"userFilter": "&(objectClass=posixAccount)",
"userAttributes": {
"baseDNs": [
"OU=Users,OU=ldaptest,DC=drem,DC=io",
],
"id": "uid",
"firstname": "givenName",
"lastname": "sn",
"email": "mail"
},
"userGroupRelationship": "GROUP_ENTRY_LISTS_USERS",
"groupEntryListsUsers": {
"userEntryUserIdAttribute": "uid",
"groupEntryUserIdAttribute": "memberUid"
},
"groupDNs": ["cn={0},OU=test,OU=ldaptest,DC=drem,DC=io",
"cn={0},OU=dev,OU=ldaptest,DC=drem,DC=io"],
"groupFilter": "|(objectClass=posixGroup)(objectClass=sub)",
"autoAdminFirstUser": false
}
}
Bind Password Options
Dremio offers several options for managing the bind password.
Encryption
For customers with stringent security standards and requirements, password encryption provides a secure method for communicating key information with the LDAP service. Encryption is accomplished using the CLI command dremio-admin encrypt
.
To encrypt the bind password, follow these steps:
-
Run
LDAP secret Encryptiondremio-admin encrypt
as thedremio
service user.sudo su - dremio bin/dremio-admin encrypt <yourSecret>
If running the command as the
dremio
user is impossible, change the owner and group of the$DREMIO_HOME/data/security
folder and underlying files to thedremio
service user.Dremio outputs:
Example LDAP Encryption Outputsecret:1.FxLevnDdoHx58x7VZmBpNExUiM76_u7XAXo1SJ8mCJxzeC1SirK2Jm5aBRR-h2_r8iypOAcRYSzH4uyP33Vg6Fh94bV6evuQ.wENZ7fgdJBw92wy4DiPhpJRzNP07wBaVpspv8KygjMfYV2en3YPFZw==
-
Copy the entire output to
bindPassword
inad.json
. -
Copy the modified
ad.json
file to every coordinator node in the Dremio cluster.
Other Bind Password Options
Other options are available for bindPassword
:
-
env
: thebindPassword
is set toenv:ldap
with the environment variable set by the commandexport ldap <secret>
where<secret>
is the output. -
file
: thebindPassword
is set tofile:///tmp/test.file
where the file specified contains the output secret. -
data
: The secret is in base64 format. The bindPassword is then set todata:text/plain;base64,SGVsbG8sIFdvcmxkIQ==
.
Options env
and file
apply to the local node. If you use a multi-coordinator configuration, you must do this for each coordinator node. However, this method contains the raw secret in the env
scheme and file. Only secret
uses an encrypted secret.
Admin Users
To specify users/groups as administrators up-front, during initial login:
-
In the
Set autoAdminFirstUser to falsead.json
file, setautoAdminFirstUser
to false."autoAdminFirstUser": false
-
Create a file called
bootstrap-admin-users.json
under the Dremio configuration directory. -
In
Example settings for users and groups propertiesbootstrap-admin-users.json
, add theusers
andgroups
arrays and specify the names of the users and groups that should belong to theADMIN
role. Use the Common Name (CN) for each user and group you list in the arrays.{
users: ["joe", "bob"],
groups: ["marketers", "sales wizards"]
}When you set
autoAdminFirstUser
tofalse
, then you must specify users/groups in abootstrap-admin-users.json
file. Otherwise, an administrator won't be specified. The users/groups specified in thebootstrap-admin-users.json
file are used only during initial login and whenautoAdminFirstUser
is set tofalse
. To add other users or groups to theAdmin
role after the initial login, use the Dremio console.