Using LDAP

[info] Enterprise Edition only

To establish LDAP authentication, do the following prior to deploying the Dremio cluster:

  1. Configure Dremio to use LDAP authentication (via the dremio.conf file).
  2. Configure LDAP (via the ad.json file).

Once the cluster is configured and deployed in LDAP mode,

  • Dremio uses the users and groups defined in LDAP. Administrators cannot create additional users within Dremio.
  • The first user to log in with valid LDAP credentials is marked as the Administrator. At that point, other groups/users can be assigned as administrators.

[info] Important

The LDAP configuration in the dremio.conf and ad.json files must exist and match on all coordinator nodes.

Configuring Dremio for LDAP

[warning] Warning

Dremio does not allow switching between authentication modes: LDAP vs Dremio authentication. If you are switching from Dremio authentication to LDAP authentication (or vice versa), you must reinstall Dremio (which results in losing all VDSs, reflections, etc.) and establish your chosen authentication method.

To configure Dremio for LDAP, edit the dremio.conf file, and add the following properties:

services: {
  coordinator.enabled: true,
  coordinator.web.auth.type: "ldap",
  coordinator.web.auth.ldap_config: "ad.json"
}

Configuring LDAP

To configure LDAP, edit the ad.json file and add your properties.

This file is located under the Dremio configuration directory (the same directory as dremio.conf) and is referenced from dremio.conf through the coordinator.web.auth.ldap_config property.

Required Properties

  • bindMethod -- Authentication method: UNAUTHENTICATED, ANONYMOUS, or SIMPLE_BIND. Default: SIMPLE_BIND (used when this property is not specified).
    • SIMPLE_BIND -- Connect and authenticate to LDAP server using bindDN and bindPassword.
    • ANONYMOUS -- Connect anonymously to the LDAP server. Note: When authenticating to Dremio, empty passwords for users are not allowed.
    • UNAUTHENTICATED -- Connect to LDAP server using an unauthenticated bind. bindDN is required.
  • bindDN -- Credentials for the user who connects from the Dremio LDAP client to the LDAP server.
    For example: "CN=admin,DC=drem,DC=io". If you are using ANONYMOUS mode, this property must not be present.
  • bindPassword -- Password credential for the user who connects from the Dremio LDAP client to the LDAP server. If you are using UNAUTHENTICATED or ANONYMOUS mode, this property must not be present.
  • baseDN -- The root path for all searches. If userAttributes.baseDNs or groupAttributes.baseDNs are specified, they override baseDN for search purposes.
  • userFilter -- LDAP filter for validating users. Only users who fit the criteria set here will be allowed to authenticate.
  • groupFilter -- LDAP filter for groups.
  • groupMembership -- Attribute of a user or a group that tells what groups they belong to.
  • groupRecursive -- Attribute of a user or a group that lists transitive group membership.
    For example, if Dan is a member of the BI group and the BI group is a member of the engineering group, the groupMembership attribute contains only BI, while the groupRecursive attribute also contains engineering.

User Attribute-based Properties

Specify a list of baseDNs and the id property (the login attribute name, e.g. sAMAccountName) in the ad.json file.

[info] These attribute-based properties are recommended.

A mapping of LDAP user attributes to Dremio user attributes should include baseDNs, searchScope, id, firstname, lastname, and email.

  • baseDNs -- All the baseDNs Dremio will search for users under.
  • id -- Attribute for the login name. Defaults to sAMAccountName.
  • searchScope -- Scope of user searches:
    • SUB_TREE -- Searches subtrees below the specified baseDNs (default).
    • ONE -- Searches immediate children below the specified baseDNs.
    • BASE -- Match the exact entry.
  • firstname -- Attribute for first name.
  • lastname -- Attribute for last name.
  • email -- Attribute for email address.

[info] In the attribute-based approach, userDNs field must not be specified.

Example: userAttributes

"userAttributes": {
    "baseDNs": [
        "OU=test,OU=ad,DC=drem,DC=io"
    ],
    "searchScope": "SUB_TREE",
    "id": "sAMAccountName",
    "firstname": "givenName",
    "lastname": "sn",
    "email": "mail"
}

User DN-based Properties

To specify a list of templates for user DNs, use the following properties:

  • userDNs -- List of templates for user DNs.
  • userAttributes -- A mapping of LDAP user attributes to Dremio user attributes. This should include firstname, lastname and email:
    • firstname -- Attribute for first name.
    • lastname -- Attribute for last name.
    • email -- Attribute for email address.

[info] In the DN-based approach, the baseDNs, searchScope, id properties cannot be specified under userAttributes.

Example: userDNs

In the following example, the placeholder {0} is replaced with the username entered by the user, and the resulting DN is used during the LDAP bind. Dremio attempts binding to the provided userDNs in the order they are specified.

"userDNs": ["cn={0},dc=staticsecurity,dc=dremio,dc=com"],
"userAttributes": {
    "firstname": "givenName",
    "lastname": "sn",
    "email": "mail"
}

To specify a list of templates for group DNs, add the following properties:

  • groupDNs -- List of templates for group DNs.

[info] In the DN-based approach, the groupAttributes property must not be specified.

Example: groupDNs

"groupDNs": ["cn={0},OU=engg,OU=test,OU=ad,DC=drem,DC=io"]

The placeholder {0} is replaced with the group name entered by the user. Dremio attempts searching given groupDNs in the order they are specified.
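How the {0} placeholder behaves, as an added example that is not part of the original page or of Dremio's code: a small Python model that expands userDNs / groupDNs templates in configured order, escapes the substituted value per RFC 4514 (an assumption about what a safe implementation does, not a description of how Dremio performs the substitution), and walks the candidate DNs with a constructed toy bind function. The toy server deliberately behaves like servers that treat a bind with a known DN and an empty password as an unauthenticated bind, which is the reason the note above that empty passwords are not allowed matters: the empty-password check has to happen before the first bind request leaves the client.

```python
"""Added example, not Dremio's own code: models {0} template expansion for
userDNs / groupDNs and the ordered bind attempts the page describes."""
from __future__ import annotations

# RFC 4514: these must be escaped anywhere in an attribute value; '#' only at the
# start and a space only at the start or end. Escaping the substituted value is an
# assumption about a safe implementation, not a statement about Dremio internals.
_ALWAYS_ESCAPE = set('",+;<>\\')


def escape_dn_value(value: str) -> str:
    """Escape a user-supplied value so it cannot add or alter RDNs in the template."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in _ALWAYS_ESCAPE or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def expand_templates(templates: list[str], name: str) -> list[str]:
    """Replace {0} in every template, preserving the configured order."""
    safe = escape_dn_value(name)
    return [t.replace("{0}", safe) for t in templates]


# Constructed directory (DN -> password) standing in for the LDAP server.
CONSTRUCTED_DIRECTORY = {
    "cn=dan,ou=people,dc=example,dc=com": "s3cret",
    "cn=dan,ou=contractors,dc=example,dc=com": "other-pass",
}

# Constructed userDNs list, in the order Dremio would try them.
USER_DN_TEMPLATES = [
    "cn={0},ou=people,dc=example,dc=com",
    "cn={0},ou=contractors,dc=example,dc=com",
]


def simulate_bind(dn: str, password: str) -> bool:
    """Toy simple bind. Like many real servers (RFC 4513, section 5.1.2), a known
    DN with an empty password is treated as an *unauthenticated* bind and
    succeeds without any credential being checked."""
    if dn not in CONSTRUCTED_DIRECTORY:
        return False
    if password == "":
        return True  # unauthenticated bind: nothing was verified
    return CONSTRUCTED_DIRECTORY[dn] == password


def authenticate(templates: list[str], username: str, password: str) -> str | None:
    """Try each expanded DN in order; return the first that binds, else None.

    The empty-password check must happen here, before the first bind request:
    forwarding it would let the unauthenticated-bind behaviour above log a
    user in with no password at all."""
    if password == "":
        return None
    for dn in expand_templates(templates, username):
        if simulate_bind(dn, password):
            return dn
    return None


if __name__ == "__main__":
    print(expand_templates(USER_DN_TEMPLATES, "dan"))
    print(authenticate(USER_DN_TEMPLATES, "dan", "other-pass"))
    print(authenticate(USER_DN_TEMPLATES, "dan", ""))  # None: never reaches the server
```

The second template only gets a bind attempt when the first candidate DN fails, which is the ordering the page describes for both userDNs and groupDNs.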

Group Attribute-based Properties

To use group attributes, specify a list of baseDNs and group name IDs.

These properties map LDAP group attributes to Dremio group attributes. The baseDNs, searchScope, id properties should be included.

  • baseDNs -- All the baseDNs under which Dremio searches for groups.
  • id -- Attribute for group names. Default: CN.
  • searchScope -- Scope of group searches:
    • SUB_TREE -- Searches subtrees below the specified baseDNs (default).
    • ONE -- Searches immediate children below the specified baseDNs.
    • BASE -- Match the exact entry.

[info] In the attribute-based approach, groupDNs field must not be specified.

Example: groupAttributes

"groupAttributes" : {
    "baseDNs": ["dc=roles,dc=dremio,dc=com"],
    "searchScope": "SUB_TREE",
    "id": "CN"
}

Limiting Access

Access can be limited by setting the userFilter property.

Example: Limiting access

The following example limits access to members of the engineering group.

userFilter: "&(objectClass=user)(memberOf=cn=engineering,OU=Groups,OU=ad,DC=ad,DC=drem,DC=io)",

Securing the Connection

To secure the LDAP connection, specify one of the following connection modes in the LDAP configuration file under connectionMode:

  • PLAIN -- Dremio uses an unencrypted connection.
  • ANY_SSL -- Dremio's LDAP client trusts any certificate presented by the LDAP server.
  • TRUSTED_SSL -- Dremio's LDAP client will trust certificates signed by a Certificate Authority;
    no extra configuration is required. If the LDAP server has a self-signed certificate, a trustStore with the public certificate needs to be passed in as a JVM argument.

Example: PLAIN mode

"connectionMode": "PLAIN",

Example: TRUSTED_SSL mode

// ad.json entry for TRUSTED_SSL mode
"connectionMode": "TRUSTED_SSL",


// dremio.conf entry for TRUSTED_SSL mode with a self-signed certificate
javax.net.ssl {
    trustStore: "<path/to/truststore/jks/file>",
    trustStorePassword: "trustStorePassword"
}

Sample Microsoft AD Configuration

{
    "connectionMode": "PLAIN",
    "servers": [
        {
            "hostname": "<LDAP_HOST>",
            "port": 389
        }
    ],
    "names": {
        "bindDN": "CN=Admin,OU=Users,OU=ad,DC=drem,DC=io",
        "bindPassword": "password",
        "baseDN": "dc=dremio,dc=io",
        "userFilter": "&(objectClass=user)(|(memberOf=CN=QA,OU=temps,OU=test,OU=ad,DC=drem,DC=io)(memberOf=CN=qa,OU=engg,OU=test,OU=ad,DC=drem,DC=io))",
        "userAttributes": {
            "baseDNs": [
                "OU=test,OU=ad,DC=drem,DC=io"
            ],
            "searchScope": "SUB_TREE",
            "id": "sAMAccountName",
            "firstname": "givenName",
            "lastname": "sn",
            "email": "mail"
        },
        "groupMembership": "memberOf",
        "groupRecursive": "transitive-memberOf",
        "groupDNs": ["cn={0},OU=engg,OU=test,OU=ad,DC=drem,DC=io"],
        "groupFilter": "(objectClass=group)",
        "autoAdminFirstUser": true
    }
}

Granting Admin Privileges at Configuration Time

By default, the first valid LDAP user to log in to Dremio is given the Admin role. This is done via the autoAdminFirstUser : true property in the ad.json file. The assignment of the first valid user to Admin occurs during initial login.

Alternatively, you can specify a list of users and/or groups to be given the Admin role. This is valid only during initial login; it is used for bootstrapping only.

[warning] Warning

When you set autoAdminFirstUser to false, you must specify users/groups in a bootstrap-admin-users.json file. Otherwise, no administrator will be designated.

To specify users/groups as administrators up-front, during initial login:

  1. In the ad.json file, set autoAdminFirstUser to false.

     autoAdminFirstUser : false
    
  2. Create a file called bootstrap-admin-users.json under the Dremio configuration directory and add users and groups property information.

For example:

    {
        "users": ["joe", "bob"],
        "groups": ["marketers", "sales wizards"]
    }

[info] Note: The users/groups specified in the bootstrap-admin-users.json file are used only during initial login and only when autoAdminFirstUser is set to false.

To add other Users/Groups to the Admin role after the initial login, use the Dremio UI.
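A pre-deployment check for the rules this page states, as an added example (not Dremio's own code or tooling): a Python lint over ad.json and bootstrap-admin-users.json that enforces the bind-method/credential pairing, the required properties, the exclusivity of attribute-based and DN-based user and group lookup, the connectionMode choice, and the bootstrap-admin requirement. It assumes the Required Properties sit inside the "names" object as in the sample Microsoft AD configuration above, and that an omitted bindMethod, searchScope or autoAdminFirstUser takes the default the page gives (SIMPLE_BIND, SUB_TREE, true). Run against the page's sample it reports only a warning about PLAIN; the second configuration is constructed to trip several rules at once.

```python
"""Added example, not Dremio's own code: lint ad.json (plus the optional
bootstrap-admin-users.json) against the rules stated on this page."""
from __future__ import annotations

import json
from pathlib import Path

CONNECTION_MODES = {"PLAIN", "ANY_SSL", "TRUSTED_SSL"}
BIND_METHODS = {"SIMPLE_BIND", "ANONYMOUS", "UNAUTHENTICATED"}
SEARCH_SCOPES = {"SUB_TREE", "ONE", "BASE"}
REQUIRED = ("baseDN", "userFilter", "groupFilter", "groupMembership", "groupRecursive")


def lint_ldap_config(ad: dict, bootstrap: dict | None = None) -> list[str]:
    """Return findings as 'ERROR: ...' / 'WARN: ...' strings; an empty list is clean."""
    out: list[str] = []
    names = ad.get("names", {})  # assumption: required properties live under "names"

    # Bind credentials must match the bind method (Required Properties).
    method = names.get("bindMethod", "SIMPLE_BIND")
    if method not in BIND_METHODS:
        out.append(f"ERROR: unknown bindMethod {method!r}")
    elif method == "SIMPLE_BIND":
        out += [f"ERROR: SIMPLE_BIND requires {k}" for k in ("bindDN", "bindPassword") if not names.get(k)]
    elif method == "UNAUTHENTICATED":
        if not names.get("bindDN"):
            out.append("ERROR: UNAUTHENTICATED requires bindDN")
        if "bindPassword" in names:
            out.append("ERROR: bindPassword must not be present in UNAUTHENTICATED mode")
    else:  # ANONYMOUS
        out += [f"ERROR: {k} must not be present in ANONYMOUS mode" for k in ("bindDN", "bindPassword") if k in names]

    out += [f"ERROR: required property {k} is missing" for k in REQUIRED if k not in names]

    # Users: attribute-based and DN-based lookup are mutually exclusive.
    ua = names.get("userAttributes", {})
    if "userDNs" in names:
        out += [f"ERROR: userAttributes.{k} cannot be set together with userDNs" for k in ("baseDNs", "searchScope", "id") if k in ua]
    elif not ua.get("baseDNs"):
        out.append("ERROR: attribute-based user lookup needs userAttributes.baseDNs")
    out += [f"WARN: userAttributes.{k} is not mapped" for k in ("firstname", "lastname", "email") if k not in ua]

    # Groups: the same exclusivity rule applies.
    ga = names.get("groupAttributes")
    if "groupDNs" in names and ga is not None:
        out.append("ERROR: groupDNs and groupAttributes are mutually exclusive")
    for label, attrs in (("userAttributes", ua), ("groupAttributes", ga or {})):
        scope = attrs.get("searchScope", "SUB_TREE")
        if scope not in SEARCH_SCOPES:
            out.append(f"ERROR: {label}.searchScope {scope!r} is not one of {sorted(SEARCH_SCOPES)}")

    # Transport: PLAIN exposes bindPassword and every user password on the wire;
    # ANY_SSL encrypts but never checks who is on the other end.
    mode = ad.get("connectionMode")
    if mode not in CONNECTION_MODES:
        out.append(f"ERROR: connectionMode {mode!r} is not one of {sorted(CONNECTION_MODES)}")
    elif mode == "PLAIN":
        out.append("WARN: connectionMode PLAIN sends bind and user passwords unencrypted; prefer TRUSTED_SSL")
    elif mode == "ANY_SSL":
        out.append("WARN: connectionMode ANY_SSL skips server certificate validation; prefer TRUSTED_SSL")

    # Bootstrapping admins: with autoAdminFirstUser false, someone must be named.
    if names.get("autoAdminFirstUser", True) is False:
        if not bootstrap or not (bootstrap.get("users") or bootstrap.get("groups")):
            out.append("ERROR: autoAdminFirstUser is false but bootstrap-admin-users.json names no users or groups")
    return out


def lint_files(ad_path: str, bootstrap_path: str | None = None) -> list[str]:
    """Load the files from the Dremio configuration directory and lint them."""
    ad = json.loads(Path(ad_path).read_text())
    boot = None
    if bootstrap_path and Path(bootstrap_path).exists():
        boot = json.loads(Path(bootstrap_path).read_text())
    return lint_ldap_config(ad, boot)


# The page's sample Microsoft AD configuration, as a Python dict.
SAMPLE_AD_JSON = {
    "connectionMode": "PLAIN",
    "servers": [{"hostname": "<LDAP_HOST>", "port": 389}],
    "names": {
        "bindDN": "CN=Admin,OU=Users,OU=ad,DC=drem,DC=io",
        "bindPassword": "password",
        "baseDN": "dc=dremio,dc=io",
        "userFilter": "&(objectClass=user)(|(memberOf=CN=QA,OU=temps,OU=test,OU=ad,DC=drem,DC=io)(memberOf=CN=qa,OU=engg,OU=test,OU=ad,DC=drem,DC=io))",
        "userAttributes": {"baseDNs": ["OU=test,OU=ad,DC=drem,DC=io"], "searchScope": "SUB_TREE",
                           "id": "sAMAccountName", "firstname": "givenName", "lastname": "sn", "email": "mail"},
        "groupMembership": "memberOf",
        "groupRecursive": "transitive-memberOf",
        "groupDNs": ["cn={0},OU=engg,OU=test,OU=ad,DC=drem,DC=io"],
        "groupFilter": "(objectClass=group)",
        "autoAdminFirstUser": True,
    },
}

# Constructed configuration that violates several rules at once.
WEAK_CONFIG = {
    "connectionMode": "ANY_SSL",
    "servers": [{"hostname": "ldap.example.internal", "port": 389}],
    "names": {
        "bindMethod": "ANONYMOUS",
        "bindDN": "CN=svc,DC=example,DC=internal",  # not allowed with ANONYMOUS
        "baseDN": "dc=example,dc=internal",
        "userFilter": "(objectClass=user)",
        "groupFilter": "(objectClass=group)",
        "groupMembership": "memberOf",
        "groupRecursive": "transitive-memberOf",
        "userDNs": ["cn={0},ou=people,dc=example,dc=internal"],
        "userAttributes": {"id": "uid", "firstname": "givenName", "lastname": "sn", "email": "mail"},
        "groupDNs": ["cn={0},ou=groups,dc=example,dc=internal"],
        "groupAttributes": {"baseDNs": ["ou=groups,dc=example,dc=internal"], "id": "CN"},
        "autoAdminFirstUser": False,  # and no bootstrap-admin-users.json supplied
    },
}

if __name__ == "__main__":
    for finding in lint_ldap_config(SAMPLE_AD_JSON) + lint_ldap_config(WEAK_CONFIG):
        print(finding)
```

Because the LDAP configuration must match on every coordinator node, running lint_files against each node's ad.json and comparing the outputs is a cheap way to catch drift before the cluster is deployed.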
