Re: [druid-user] LDAP || Issue

Hi Hassain,

Can you check if there are any errors in the coordinator log?

Does the druid_admin user exist in LDAP?

  1. Do all the LDAP users have to be added using the below curl commands?
     /druid-ext/basic-security/authentication/db/ldap/users/{AD user}
     /druid-ext/basic-security/authorization/db/ldapauth/users/{AD USER}

     Yes. Alternatively you can create a group in LDAP and provide access to the group.

  2. How to control access to specific tables while accessing through Druid SQL?

     Yes, you can do this. Ref: https://druid.apache.org/docs/latest/development/extensions-core/druid-basic-security.html#coordinator-security-api
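As an added example (not code from this thread or from the Druid project), the sequence of Coordinator security API calls that realises the group-based, table-level access described above: create a role, grant it READ on one datasource, and map an LDAP group to that role so no per-user curl is needed. The coordinator address, admin credentials, role, datasource and group DN are assumptions; the endpoint paths follow the coordinator-security API page linked above and should be checked against the Druid version in use.

```python
"""Added example: table-level, group-based access via the Druid Coordinator security API.

Not code from this thread or from the Druid project. The coordinator address, admin
credentials, role, datasource and LDAP group below are assumptions; the endpoint paths
follow the linked coordinator-security API page and should be checked against your version.
"""
import base64
import json
from urllib.parse import quote
from urllib.request import Request, urlopen

COORDINATOR = "http://coordinator.example.internal:8081"   # assumed address
AUTHORIZER = "ldapauth"                                    # authorizer name used in this thread
ADMIN_USER, ADMIN_PASSWORD = "xyz", "123"                  # initialAdminUser placeholders from the thread


def plan_read_only_access(role: str, datasource: str, ldap_group_dn: str):
    """Return the ordered (method, path, json_body) calls that give one role SELECT on one table.

    Druid treats resource.name as a regex pattern, so a plain datasource name matches only
    itself as long as it contains no regex metacharacters.
    """
    base = f"/druid-ext/basic-security/authorization/db/{AUTHORIZER}"
    return [
        # 1. a role that will hold the permissions
        ("POST", f"{base}/roles/{quote(role)}", None),
        # 2. READ on exactly one datasource; Druid SQL SELECTs on other tables are refused
        ("POST", f"{base}/roles/{quote(role)}/permissions",
         [{"resource": {"type": "DATASOURCE", "name": datasource}, "action": "READ"}]),
        # 3. every LDAP user whose group matches this pattern gets the role
        ("POST", f"{base}/groupMappings/{quote(role + '-mapping')}",
         {"groupPattern": ldap_group_dn, "roles": [role]}),
    ]


def build_request(method: str, path: str, body) -> Request:
    """Wrap one planned call in a urllib Request authenticated as the admin user."""
    data = None if body is None else json.dumps(body).encode()
    req = Request(COORDINATOR + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{ADMIN_USER}:{ADMIN_PASSWORD}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    return req


def apply_plan(plan, send=urlopen):
    """Send the calls in order; `send` is swappable so the sequence can be inspected offline."""
    return [send(build_request(method, path, body)) for method, path, body in plan]


if __name__ == "__main__":
    for method, path, body in plan_read_only_access(
            "analyst", "wikipedia", "cn=analysts,ou=groups,dc=example,dc=com"):
        print(method, path, json.dumps(body) if body is not None else "")
```

The calls go to the Coordinator, which pushes the resulting authorization map to the other processes; the order matters, since the permissions call fails if the role does not exist yet.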

Hi,

I am also struggling with the same issue. Do you know what the values should be for

druid.auth.authenticator.ldap.credentialsValidator.bindUser=
druid.auth.authenticator.ldap.credentialsValidator.bindPassword=

Hi Rakesh,

The bind user is the user that will authenticate against LDAP. This admin user and their password are something the LDAP administrator should be able to provide, not something set anywhere on the Druid side. Hopefully that helps!

Thanks,
Max

Hi Max,

Thanks a lot for the explanation. It helps a lot.
Follow up question
The two properties below are used to set up credentials for internal communication between the different processes, right? (like coordinator, historical, etc.)

druid.escalator.internalClientUsername=
druid.escalator.internalClientPassword=

Does Druid create these credentials when given and maintain them for further communication between the services?

Hi Rakesh,

The escalator is an LDAP user that will be used for internal Druid communications. The Druid docs walk you through it here: https://druid.apache.org/docs/latest/operations/auth-ldap.html#configure-druid-user-authentication-with-ldapactive-directory

Essentially, it is another user created in LDAP with credentials provided to Druid.

Thanks,
Max

Hi Max,

So I can use the same credentials for testing, right? Unless it exists in LDAP.
Also, maybe a naive question, but for bindUser and bindPassword, is there any pattern used to bind the user and password, as this value will be dynamic depending on who is trying to authenticate? Something like

bindUser=${USER}
bindPassword=${PASSWORD}

Hi Rakesh,

I believe you should be able to use the same credentials for testing.

The bind user is not whatever user is logging in to druid. It is a special user for LDAP that is used to get access to LDAP in the first place. Then that access is used to actually authenticate the Druid user with LDAP.

Hi Max,

Thanks for sharing all the information. I am getting the same error as mentioned in the first message in this thread.
error:

Thank you very much for the help. I was able to do it. Providing the configs below for reference with your explanations inline.

druid.auth.authenticatorChain=["ldap"]
druid.auth.authenticator.ldap.type=basic
# determines whether authenticator config changes are notified immediately or wait until polling
druid.auth.authenticator.ldap.enableCacheNotifications=false
druid.auth.authenticator.ldap.credentialsValidator.type=ldap
# your LDAP URL
druid.auth.authenticator.ldap.credentialsValidator.url=ldap***
# this is a special user for LDAP that is used to get access to LDAP in the first place.
# Then that access is used to actually authenticate the Druid user with LDAP. Please note
# that the value can be different according to the LDAP server URL and search pattern.
# In my case only providing the name was not working.
druid.auth.authenticator.ldap.credentialsValidator.bindUser=xyz
druid.auth.authenticator.ldap.credentialsValidator.bindPassword=123
druid.auth.authenticator.ldap.credentialsValidator.baseDn=cn=,dc=,dc=**
druid.auth.authenticator.ldap.credentialsValidator.userSearch=(uid=%s)
druid.auth.authenticator.ldap.credentialsValidator.userAttribute=cn
druid.auth.authenticator.ldap.authorizerName=ldapauth
druid.escalator.type=basic
# the escalator is an LDAP user that will be used for internal Druid communications.
# Essentially, it is another user created in LDAP with credentials provided to Druid.
# For initial testing we can have the bind and escalator credentials the same.
druid.escalator.internalClientUsername=xyz
druid.escalator.internalClientPassword=123
druid.escalator.authorizerName=ldapauth
druid.auth.authorizers=["ldapauth"]
druid.auth.authorizer.ldapauth.type=basic
druid.auth.authorizer.ldapauth.initialAdminUser=xyz
druid.auth.authorizer.ldapauth.initialAdminRole=admin
druid.auth.authorizer.ldapauth.roleProvider.type=ldap
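Max's explanation of the bind user (a fixed service account that gets access to the directory first, after which the Druid user is looked up and authenticated) and the credentialsValidator properties above map onto the search-then-bind flow below. This is an added example, not Druid's implementation and not from anyone in this thread: the directory is a constructed in-memory stand-in so it runs offline, and its DNs, attribute values and passwords are assumptions. It also exercises two things a practitioner checks before blaming Druid: a bare name as bindUser fails where the directory expects a DN (the "only providing the name was not working" point above), and the login name must be escaped before it is substituted into userSearch=(uid=%s), otherwise a name like * widens the search.

```python
"""Added example: the search-then-bind flow behind Druid's LDAP credentials validator settings.

Not Druid's code. FakeLdapServer and DIRECTORY are a constructed stand-in for a real
directory; every DN, attribute and password in them is assumed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample directory (DN -> attributes). Each entry has the uid that userSearch
# looks up, the cn that userAttribute=cn turns into the Druid identity, and a password.
DIRECTORY = {
    "cn=druid-svc,ou=services,dc=example,dc=com":
        {"uid": "druid-svc", "cn": "druid-svc", "userPassword": "svc-secret"},
    "cn=Rakesh Kumar,ou=people,dc=example,dc=com":
        {"uid": "rakesh", "cn": "Rakesh Kumar", "userPassword": "rakesh-pw"},
    "cn=Max,ou=people,dc=example,dc=com":
        {"uid": "max", "cn": "Max", "userPassword": "max-pw"},
}

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter(value: str) -> str:
    """RFC 4515 escaping for a value that is substituted into a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(segment: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), segment)


class FakeLdapServer:
    """Minimal stand-in: simple binds and single equality filters with '*' wildcards."""

    def __init__(self, entries):
        self.entries = entries

    def bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn)   # a bare name such as "xyz" is not a DN and finds nothing
        return entry is not None and entry["userPassword"] == password

    def search(self, base_dn: str, ldap_filter: str):
        m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
        if not m:
            raise ValueError(f"unsupported filter: {ldap_filter}")
        attr, raw = m.group(1), m.group(2)
        # An unescaped '*' is a wildcard; '\2a' decodes to a literal asterisk matched verbatim.
        pattern = ".*".join(re.escape(_unescape(seg)) for seg in raw.split("*"))
        return [(dn, attrs) for dn, attrs in self.entries.items()
                if dn.endswith(base_dn) and re.fullmatch(pattern, attrs.get(attr, ""))]


@dataclass
class LdapCredentialsValidator:
    server: FakeLdapServer
    bind_user: str                   # credentialsValidator.bindUser: a fixed service account, never ${USER}
    bind_password: str               # credentialsValidator.bindPassword
    base_dn: str                     # credentialsValidator.baseDn
    user_search: str = "(uid=%s)"    # credentialsValidator.userSearch
    user_attribute: str = "cn"       # credentialsValidator.userAttribute

    def validate(self, username: str, password: str):
        """Return the Druid identity for username/password, or None if the login is rejected."""
        # Step 1: bind as the service account so the directory lets us search at all.
        if not self.server.bind(self.bind_user, self.bind_password):
            raise RuntimeError("bind user rejected: bindUser usually needs a full DN, not a bare name")
        # Step 2: find the user's entry; the login name is escaped before substitution so that
        # characters like '*' or ')' cannot widen the filter.
        hits = self.server.search(self.base_dn, self.user_search % escape_filter(username))
        if len(hits) != 1:
            return None
        dn, attrs = hits[0]
        # Step 3: prove the password by binding as the entry found. An empty password is refused
        # up front because many directories treat it as an anonymous bind that "succeeds".
        if not password or not self.server.bind(dn, password):
            return None
        # The userAttribute value, not the login name, is the identity handed to the authorizer.
        return attrs.get(self.user_attribute)


SERVER = FakeLdapServer(DIRECTORY)
VALIDATOR = LdapCredentialsValidator(
    SERVER, "cn=druid-svc,ou=services,dc=example,dc=com", "svc-secret", "dc=example,dc=com")


def wildcard_hits(username: str, escaped: bool) -> int:
    """How many entries (uid=<username>) matches, with and without escaping."""
    value = escape_filter(username) if escaped else username
    return len(SERVER.search("dc=example,dc=com", "(uid=%s)" % value))


if __name__ == "__main__":
    print(VALIDATOR.validate("rakesh", "rakesh-pw"))   # Rakesh Kumar
    print(VALIDATOR.validate("rakesh", "wrong"))       # None
    print(wildcard_hits("*", escaped=False), wildcard_hits("*", escaped=True))   # 3 0
```

The same three steps are what to reproduce by hand against the real directory when Druid rejects every login: first bind with the bindUser value exactly as configured, then run the userSearch filter under baseDn and confirm it returns exactly one entry, then bind as that entry's DN with the user's password.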