
StreamSets Data Collector authentication through LDAP

StreamSets Data Collector (SDC) allows user authentication based on files or LDAP. By default, Data Collector uses file authentication. This post gives you details on how to switch to use your company's LDAP.

To enable LDAP authentication you need to perform the following tasks:
- Configure the LDAP properties for the Data Collector by editing the $SDC_CONF/sdc.properties file:
    - set the value of the http.authentication.login.module property to ldap
    - configure the value of the http.authentication.ldap.role.mapping property to map your LDAP groups to Data Collector roles, following this syntax:
          <LDAP_group>:<SDC_role>,<additional_SDC_role>,<additional_SDC_role>
      Multiple roles can be mapped to the same group or vice versa. Use a semicolon to separate LDAP groups and commas to separate Data Collector roles. Here's an example:
          http.authentication.ldap.role.mapping=LDAP000:admin;LDAP001:creator,manager;LDAP002:guest
      The roles you can use are the same ones (admin, manager, creator, guest) available by default in SDC for file-based authentication.
      By default, this property is empty, but it is mandatory to set it when http.authentication.login.module=ldap.
- Configure the LDAP connection information by editing the $SDC_CONF/ldap-login.conf file, as in the following example:
     ldap {
         com.streamsets.datacollector.http.LdapLoginModule required
         debug="false"
         useLdaps="false"
         contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
         hostname="ldaphost.yourcompany.com"
         port="389"
         bindDn=""
         bindPassword=""
         authenticationMethod="simple"
         forceBindingLogin="true"
         userBaseDn="ou=ldappages,o=yourcompany.com"
         userRdnAttribute="uid"
         userIdAttribute="mail"
         userPasswordAttribute="userPassword"
         userObjectClass="person"
         roleBaseDn="ou=yourcompanygroups,o=yourcompany.com"
         roleNameAttribute="cn"
         roleMemberAttribute="uniquemember"
         roleObjectClass="groupOfUniqueNames";
     };

where
  • debug: enables debugging.
  • useLdaps: enables using LDAP over SSL.
  • contextFactory: the initial LDAP context factory. You can leave the default value, com.sun.jndi.ldap.LdapCtxFactory.
  • hostname: the LDAP server name.
  • port: the LDAP server port.
  • bindDn: the root distinguished name.
  • bindPassword: the connection password. The value can be set here directly, or stored in a separate file that is referenced from here.
  • authenticationMethod: the authentication method. You can leave the default value, simple.
  • forceBindingLogin: determines whether binding login checks are performed. When true, SDC passes the credentials entered in the login form to the LDAP server for authentication. When false, SDC performs authentication based on the information received from the LDAP server.
  • userBaseDn: the base distinguished name under which user accounts are located.
  • userRdnAttribute: the name of the username attribute.
  • userIdAttribute: the name of the user ID attribute.
  • userPasswordAttribute: the name of the attribute where the user password is stored.
  • userObjectClass: the name of the user object class.
  • roleBaseDn: the base distinguished name to search for role membership.
  • roleNameAttribute: the name of the attribute for roles.
  • roleMemberAttribute: the name of the role attribute for user names.
  • roleObjectClass: the role object class.
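A mistyped role or an empty mapping is only discovered after the restart, so here is an added example (my own Python, not StreamSets code) that parses the http.authentication.ldap.role.mapping value using the syntax above, rejects roles outside the four SDC defines, enforces the rule that the mapping is mandatory when the login module is ldap, and resolves the roles a user receives from the LDAP groups they belong to. The property names and the four roles are those given in the post; the function names and sample values are constructed.

```python
from typing import Dict, Iterable, Set

# Added example, not StreamSets code: the four SDC roles named in the post.
SDC_ROLES: Set[str] = {"admin", "manager", "creator", "guest"}


def parse_role_mapping(value: str) -> Dict[str, Set[str]]:
    """Parse '<group>:<role>,<role>;<group>:<role>' into {group: {roles}}.

    Groups are separated by ';', roles by ','. Malformed entries and roles
    SDC does not define raise ValueError, so a typo is caught before restart.
    """
    mapping: Dict[str, Set[str]] = {}
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        if ":" not in entry:
            raise ValueError(f"missing ':' in mapping entry {entry!r}")
        group, roles_part = (s.strip() for s in entry.split(":", 1))
        roles = {r.strip() for r in roles_part.split(",") if r.strip()}
        if not group or not roles:
            raise ValueError(f"empty group or role list in {entry!r}")
        unknown = roles - SDC_ROLES
        if unknown:
            raise ValueError(f"unknown SDC role(s) {sorted(unknown)} for {group!r}")
        # A group listed twice gets the union of its roles (several roles per group is allowed).
        mapping.setdefault(group, set()).update(roles)
    return mapping


def check_sdc_properties(props: Dict[str, str]) -> Dict[str, Set[str]]:
    """Apply the post's rule: the mapping is mandatory when the login module is ldap."""
    module = props.get("http.authentication.login.module", "").strip()
    mapping_value = props.get("http.authentication.ldap.role.mapping", "")
    if module == "ldap" and not mapping_value.strip():
        raise ValueError("http.authentication.ldap.role.mapping must be set "
                         "when http.authentication.login.module=ldap")
    return parse_role_mapping(mapping_value)


def resolve_roles(mapping: Dict[str, Set[str]], user_groups: Iterable[str]) -> Set[str]:
    """Union of the SDC roles a user gets from all LDAP groups they belong to."""
    return set().union(*(mapping.get(g, set()) for g in user_groups))


if __name__ == "__main__":
    # Constructed sample: the mapping from the post applied to a user in two groups.
    props = {"http.authentication.login.module": "ldap",
             "http.authentication.ldap.role.mapping":
                 "LDAP000:admin;LDAP001:creator,manager;LDAP002:guest"}
    m = check_sdc_properties(props)
    print(sorted(resolve_roles(m, ["LDAP001", "LDAP002"])))  # ['creator', 'guest', 'manager']
```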

To check for the proper object classes, attribute names and values in your company's LDAP, you can use the ldapsearch command-line utility from a Linux machine. This is the syntax of the command to retrieve a given user's entry, with the full list of attributes of the user object (the last argument is the LDAP search filter that selects the user):

ldapsearch -H ldap://<host>:<port> -D "BINDDN" -x -w 'PASSWORD' -b "BASEDN" "FILTER"

Example:

ldapsearch -H ldap://ldap.googlielmo.org:389 -D "" -x -w 'ldap123' -b "ou=ldap,o=googlielmo.org" "mail=john.smith@googlielmo.org"

Finally, don't forget to restart SDC to apply the configuration changes above.
