Configuring Cloudera Navigator for OpenLDAP
Configuring the Server to Use OpenLDAP
- Select .
- Click the Configuration tab.
- Select .
- Select .
- In the External Authentication Type, select LDAP.
- In the LDAP URL property, provide the URL of the LDAP server and (optionally) the base Distinguished Name (DN) (the search base) as part of the URL. For
example:
ldap://ldap-server.corp.com/dc=corp,dc=com
- In the LDAP Bind User Distinguished Name property, enter the LDAP account that has permission to query the LDAP database of user accounts on behalf of
Cloudera Navigator.
This can be specified as the full distinguished name (cn=account,ou=people,dc=corp,dc=region) or as only the common name (user@domain). Use the same format as the string used for Cloudera Manager LDAP configuration.
- In the LDAP Bind Password property, enter the password for the bind user entered above.
- To use a distinguished name pattern, enter the pattern in the LDAP Distinguished Name Pattern property, as follows:
- Use {0} to substitute the username field (entered by the user at login) for the uid portion of
the DN pattern. Cloudera Navigator fills the username (as uid) into the full string and passes it to the external LDAP system to find and authenticate the user. For example, the pattern below searches
the LDAP directory for user foo:
uid=foo,ou=people,dc=corp,dc=com
- The pattern does not need to include any attributes that have been specified in LDAP User Search Base and LDAP User Search Filter properties.
- If the LDAP URL property includes the base DN, only the attributes not specified in the URL path need to be in the pattern. For
example, for an LDAP URL property set to:
ldap://ldap-server.corp.com/dc=corp,dc=com
only the uid and containing OU (ou=people) need to be specified. For example: uid={0},ou=people
- You can also search using User or Group search filters, using the LDAP User Search Base, LDAP User Search Filter,
LDAP Group Search Base and LDAP Group Search Filter settings. These allow you to combine a base DN with a search filter to allow a greater
range of search targets.
For example, if you want to authenticate users who may be in one of multiple OUs, the search filter mechanism will allow this. You can specify the User Search Base DN as dc=corp,dc=com and the user search filter as uid={0}. Then Cloudera Navigator will search for the user anywhere in the tree starting from the Base DN. Suppose you have two OUs—ou=Engineering and ou=Operations—Cloudera Navigator will find User "foo" if it exists in either of these OUs, that is, uid=foo,ou=Engineering,dc=corp,dc=com or uid=foo,ou=Operations,dc=corp,dc=com.
You can use a user search filter along with a DN pattern, so that the search filter provides a fallback if the DN pattern search fails.
The Groups filters let you search to determine if a DN or username is a member of a target group. In this case, the filter you provide can be something like member={0} where {0} will be replaced with the DN of the user you are authenticating. For a filter requiring the username, {1} may be used, as memberUid={1}. This will return a list of groups to which the user belongs.
- Click Save Changes.
- After changing the configuration settings, restart the Navigator Metadata Service: click the Instances tab on the Cloudera Management Service page, check Navigator Metadata Service, and click .
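The DN pattern and the {0}/{1} substitutions into the user and group search filters described above, as an added Python example (not Cloudera's code): it takes the base DN from the LDAP URL, builds the user DN from the pattern, and builds the user and group search filters, escaping the login name per RFC 4514 and RFC 4515 so that characters typed at the login prompt cannot change the meaning of the DN or filter. The helper names and the escaping step are assumptions for illustration; this page does not state how Navigator itself handles the substitution.

```python
from urllib.parse import urlparse

# Assumed helper names; constructed for illustration, not Cloudera's code.

def parse_ldap_url(url):
    """Split an LDAP URL into (scheme, host, port, base DN from the URL path)."""
    u = urlparse(url)
    port = u.port or (636 if u.scheme == "ldaps" else 389)  # default LDAP ports
    return u.scheme, u.hostname, port, u.path.lstrip("/")   # "" if no base DN

def escape_filter(value):
    """RFC 4515: hex-escape characters that are special inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def escape_dn_value(value):
    """RFC 4514: backslash-escape characters that are special in a DN value."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out.endswith(" "):                      # trailing space must be escaped
        out = out[:-1] + "\\ "
    if out.startswith(("#", " ")):             # leading '#' or space likewise
        out = "\\" + out
    return out

def user_dn(pattern, username, base_dn=""):
    """Fill {0} in the DN pattern; append the base DN taken from the LDAP URL."""
    dn = pattern.replace("{0}", escape_dn_value(username))
    if base_dn and not dn.endswith(base_dn):
        dn += "," + base_dn
    return dn

def user_filter(template, username):
    """LDAP User Search Filter: {0} is the login name."""
    return template.replace("{0}", escape_filter(username))

def group_filter(template, dn, username):
    """LDAP Group Search Filter: {0} is the user's DN, {1} the login name."""
    return template.replace("{0}", escape_filter(dn)).replace("{1}", escape_filter(username))

if __name__ == "__main__":
    scheme, host, port, base = parse_ldap_url("ldap://ldap-server.corp.com/dc=corp,dc=com")
    dn = user_dn("uid={0},ou=people", "foo", base)
    print(scheme, host, port, base)            # ldap ldap-server.corp.com 389 dc=corp,dc=com
    print(dn)                                  # uid=foo,ou=people,dc=corp,dc=com
    print(user_filter("uid={0}", "foo"))       # uid=foo
    print(group_filter("member={0}", dn, "foo"))   # member=uid=foo,ou=people,dc=corp,dc=com
    # A login name carrying filter metacharacters is neutralised, not interpreted:
    print(user_filter("uid={0}", "*)(uid=*"))  # uid=\2a\29\28uid=\2a
```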
Configuring Cloudera Navigator to Use LDAPS
If the LDAP server certificate has been signed by a public CA (certificate authority), such as Symantec, following the steps below is typically not necessary.
- Copy the CA certificate file to the Cloudera Navigator Server host.
- Import the CA certificate from the CA certificate file to the local truststore. The default truststore is located in the $JAVA_HOME/jre/lib/security/cacerts file. This contains the default CA information shipped with the JDK. Create an alternate default file called jssecacerts in the same location as the cacerts file. You can now safely append CA certificates for any private or public CAs not present in the default cacerts file, while keeping the original file intact.
Copy the default cacerts file into the new jssecacerts file, and then import the CA certificate into this alternate truststore (the copy goes into the same security directory as cacerts, as described above):
$ cp $JAVA_HOME/jre/lib/security/cacerts \
    $JAVA_HOME/jre/lib/security/jssecacerts
$ /usr/java/latest/bin/keytool -import -alias nt_domain_name \
    -keystore /usr/java/latest/jre/lib/security/jssecacerts -file path_to_cert
- Configure the LDAP URL property to use ldaps://ldap_server instead of ldap://ldap_server.
©2016 Cloudera, Inc. All rights reserved