Control Hub can't map LDAP group and users.

  • 13 June 2022


In order to map LDAP to Control Hub, we need to keep in mind that the association between users and groups is made automatically. Below are the steps you should follow to set up LDAP:

1. Create a group in Control Hub that you want to map to LDAP and be sure that the LDAP Groups field matches a group that already exists in the LDAP server.

2. Create a user you want to map to the group you just created and make sure that the LDAP Username field matches a username that already exists and that the user belongs to this group.

In case it doesn't work as expected, we can try the following troubleshooting:

- Make sure that the SCH server has access to the LDAP server. You should test this independently of StreamSets.

- Check that the file security-app.properties is configured correctly according to the LDAP server. Pay special attention to whether the following lines are configured correctly (by default they are not properly configured):

userGroupProvider.M.multi.AD.ldap.groupMemberAttribute = member
userGroupProvider.M.multi.AD.ldap.groupObjectClass = group
userGroupProvider.M.multi.AD.ldap.userObjectClass = OrganizationalPerson

Take an example of a user and a group you would like to map in Control Hub and try the following command:

ldapsearch -LLL -H ldaps://adc01.streamsets.net:636 -x -D 'danilo@streamsets.net' -w 'PASSWORD' -b 'ou=StreamSets,dc=streamsets,dc=net' -s sub '(&(objectclass=user)(sAMAccountName=danilo))'

It will return the whole user schema, which contains, among other things, the user objectClass and the list of groups that the user belongs to. For example, you can see OrganizationalPerson in the user object for the user Danilo.

Now, check the same but for the group schema:

ldapsearch -LLL -H ldaps://adc01.streamsets.net:636 -x -D 'danilo@streamsets.net' -w 'yourpassword' -b 'ou=StreamSets,dc=streamsets,dc=net' -s sub '(&(objectclass=group)(cn=OpenVPNusers))'

It will return the same but for the specified group. Check that the object class for the group matches the one in the LDAP configuration, and also the group attribute name; in this case, "member" matches the line groupMemberAttribute. Notice that this last one appears in the output of the above command as a field and not as a value, e.g.:

ObjectClass: top
objectClass: group
cn: OpenVPNUsers
member: CN=Danilo Viana, OU=StreamSets,DC=streamsets,DC=net

Also, increase the debug level in the file dpm-log4j.properties by adding the following:

log4j.logger.com.streamsets.apps.security.authentication.ldap.LdapUserGroupProvider=TRACE

Note: There is a known issue (reported in DPM-6212) due to which users' groups are not being fetched properly. Even though LDAP is case-insensitive by default, the LDAP group to role mapping configuration in SCH is case sensitive. Search is working correctly but Application Mapping doesn't work properly. (Seen in SCH 3.9.0, SCH 3.14.0.)
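As an added example (not code from the original post or from StreamSets), the checks described above applied in Python to constructed ldapsearch output: the property names are the ones quoted in the post, while the LDIF entries and the SCH group name are made-up sample data.

```python
# Added example (not from the original post): parse ldapsearch -LLL output and check it
# against the three security-app.properties values quoted above, plus DPM-6212's case issue.
# Constructed sample entries (names mirror the post; everything else is made up).
GROUP_LDIF = """dn: CN=OpenVPNUsers,OU=StreamSets,DC=streamsets,DC=net
objectClass: top
objectClass: group
cn: OpenVPNUsers
member: CN=Danilo Viana,OU=StreamSets,DC=streamsets,DC=net
"""
USER_LDIF = """dn: CN=Danilo Viana,OU=StreamSets,DC=streamsets,DC=net
objectClass: organizationalPerson
objectClass: user
sAMAccountName: danilo
memberOf: CN=OpenVPNUsers,OU=StreamSets,DC=streamsets,DC=net
"""
PREFIX = "userGroupProvider.M.multi.AD.ldap."
PROPS = {  # values exactly as quoted in the post
    PREFIX + "groupMemberAttribute": "member",
    PREFIX + "groupObjectClass": "group",
    PREFIX + "userObjectClass": "OrganizationalPerson",
}

def parse_ldif(text):
    """One LDIF entry -> {attribute: [values]}; names lowercased (LDAP ignores their case)."""
    entry = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def check_mapping(group_ldif, user_ldif, props, sch_group_name):
    """Return a list of findings; an empty list means the mapping should work."""
    g, u = parse_ldif(group_ldif), parse_ldif(user_ldif)
    lower = lambda values: [v.lower() for v in values]
    findings = []
    # objectClass values are matched case-insensitively by LDAP, so compare lowercased.
    if props[PREFIX + "groupObjectClass"].lower() not in lower(g.get("objectclass", [])):
        findings.append("groupObjectClass does not match the group entry")
    if props[PREFIX + "userObjectClass"].lower() not in lower(u.get("objectclass", [])):
        findings.append("userObjectClass does not match the user entry")
    member_attr = props[PREFIX + "groupMemberAttribute"].lower()
    if u["dn"][0].lower() not in lower(g.get(member_attr, [])):
        findings.append(f"user DN not listed under group attribute '{member_attr}'")
    # Control Hub compares the group name case-sensitively (DPM-6212), unlike the search filter.
    cn = g.get("cn", [""])[0]
    if cn != sch_group_name:
        kind = "case-only" if cn.lower() == sch_group_name.lower() else "name"
        findings.append(f"{kind} mismatch: LDAP cn '{cn}' vs Control Hub group '{sch_group_name}'")
    return findings
```

A "case-only" finding is exactly the DPM-6212 situation: ldapsearch with cn=OpenVPNusers still finds the group, but the Control Hub mapping will not.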


1 reply

Hi @AkshayJadhav - can we implement an LDAP connection to Control Hub in DataOps Platform? How?

Thank you
