E-MapReduce: Use LDAP authentication

Last Updated: Dec 01, 2025

After LDAP authentication is enabled for a service, you must provide your LDAP username and password when you access the service. This improves the security of the service. The EMR console lets you enable LDAP authentication for a service with a few simple operations, so you do not have to perform the complex manual configuration.

Prerequisites

You have created a DataLake or custom cluster and selected the Hive and OpenLDAP services. For more information, see Create a cluster.

Enable LDAP authentication with one click

  1. Add an EMR user. For more information, see Add a user.

  2. Go to the Services tab.

    1. Log on to the EMR console.

    2. In the left-side navigation pane, click EMR on ECS.

    3. In the top navigation bar, select the region in which your cluster resides and select a resource group based on your business requirements.

    4. On the EMR on ECS page, find the desired cluster and click Services in the Actions column.

  3. Enable LDAP authentication.

    1. On the Services tab, click Status in the Hive section.

    2. Turn on the enableLDAP switch.

      • For EMR V5.11.1 or later and EMR V3.45.1 or later

        1. In the Service Overview section, turn on the enableLDAP switch.

        2. In the dialog box, click OK.

      • For EMR V5.11.0 or earlier and EMR V3.45.0 or earlier

        1. In the Components section, find HiveServer and in the Actions column, select more > enableLDAP.

        2. In the dialog box that appears, enter an execution reason in the Execution Reason field and click OK.

        3. In the Confirm dialog box, click OK.

    3. Restart HiveServer.

      1. In the Components section, click Restart in the Actions column of HiveServer.

      2. In the dialog box that appears, enter a reason in the Execution Reason field and click OK.

      3. In the Confirm dialog box, click OK.

  4. Connect to HiveServer.

    After you enable LDAP authentication, you must use LDAP credentials to connect to HiveServer.

    1. Log on to your cluster in SSH mode. For more information, see Log on to a cluster.

    2. Run the following command to connect to HiveServer.

      • Beeline client:

        beeline -u jdbc:hive2://master-1-1:10000 -n <user> -p <password>
      • Java Database Connectivity (JDBC):

        jdbc:hive2://master-1-1:10000/default;user=<user>;password=<password>
      Note

      In the command, <user> is the LDAP username and <password> is the LDAP password. These are the credentials for the user that you added in Step 1.

Manually configure LDAP authentication

The EMR console provides an enableLDAP switch that you can use to enable LDAP authentication. However, if you use an earlier version of EMR or need to connect to a self-managed LDAP service, you must manually configure LDAP authentication for HiveServer2.

On the Configure page of the Hive service, add the following configuration items to the hiveserver2-site.xml tab. For more information, see Manage configuration items.

| Configuration item | Reference value | Description |
| --- | --- | --- |
| hive.server2.authentication | LDAP | Specifies the authentication method for HiveServer2. |
| hive.server2.authentication.ldap.url | ldap://{ldap_hostname}:{port} (example: ldap://master-1-1:10389) | Specifies the URL to connect to the LDAP service. Configure this URL as needed. {ldap_hostname}: The hostname or IP address of the LDAP service. If you connect to the LDAP service of an EMR cluster, the hostname is typically emr-header-1. {port}: The port of the LDAP service. The port for the LDAP service of an EMR cluster is 10389. For a self-managed LDAP service, specify the port as needed. |
| hive.server2.authentication.ldap.baseDN | ou=people,o=emr | The base distinguished name (DN) of a user in the LDAP service. For the LDAP service of an EMR cluster, use ou=people,o=emr. For a self-managed LDAP server, set the value as needed. |

Specify user access to Hive

If LDAP authentication is enabled for the Hive service in your cluster, you can add or modify the following configuration items to grant access to specific users.

Configuration settings

  1. On the Configure page of the Hive service in the EMR console, on the hiveserver2-site.xml tab, add or modify the following configuration items.

    | Configuration item | Example configuration value | Configuration type | Note |
    | --- | --- | --- | --- |
    | hive.server2.authentication.ldap.userDNPattern | uid=%s,ou=people,o=emr | Add | The User DN pattern defines the search path for a user in LDAP. The %s placeholder is replaced with the actual username. |
    | hive.server2.authentication.ldap.groupFilter | username | Add | A filter for user groups. Only users that belong to the specified groups can access HiveServer2. Use a comma to separate multiple user groups. |
    | hive.server2.authentication.ldap.groupClassKey | posixGroup | Add | The value of the objectClass property for a group object in LDAP. |
    | hive.server2.authentication.ldap.groupMembershipKey | memberUid | Add | The property name for storing member information in the LDAP group object. |
    | hive.server2.authentication.ldap.baseDN | o=emr | Modify | The base DN for LDAP searches. The existing configuration must be modified to a base path that is suitable for group filtering. |

  2. Save the configurations.

  3. Restart the HiveServer2 service to apply the changes.

Connection verification

After you enable LDAP authentication and configure the corresponding users, you must use the credentials of a specified user to connect to HiveServer.

  1. Connect to the cluster using SSH. For more information, see Log on to a cluster.

  2. Run the following command to connect to HiveServer.

    • Beeline client:

      beeline -u jdbc:hive2://master-1-1:10000 -n <user> -p <password>
    • JDBC:

      jdbc:hive2://master-1-1:10000/default;user=<user>;password=<password>
    Note

    In the command, <user> specifies the user configured in the hive.server2.authentication.ldap.groupFilter configuration item, and <password> specifies the password for that user. These are the credentials for the user that you added in Step 1.

FAQ

How do I resolve a connection error that occurs after I enable LDAP authentication for Hive?

  • Symptom: The following error message appears when you run a beeline command to connect to Hive.

    [Image: screenshot of the error message]

  • Cause: The user specified in the beeline connection command failed LDAP authentication.

  • Solution: Add the current user to the hive.server2.authentication.ldap.groupFilter configuration item in the hiveserver2-site.xml file. Alternatively, connect to Hive using a user that is already specified in the hive.server2.authentication.ldap.groupFilter configuration item of the hiveserver2-site.xml file.
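
The following is an added example, not code from the original page or from HiveServer2. It is a simplified Python model of how the settings in "Specify user access to Hive" combine into a bind DN and a group lookup, which helps when diagnosing the connection error above. Usernames are escaped per RFC 4514 and RFC 4515 so they cannot change the DN or filter structure. The group names analysts and etl, the sample group entries, and all function names are constructed for illustration, and the ldapsearch client is assumed to be installed.

```python
import shlex

# Values from the configuration tables above; the groupFilter group names
# and the sample directory entries are constructed for illustration.
CONF = {
    "url": "ldap://master-1-1:10389",
    "userDNPattern": "uid=%s,ou=people,o=emr",
    "groupFilter": "analysts,etl",
    "groupClassKey": "posixGroup",
    "groupMembershipKey": "memberUid",
    "baseDN": "o=emr",
}
GROUPS = [
    {"cn": "analysts", "objectClass": "posixGroup", "memberUid": ["alice"]},
    {"cn": "ops", "objectClass": "posixGroup", "memberUid": ["bob"]},
]

def escape_dn_value(v):
    """RFC 4514: hex-escape characters that would alter the DN structure."""
    last = len(v) - 1
    return "".join(
        "\\%02x" % ord(c)
        if c in ',+"\\<>;=\0' or (i == 0 and c in "# ") or (i == last and c == " ")
        else c
        for i, c in enumerate(v))

def escape_filter_value(v):
    """RFC 4515: hex-escape characters that would alter the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in v)

def bind_dn(user):
    # The %s placeholder in userDNPattern is replaced with the username.
    return CONF["userDNPattern"].replace("%s", escape_dn_value(user))

def group_search_filter(user):
    return "(&(objectClass=%s)(%s=%s))" % (
        CONF["groupClassKey"], CONF["groupMembershipKey"], escape_filter_value(user))

def passes_group_filter(user):
    # Access requires membership in at least one group named in groupFilter.
    allowed = {g.strip() for g in CONF["groupFilter"].split(",")}
    member_of = {g["cn"] for g in GROUPS
                 if g["objectClass"] == CONF["groupClassKey"]
                 and user in g[CONF["groupMembershipKey"]]}
    return bool(allowed & member_of)

def ldapsearch_command(user):
    # -W prompts for the bind password so it stays out of shell history.
    return shlex.join(["ldapsearch", "-x", "-H", CONF["url"], "-D", bind_dn(user),
                       "-W", "-b", CONF["baseDN"], group_search_filter(user), "cn"])

if __name__ == "__main__":
    for u in ("alice", "bob", "x,ou=admins"):
        print(u, "->", bind_dn(u), passes_group_filter(u))
    print(ldapsearch_command("alice"))
```

Running the printed ldapsearch command against the cluster's directory lists the groups a user actually belongs to, which can then be compared with the groupFilter value.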