OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol (LDAP). In E-MapReduce (EMR) clusters, OpenLDAP manages user accounts and authenticates identities for open source services.
Integrate a service with OpenLDAP
Knox is integrated with OpenLDAP by default in an EMR cluster. When you access service web UIs from the Access Links and Ports tab in the EMR console, Knox uses OpenLDAP to authenticate your identity.
The following open source services support LDAP authentication in EMR. Enable LDAP authentication for each service separately — the procedure varies by service.
| Service | Topic |
|---|---|
| Hive | Use LDAP authentication |
| Spark | Manage LDAP authentication |
| Impala | Manage LDAP authentication |
| Trino | Manage LDAP authentication |
| Presto | Manage LDAP authentication |
| Kafka | Configure an LDAP user for authentication |
For services not listed above, refer to the open source community documentation to enable LDAP authentication manually. Use the following connection parameters for your EMR cluster's OpenLDAP instance.
| Parameter | Description | Default value |
|---|---|---|
| Service address | The LDAP URL for connecting to OpenLDAP. For high-availability clusters, specify both addresses. | Common cluster: High-availability cluster: |
| BaseDN | The Distinguished Name (DN) that defines the root of the directory tree where user entries are stored. For example, ou=people,o=emr means users are stored under the people organizational unit in the emr organization. Find the value in the user_base_dn parameter on the Configure tab of the OpenLDAP service page. | ou=people,o=emr |
| adminDN | The DN for the admin account used to bind to the LDAP directory. Find the value in the admin_dn parameter on the Configure tab of the OpenLDAP service page. | uid=admin,o=emr |
| Admin password | The password for the adminDN account. Find the value in the admin_pwd parameter on the Configure tab of the OpenLDAP service page. | — |
Manage LDAP users
Add LDAP users from the Users tab in the EMR console. This creates a user in OpenLDAP with the same name as an Alibaba Cloud RAM user. For more information, see Manage user accounts.
To manage users directly through the command line, use OpenLDAP CLI commands such as ldapadd, ldapdelete, and ldapmodify, or use an LDIF file. For details, see the OpenLDAP documentation.
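As an added example (not part of the EMR documentation or the OpenLDAP project), the following script builds an LDIF entry for a new user under the BaseDN and adminDN shown above, stores the password as a salted SHA-1 ({SSHA}) hash rather than in clear text, and shows the ldapadd invocation that loads it. It assumes the entries are inetOrgPerson objects and uses a placeholder LDAP URL; replace both with the values from your cluster's OpenLDAP Configure tab.

```shell
#!/usr/bin/env bash
# Assumptions (not from the EMR docs): placeholder URL, inetOrgPerson schema.
set -eu

EMR_LDAP_URL="${EMR_LDAP_URL:-ldap://EMR_MASTER_HOST:PORT}"  # placeholder, take the real URL from the console
BASE_DN="ou=people,o=emr"    # user_base_dn on the Configure tab
ADMIN_DN="uid=admin,o=emr"   # admin_dn on the Configure tab

# ssha_hash PASSWORD SALT -> {SSHA}base64( sha1(password || salt) || salt )
ssha_hash() {
  pw="$1"; salt="$2"
  printf '{SSHA}%s' "$( { printf '%s%s' "$pw" "$salt" | openssl dgst -sha1 -binary; printf '%s' "$salt"; } | base64 | tr -d '\n')"
}

# ssha_verify PASSWORD HASH -> exit 0 when PASSWORD matches the stored {SSHA} value
ssha_verify() {
  pw="$1"; hash="$2"
  # the salt is whatever follows the 20-byte SHA-1 digest in the decoded value
  salt="$(printf '%s' "${hash#\{SSHA\}}" | base64 -d | tail -c +21)"
  [ "$(ssha_hash "$pw" "$salt")" = "$hash" ]
}

# user_ldif UID PASSWORD -> LDIF for one user entry on stdout
user_ldif() {
  uid="$1"; pw="$2"
  salt="$(openssl rand -hex 4)"   # fresh 8-character salt per entry
  cat <<EOF
dn: uid=${uid},${BASE_DN}
objectClass: inetOrgPerson
uid: ${uid}
cn: ${uid}
sn: ${uid}
userPassword: $(ssha_hash "$pw" "$salt")
EOF
}

# add_user UID PASSWORD -> loads the entry with the admin bind; -W prompts for admin_pwd
# so the admin password never appears on the command line or in shell history
add_user() {
  user_ldif "$1" "$2" | ldapadd -x -H "$EMR_LDAP_URL" -D "$ADMIN_DN" -W
}
```

Run `add_user alice 'S3cret!'` on a node that can reach the OpenLDAP service; the same LDIF, with `changetype: delete` or `changetype: modify`, is what ldapdelete and ldapmodify consume.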