LDAP Integration
HEAVY.AI supports LDAP authentication using an IPA Server or Microsoft Active Directory.
You can configure HEAVY.AI Enterprise edition to map LDAP roles 1-to-1 to HEAVY.AI roles. When you enable this mapping, LDAP becomes the main authority controlling user roles in HEAVY.AI.
LDAP mapping is available only in HEAVY.AI Enterprise edition.
HEAVY.AI supports five configuration settings that allow you to integrate with your LDAP server.
Parameter | Description | Example |
| LDAP server host or server URI. | |
| LDAP distinguished name (DN). | |
| Returns the role names a user belongs to in the LDAP. | |
| Applies a regex filter to find matching roles from the roles in the LDAP server. | |
| Identifies one of the filtered roles as a superuser role. If a user has this filtered ldap role, the user is marked as a superuser. | |
Obtaining Credential Information
To find the ldap-role-query-url
and ldap-role-query-regex
to use, query your user roles. For example, if there is a user named kiran on the IPA LDAP server ldap://myldapserver.mycompany.com
, you could use the following curl command to get the role information:
When successful, it returns information similar to the following:
ldap-dn
matches the DN, which isuid=kiran,cn=users,cn=accounts,dc=mycompany,dc=com
.ldap-role-query-url
includes the LDAP URI + the DN + the LDAP attribute that represents the role/group the member belongs to, such as memberOf.ldap-role-query-regex
is a regular expression that matches the role names. The matching role names are used to grant and revoke privileges in HEAVY.AI. For example, if we created some roles on an IPA LDAP server where the role names begin with MyCompany_ (for example, MyCompany_Engineering, MyCompany_Sales, MyCompany_SuperUser), the regular expression can filter the role names using MyCompany_.ldap-superuser-role
is the role/group name for HEAVY.AI users who are superusers once they log on to the HEAVY.AI database. In this example, the superuser role name is MyCompany_SuperUser.
Make sure that LDAP configuration appears before the [web]
section of heavy.conf
.
Double quotes are not required for LDAP properties in heavy.conf
. For example, both of the following are valid:
ldap-uri = "ldap://myldapserver.mycompany.com"
ldap-uri = ldap://myldapserver.mycompany.com
Setting Up LDAP with HEAVY.AI
To integrate LDAP with HEAVY.AI, you need the following:
A functional LDAP server, with all users/roles/groups created (
ldap-uri
,ldap-dn
,ldap-role-query-url
,ldap-role-query-regex
, andldap-superuser-role
) to be used by HEAVY.AI. You can use thecurl
command to test and find the filters.A functional HEAVY.AI server, version 4.1 or higher.
Once you have your server information, you can configure HEAVY.AI to use LDAP authentication.
Locate the
heavy.conf
file and edit it to include the LDAP parameter. For example:Restart the HEAVY.AI server:
Log on to
heavysql
as MyCompany user, or any user who belongs to one of the roles/groups that match the filter.
When you use LDAP authentication, the default admin user and password HyperInteractive do not work unless you create the admin user with the same password on the LDAP server.
If your login fails, inspect $HEAVYAI_STORAGE/mapd_log/heavyai_server.INFO
to check for any obvious errors about LDAP authentication.
Once you log in, you can create a new role name in heavysql
, and then apply GRANT/REVOKE privileges to the role. Log in as another user with that role and confirm that GRANT/REVOKE works.
If you refresh the browser window, you are required to log in and reauthenticate.
Using LDAPS
To use LDAPS, HEAVY.AI must trust the LDAP server's SSL certificate. To achieve this, you must have the CA for the server's certificate, or the server certificate itself. Install the certificate as a trusted certificate.
IPA on CentOS
To use IPA as your LDAP server with HEAVY.AI running on CentOS 7:
Copy the IPA server CA certificate to your local machine.
Update the PKI certificates.
Edit
/etc/openldap/ldap.conf
to add the following line.Locate the
heavy.conf
file and edit it to include the LDAP parameter. For example:Restart the HEAVY.AI server:
IPA on Ubuntu
To use IPA as your LDAP server with HEAVY.AI running on Ubuntu:
Copy the IPA server CA certificate to your local machine.
Rename
ipa-ca.crm
toipa-ca.crt
so that the certificates bundle update script can find it:Update the PKI certificates:
Edit
/etc/openldap/ldap.conf
to add the following line:Locate the
heavy.conf
file and edit it to include the LDAP parameter. For example:Restart the HEAVY.AI server:
Active Directory
1. Locate the heavy.conf
file and edit it to include the LDAP parameter.
Example 1:
Example 2:
2. Restart the HEAVY.AI server:
Other LDAP user authentication attributes, such as userPrincipalName, are not currently supported.