Can I specify more than one Active Directory (AD) group when configuring access to Arcadia through LDAP?

Use-case:

I’m setting up LDAP authentication with Arcadia Visualization Server, and as part of the configuration process I would like to restrict access to Arcadia through LDAP using Active Directory groups. However, instead of restricting access using only one AD group, I have users that are associated with multiple groups and it would be easier if I could just specify a list of groups instead.

NOTE: This is only possible for Arcadia 4.3+

Solution:

In our example LDAP authentication configuration template (http://documentation.arcadiadata.com/4.4.0.0/#pages/topics/ldap-edit-settings.html) there is a specific configuration section where you can specify the AD group you would like to use to restrict access to the Arcadia application when connecting through LDAP (in this case the group is called “arcviz users”):

# Required Group for all users
AUTH_LDAP_REQUIRE_GROUP = "CN=arcviz users,CN=Users,DC=arctest,DC=arcadiadata,DC=com"

By default, this pattern only allows you to enter one AD group to provision access to Arcadia. However, there are ways to create more complex conditional cases that enable you to allow access to one or more AD groups, or simultaneously restrict access to Arcadia using an additional AD group.

Below is an example using the LDAPGroupQuery class to create a special conditional match where users would need to be in the “enabled” or “also_enabled” group and NOT in the “disabled” group.

from django_auth_ldap.config import LDAPGroupQuery

AUTH_LDAP_REQUIRE_GROUP = (
    (
        LDAPGroupQuery("cn=enabled,ou=groups,dc=example,dc=com") |
        LDAPGroupQuery("cn=also_enabled,ou=groups,dc=example,dc=com")
    ) &
    ~LDAPGroupQuery("cn=disabled,ou=groups,dc=example,dc=com")
)

This pattern is just a starting point, and should be modified to meet your exact use-case or matching criteria.

Furthermore, this code should replace your existing AUTH_LDAP_REQUIRE_GROUP section in your LDAP configuration template, which is stored in the Arcadia Visualization Server Safety Valve (settings_cm.py) in Cloudera Manager if you’re using CDH (Cloudera), or Arcviz Settings in Ambari if you’re using HDP (Hortonworks).
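
Before modifying the pattern, it helps to check which membership combinations it actually admits. The following is an added example, not part of the original article or of django-auth-ldap: GroupQuery is a hypothetical stand-in that mimics the |, & and ~ operators of LDAPGroupQuery against constructed users, and it shows that dropping the inner parentheses changes the result, because Python's & binds tighter than |.

```python
def _norm(dn):
    # Simplified DN normalisation for this model: lower-case, trim spaces around commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

class GroupQuery:
    """Hypothetical stand-in for LDAPGroupQuery: same |, & and ~ operators,
    evaluated against a plain set of group DNs instead of a directory."""
    def __init__(self, dn=None, check=None):
        if check is None:
            wanted = _norm(dn)
            check = lambda groups: wanted in groups
        self._check = check
    def __or__(self, other):
        return GroupQuery(check=lambda g: self._check(g) or other._check(g))
    def __and__(self, other):
        return GroupQuery(check=lambda g: self._check(g) and other._check(g))
    def __invert__(self):
        return GroupQuery(check=lambda g: not self._check(g))
    def allows(self, member_of):
        return self._check({_norm(dn) for dn in member_of})

ENABLED = "cn=enabled,ou=groups,dc=example,dc=com"
ALSO_ENABLED = "cn=also_enabled,ou=groups,dc=example,dc=com"
DISABLED = "cn=disabled,ou=groups,dc=example,dc=com"

# The expression from the article, parentheses intact.
PAGE_POLICY = (GroupQuery(ENABLED) | GroupQuery(ALSO_ENABLED)) & ~GroupQuery(DISABLED)
# Same terms without the inner parentheses: parsed as ENABLED | (ALSO_ENABLED & ~DISABLED).
NO_PARENS = GroupQuery(ENABLED) | GroupQuery(ALSO_ENABLED) & ~GroupQuery(DISABLED)

# Constructed users and group memberships (sample data, not from a real directory).
USERS = {
    "alice": [ENABLED],
    "bob": ["CN=also_enabled, OU=groups, DC=example, DC=com"],
    "carol": [ENABLED, DISABLED],   # allowed group plus the deny group
    "dave": [DISABLED],
    "erin": [],
}

def decisions(policy):
    # Map each sample user to the access decision the policy produces.
    return {user: policy.allows(groups) for user, groups in USERS.items()}

if __name__ == "__main__":
    page, loose = decisions(PAGE_POLICY), decisions(NO_PARENS)
    for user in USERS:
        print(f"{user:6} article policy={page[user]!s:5} without parentheses={loose[user]}")
```

With the parentheses removed, carol (a member of both “enabled” and “disabled”) is admitted, so keep the grouping explicit whenever the deny group must override every allowed group.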
