How can I query into multiple Active Directory (AD) domains to search for users when configuring access to Arcadia through LDAP?

Scenario:

When provisioning Arcadia access through LDAP, you may have users in Active Directory that are organized in multiple domains (e.g. “america” and “emea”). You can modify your AUTH_LDAP_USER_SEARCH and AUTH_LDAP_GROUP_SEARCH settings to use the LDAPSearchUnion class, which runs a search in each Active Directory domain and combines the results, so that users in either domain are found when they attempt to authenticate in Arcadia.

NOTE: Your LDAP Bind user must have access to search high enough in the LDAP tree to find users in both domains.

Step 1: Add LDAPSearchUnion class to your list of ldap library imports at the top of your Arcadia LDAP configuration, which can be found in the Arcadia Visualization Server Safety Valve (settings_cm.py) configuration in Cloudera Manager, or Arcviz Settings in Ambari:

Original ldap library imports:

import ldap
from django_auth_ldap.config import LDAPSearch, NestedActiveDirectoryGroupType

Update ldap library imports:

import ldap
from django_auth_ldap.config import LDAPSearch, NestedActiveDirectoryGroupType, LDAPSearchUnion

Step 2: Update the AUTH_LDAP_USER_SEARCH and AUTH_LDAP_GROUP_SEARCH settings in your LDAP configuration settings, which can be found in the Arcadia Visualization Server Safety Valve (settings_cm.py) configuration in Cloudera Manager, or Arcviz Settings in Ambari:

Original User Search DN:

AUTH_LDAP_USER_SEARCH = LDAPSearch("DC=america,DC=arcadia,DC=com",
    ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)")

Updated User Search DN to search both “america” and “emea” domains:

AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
    LDAPSearch("DC=america,DC=arcadia,DC=com", ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"),
    LDAPSearch("DC=emea,DC=arcadia,DC=com", ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"),
)

Original Group Search DN:

AUTH_LDAP_GROUP_SEARCH = LDAPSearch("OU=Groups,DC=america,DC=arcadia,DC=com",
    ldap.SCOPE_SUBTREE, "(objectClass=group)")

Updated Group Search DN to search both “america” and “emea” domains:

AUTH_LDAP_GROUP_SEARCH = LDAPSearchUnion(
    LDAPSearch("OU=Groups,DC=america,DC=arcadia,DC=com", ldap.SCOPE_SUBTREE, "(objectClass=group)"),
    LDAPSearch("OU=Groups,DC=emea,DC=arcadia,DC=com", ldap.SCOPE_SUBTREE, "(objectClass=group)"),
)
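Added example (not Arcadia or django-auth-ldap code): an offline Python model of the union user lookup configured above, run against a constructed four-entry directory. It shows that a sAMAccountName present in both domains produces two hits and therefore resolves to no account, and it checks that every search base sits under the bind user's reachable base (a simplification of the NOTE above; real visibility is governed by AD permissions). The names DIRECTORY, USER_SEARCHES, resolve_user_dn and bind_user_covers are this example's own.

```python
"""Offline model of the LDAPSearchUnion user lookup; no LDAP server is contacted."""
from typing import Dict, List, Optional, Tuple

# Constructed sample directory: DN -> attributes. 'carol' exists in BOTH domains.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "CN=alice,OU=Users,DC=america,DC=arcadia,DC=com": {"sAMAccountName": "alice"},
    "CN=bob,OU=Users,DC=emea,DC=arcadia,DC=com": {"sAMAccountName": "bob"},
    "CN=carol,OU=Users,DC=america,DC=arcadia,DC=com": {"sAMAccountName": "carol"},
    "CN=carol,OU=Users,DC=emea,DC=arcadia,DC=com": {"sAMAccountName": "carol"},
}

# Same bases and filter template as AUTH_LDAP_USER_SEARCH in the settings above.
USER_SEARCHES: List[Tuple[str, str]] = [
    ("DC=america,DC=arcadia,DC=com", "(sAMAccountName=%(user)s)"),
    ("DC=emea,DC=arcadia,DC=com", "(sAMAccountName=%(user)s)"),
]

def in_subtree(dn: str, base: str) -> bool:
    """True if dn is base itself or anywhere below it (SCOPE_SUBTREE)."""
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())

def ldap_search(base: str, filter_template: str, user: str) -> List[str]:
    """One LDAPSearch: equality match of a '(attr=value)' filter under base."""
    attr, _, wanted = (filter_template % {"user": user})[1:-1].partition("=")
    return [dn for dn, attrs in DIRECTORY.items()
            if in_subtree(dn, base) and attrs.get(attr) == wanted]

def union_search(searches: List[Tuple[str, str]], user: str) -> List[str]:
    """LDAPSearchUnion semantics: run every search and concatenate the hits."""
    hits: List[str] = []
    for base, flt in searches:
        hits.extend(ldap_search(base, flt, user))
    return hits

def resolve_user_dn(user: str) -> Optional[str]:
    """Accept exactly one hit; a login name found in both domains is ambiguous
    and must not be mapped to either account."""
    hits = union_search(USER_SEARCHES, user)
    return hits[0] if len(hits) == 1 else None

def bind_user_covers(bind_base: str, searches: List[Tuple[str, str]]) -> List[str]:
    """Search bases that lie outside the bind user's reachable base (assumed model)."""
    return [base for base, _ in searches if not in_subtree(base, bind_base)]

if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "dave"):
        print(name, "->", resolve_user_dn(name))
    print("unreachable:", bind_user_covers("DC=america,DC=arcadia,DC=com", USER_SEARCHES))
```

Running it prints a DN for alice and bob, None for carol (ambiguous) and dave (absent), and lists the emea base as unreachable for a bind user rooted in the america domain.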