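<!doctype html>
<html lang="en">
<head>
  <!-- Document metadata for the "Configure LDAP authentication" page of the Druid 25.0.0 docs. -->
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Configure LDAP authentication · Apache Druid</title>
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <link rel="canonical" href="https://druid.apache.org/docs/25.0.0/operations/auth-ldap.html">
  <meta name="generator" content="Docusaurus">
  <!-- NOTE(review): both description values below hold only an escaped comment-open marker,
       which suggests the generator picked up the license header instead of the page summary.
       Confirm against the Markdown source before changing them. -->
  <meta name="description" content="&lt;!--">
  <meta name="docsearch:language" content="en">
  <meta name="docsearch:version" content="25.0.0">
  <meta property="og:title" content="Configure LDAP authentication · Apache Druid">
  <meta property="og:type" content="website">
  <meta property="og:url" content="https://druid.apache.org/index.html">
  <meta property="og:description" content="&lt;!--">
  <meta property="og:image" content="https://druid.apache.org/img/druid_nav.png">
  <meta name="twitter:card" content="summary">
  <meta name="twitter:image" content="https://druid.apache.org/img/druid_nav.png">
  <link rel="shortcut icon" href="/img/favicon.png">
  <!-- Third-party stylesheets, always fetched over https (no protocol-relative URLs).
       NOTE(review): neither link carries integrity/crossorigin attributes, so whatever the CDN
       returns is applied as-is. "docsearch.js@2" is a floating version range; pin an exact
       version before adding an integrity hash, otherwise the hash breaks on the next release.
       The same applies to the cdnjs script and Font Awesome stylesheet referenced later in
       this head. -->
  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/docsearch.js@2/dist/cdn/docsearch.min.css">
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/default.min.css">
  <!-- Google Analytics loader: a third-party script that runs with this page's privileges.
       A Content-Security-Policy for the site has to allow this host and the inline bootstrap
       that follows (via nonce or hash). -->
  <script async src="https://www.googletagmanager.com/gtag/js?id=UA-131010415-1"></script>
  <script>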
// Inline bootstrap for the analytics loader requested by the preceding <script async> tag.
// Reuses an existing global queue if one is already defined, otherwise starts an empty one.
window.dataLayer = window.dataLayer || [];
// Queues each call by pushing the raw `arguments` object (not a copied array) onto dataLayer.
// NOTE(review): keep this form unless the loader is confirmed to accept plain arrays.
function gtag(){dataLayer.push(arguments); }
// First queued entry: a 'js' command carrying the time this script ran.
gtag('js', new Date());
// Second queued entry: selects the analytics property ID used for this site.
gtag('config', 'UA-131010415-1');
</script><link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.7.2/css/all.css"/><link rel="stylesheet" href="/css/code-block-buttons.css"/><script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/2.0.4/clipboard.min.js"></script><script type="text/javascript" src="/js/code-block-buttons.js"></script><script src="/js/scrollSpy.js"></script><link rel="stylesheet" href="/css/main.css"/><script src="/js/codetabs.js"></script></head><body class="sideNavVisible separateOnPageNav"><div class="fixedHeaderContainer"><div class="headerWrapper wrapper"><header><a href="/"><img class="logo" src="/img/druid_nav.png" alt="Apache Druid"/></a><div class="navigationWrapper navigationSlider"><nav class="slidingNav"><ul class="nav-site nav-site-internal"><li class=""><a href="/technology" target="_self">Technology</a></li><li class=""><a href="/use-cases" target="_self">Use Cases</a></li><li class=""><a href="/druid-powered" target="_self">Powered By</a></li><li class="siteNavGroupActive"><a href="/docs/25.0.0/design/index.html" target="_self">Docs</a></li><li class=""><a href="/community/" target="_self">Community</a></li><li class=""><a href="https://www.apache.org" target="_self">Apache</a></li><li class=""><a href="/downloads.html" target="_self">Download</a></li><li class="navSearchWrapper reactNavSearchWrapper"><input type="text" id="search_input_react" placeholder="Search" title="Search"/></li></ul></nav></div></header></div></div><div class="navPusher"><div class="docMainWrapper wrapper"><div class="docsNavContainer" id="docsNav"><nav class="toc"><div class="toggleNav"><section class="navWrapper wrapper"><div class="navBreadcrumb wrapper"><div class="navToggle" id="navToggler"><div class="hamburger-menu"><div class="line1"></div><div class="line2"></div><div class="line3"></div></div></div><h2><i>โ€บ</i><span>Security</span></h2><div class="tocToggler" id="tocToggler"><i class="icon-toc"></i></div></div><div 
class="navGroups"><div class="navGroup"><h3 class="navGroupCategoryTitle collapsible">Getting started<span class="arrow"><svg width="24" height="24" viewBox="0 0 24 24"><path fill="#565656" d="M7.41 15.41L12 10.83l4.59 4.58L18 14l-6-6-6 6z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg></span></h3><ul class="hide"><li class="navListItem"><a class="navItem" href="/docs/25.0.0/design/index.html">Introduction to Apache Druid</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/tutorials/index.html">Quickstart (local)</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/single-server.html">Single server deployment</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/tutorials/cluster.html">Clustered deployment</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle collapsible">Tutorials<span class="arrow"><svg width="24" height="24" viewBox="0 0 24 24"><path fill="#565656" d="M7.41 15.41L12 10.83l4.59 4.58L18 14l-6-6-6 6z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg></span></h3><ul class="hide"><li class="navListItem"><a class="navItem" href="/docs/25.0.0/tutorials/tutorial-batch.html">Load files natively</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/tutorials/tutorial-msq-extern.html">Load files using SQL ๐Ÿ†•</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/tutorials/tutorial-kafka.html">Load from Apache Kafka</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/tutorials/tutorial-batch-hadoop.html">Load from Apache Hadoop</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/tutorials/tutorial-query.html">Querying data</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/tutorials/tutorial-rollup.html">Roll-up</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/tutorials/tutorial-sketches-theta.html">Theta sketches</a></li><li class="navListItem"><a 
class="navItem" href="/docs/25.0.0/tutorials/tutorial-retention.html">Configuring data retention</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/tutorials/tutorial-update-data.html">Updating existing data</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/tutorials/tutorial-compaction.html">Compacting segments</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/tutorials/tutorial-delete-data.html">Deleting data</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/tutorials/tutorial-ingestion-spec.html">Writing an ingestion spec</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/tutorials/tutorial-transform-spec.html">Transforming input data</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/tutorials/docker.html">Tutorial: Run with Docker</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/tutorials/tutorial-kerberos-hadoop.html">Kerberized HDFS deep storage</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/tutorials/tutorial-msq-convert-spec.html">Convert ingestion spec to SQL</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/tutorials/tutorial-jupyter-index.html">Jupyter Notebook tutorials</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle collapsible">Design<span class="arrow"><svg width="24" height="24" viewBox="0 0 24 24"><path fill="#565656" d="M7.41 15.41L12 10.83l4.59 4.58L18 14l-6-6-6 6z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg></span></h3><ul class="hide"><li class="navListItem"><a class="navItem" href="/docs/25.0.0/design/architecture.html">Design</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/design/segments.html">Segments</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/design/processes.html">Processes and servers</a></li><li class="navListItem"><a class="navItem" 
href="/docs/25.0.0/dependencies/deep-storage.html">Deep storage</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/dependencies/metadata-storage.html">Metadata storage</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/dependencies/zookeeper.html">ZooKeeper</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle collapsible">Ingestion<span class="arrow"><svg width="24" height="24" viewBox="0 0 24 24"><path fill="#565656" d="M7.41 15.41L12 10.83l4.59 4.58L18 14l-6-6-6 6z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg></span></h3><ul class="hide"><li class="navListItem"><a class="navItem" href="/docs/25.0.0/ingestion/index.html">Ingestion</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/ingestion/data-formats.html">Data formats</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/ingestion/data-model.html">Data model</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/ingestion/rollup.html">Data rollup</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/ingestion/partitioning.html">Partitioning</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/ingestion/ingestion-spec.html">Ingestion spec</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/ingestion/schema-design.html">Schema design tips</a></li><div class="navGroup subNavGroup"><h4 class="navGroupSubcategoryTitle">Stream ingestion</h4><ul><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/kafka-ingestion.html">Apache Kafka ingestion</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/kafka-supervisor-reference.html">Apache Kafka supervisor</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/kafka-supervisor-operations.html">Apache Kafka operations</a></li><li class="navListItem"><a class="navItem" 
href="/docs/25.0.0/development/extensions-core/kinesis-ingestion.html">Amazon Kinesis</a></li></ul></div><div class="navGroup subNavGroup"><h4 class="navGroupSubcategoryTitle">Batch ingestion</h4><ul><li class="navListItem"><a class="navItem" href="/docs/25.0.0/ingestion/native-batch.html">Native batch</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/ingestion/native-batch-input-sources.html">Native batch: input sources</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/ingestion/migrate-from-firehose.html">Migrate from firehose</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/ingestion/hadoop.html">Hadoop-based</a></li></ul></div><div class="navGroup subNavGroup"><h4 class="navGroupSubcategoryTitle">SQL-based ingestion ๐Ÿ†•</h4><ul><li class="navListItem"><a class="navItem" href="/docs/25.0.0/multi-stage-query/index.html">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/multi-stage-query/concepts.html">Key concepts</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/multi-stage-query/api.html">API</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/multi-stage-query/security.html">Security</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/multi-stage-query/examples.html">Examples</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/multi-stage-query/reference.html">Reference</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/multi-stage-query/known-issues.html">Known issues</a></li></ul></div><li class="navListItem"><a class="navItem" href="/docs/25.0.0/ingestion/tasks.html">Task reference</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/ingestion/faq.html">Troubleshooting FAQ</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle collapsible">Data management<span class="arrow"><svg width="24" height="24" viewBox="0 0 24 24"><path fill="#565656" 
d="M7.41 15.41L12 10.83l4.59 4.58L18 14l-6-6-6 6z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg></span></h3><ul class="hide"><li class="navListItem"><a class="navItem" href="/docs/25.0.0/data-management/index.html">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/data-management/update.html">Data updates</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/data-management/delete.html">Data deletion</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/data-management/schema-changes.html">Schema changes</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/data-management/compaction.html">Compaction</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/data-management/automatic-compaction.html">Automatic compaction</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle collapsible">Querying<span class="arrow"><svg width="24" height="24" viewBox="0 0 24 24"><path fill="#565656" d="M7.41 15.41L12 10.83l4.59 4.58L18 14l-6-6-6 6z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg></span></h3><ul class="hide"><div class="navGroup subNavGroup"><h4 class="navGroupSubcategoryTitle">Druid SQL</h4><ul><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/sql.html">Overview and syntax</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/sql-data-types.html">SQL data types</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/sql-operators.html">Operators</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/sql-scalar.html">Scalar functions</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/sql-aggregations.html">Aggregation functions</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/sql-multivalue-string-functions.html">Multi-value string functions</a></li><li class="navListItem"><a class="navItem" 
href="/docs/25.0.0/querying/sql-json-functions.html">JSON functions</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/sql-functions.html">All functions</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/sql-api.html">Druid SQL API</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/sql-jdbc.html">JDBC driver API</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/sql-query-context.html">SQL query context</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/sql-metadata-tables.html">SQL metadata tables</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/sql-translation.html">SQL query translation</a></li></ul></div><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/querying.html">Native queries</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/query-execution.html">Query execution</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/troubleshooting.html">Troubleshooting</a></li><div class="navGroup subNavGroup"><h4 class="navGroupSubcategoryTitle">Concepts</h4><ul><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/datasource.html">Datasources</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/joins.html">Joins</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/lookups.html">Lookups</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/multi-value-dimensions.html">Multi-value dimensions</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/nested-columns.html">Nested columns</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/multitenancy.html">Multitenancy</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/caching.html">Query caching</a></li><li 
class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/using-caching.html">Using query caching</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/query-context.html">Query context</a></li></ul></div><div class="navGroup subNavGroup"><h4 class="navGroupSubcategoryTitle">Native query types</h4><ul><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/timeseriesquery.html">Timeseries</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/topnquery.html">TopN</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/groupbyquery.html">GroupBy</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/scan-query.html">Scan</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/searchquery.html">Search</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/timeboundaryquery.html">TimeBoundary</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/segmentmetadataquery.html">SegmentMetadata</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/datasourcemetadataquery.html">DatasourceMetadata</a></li></ul></div><div class="navGroup subNavGroup"><h4 class="navGroupSubcategoryTitle">Native query components</h4><ul><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/filters.html">Filters</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/granularities.html">Granularities</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/dimensionspecs.html">Dimensions</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/aggregations.html">Aggregations</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/post-aggregations.html">Post-aggregations</a></li><li class="navListItem"><a class="navItem" 
href="/docs/25.0.0/misc/math-expr.html">Expressions</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/having.html">Having filters (groupBy)</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/limitspec.html">Sorting and limiting (groupBy)</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/topnmetricspec.html">Sorting (topN)</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/sorting-orders.html">String comparators</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/querying/virtual-columns.html">Virtual columns</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/geo.html">Spatial filters</a></li></ul></div></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle collapsible">Configuration<span class="arrow"><svg width="24" height="24" viewBox="0 0 24 24"><path fill="#565656" d="M7.41 15.41L12 10.83l4.59 4.58L18 14l-6-6-6 6z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg></span></h3><ul class="hide"><li class="navListItem"><a class="navItem" href="/docs/25.0.0/configuration/index.html">Configuration reference</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions.html">Extensions</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/configuration/logging.html">Logging</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle collapsible">Operations<span class="arrow"><svg width="24" height="24" viewBox="0 0 24 24"><path fill="#565656" d="M7.41 15.41L12 10.83l4.59 4.58L18 14l-6-6-6 6z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg></span></h3><ul class="hide"><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/web-console.html">Web console</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/java.html">Java runtime</a></li><div class="navGroup subNavGroup"><h4 
class="navGroupSubcategoryTitle">Security</h4><ul><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/security-overview.html">Security overview</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/security-user-auth.html">User authentication and authorization</a></li><li class="navListItem navListItemActive"><a class="navItem" href="/docs/25.0.0/operations/auth-ldap.html">LDAP auth</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/password-provider.html">Password providers</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/dynamic-config-provider.html">Dynamic Config Providers</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/tls-support.html">TLS support</a></li></ul></div><div class="navGroup subNavGroup"><h4 class="navGroupSubcategoryTitle">Performance tuning</h4><ul><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/basic-cluster-tuning.html">Basic cluster tuning</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/segment-optimization.html">Segment size optimization</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/mixed-workloads.html">Mixed workloads</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/http-compression.html">HTTP compression</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/clean-metadata-store.html">Automated metadata cleanup</a></li></ul></div><div class="navGroup subNavGroup"><h4 class="navGroupSubcategoryTitle">Monitoring</h4><ul><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/request-logging.html">Request logging</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/metrics.html">Metrics</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/alerts.html">Alerts</a></li></ul></div><li 
class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/api-reference.html">API reference</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/high-availability.html">High availability</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/rolling-updates.html">Rolling updates</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/rule-configuration.html">Using rules to drop and retain data</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/other-hadoop.html">Working with different versions of Apache Hadoop</a></li><div class="navGroup subNavGroup"><h4 class="navGroupSubcategoryTitle">Misc</h4><ul><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/dump-segment.html">dump-segment tool</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/reset-cluster.html">reset-cluster tool</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/insert-segment-to-db.html">insert-segment-to-db tool</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/pull-deps.html">pull-deps tool</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/deep-storage-migration.html">Deep storage migration</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/export-metadata.html">Export Metadata Tool</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/metadata-migration.html">Metadata Migration</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/operations/use_sbt_to_build_fat_jar.html">Content for build.sbt</a></li></ul></div></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle collapsible">Development<span class="arrow"><svg width="24" height="24" viewBox="0 0 24 24"><path fill="#565656" d="M7.41 15.41L12 10.83l4.59 4.58L18 14l-6-6-6 6z"></path><path d="M0 0h24v24H0z" 
fill="none"></path></svg></span></h3><ul class="hide"><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/overview.html">Developing on Druid</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/modules.html">Creating extensions</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/javascript.html">JavaScript functionality</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/build.html">Build from source</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/versioning.html">Versioning</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/experimental.html">Experimental features</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle collapsible">Misc<span class="arrow"><svg width="24" height="24" viewBox="0 0 24 24"><path fill="#565656" d="M7.41 15.41L12 10.83l4.59 4.58L18 14l-6-6-6 6z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg></span></h3><ul class="hide"><li class="navListItem"><a class="navItem" href="/docs/25.0.0/misc/papers-and-talks.html">Papers</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle collapsible">Hidden<span class="arrow"><svg width="24" height="24" viewBox="0 0 24 24"><path fill="#565656" d="M7.41 15.41L12 10.83l4.59 4.58L18 14l-6-6-6 6z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg></span></h3><ul class="hide"><li class="navListItem"><a class="navItem" href="/docs/25.0.0/comparisons/druid-vs-elasticsearch.html">Apache Druid vs Elasticsearch</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/comparisons/druid-vs-key-value.html">Apache Druid vs. 
Key/Value Stores (HBase/Cassandra/OpenTSDB)</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/comparisons/druid-vs-kudu.html">Apache Druid vs Kudu</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/comparisons/druid-vs-redshift.html">Apache Druid vs Redshift</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/comparisons/druid-vs-spark.html">Apache Druid vs Spark</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/comparisons/druid-vs-sql-on-hadoop.html">Apache Druid vs SQL-on-Hadoop</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/design/auth.html">Authentication and Authorization</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/design/broker.html">Broker</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/design/coordinator.html">Coordinator Process</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/design/historical.html">Historical Process</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/design/indexer.html">Indexer Process</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/design/indexing-service.html">Indexing Service</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/design/middlemanager.html">MiddleManager Process</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/design/overlord.html">Overlord Process</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/design/router.html">Router Process</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/design/peons.html">Peons</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/approximate-histograms.html">Approximate Histogram aggregators</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/avro.html">Apache Avro</a></li><li class="navListItem"><a class="navItem" 
href="/docs/25.0.0/development/extensions-core/azure.html">Microsoft Azure</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/bloom-filter.html">Bloom Filter</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/datasketches-extension.html">DataSketches extension</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/datasketches-hll.html">DataSketches HLL Sketch module</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/datasketches-quantiles.html">DataSketches Quantiles Sketch module</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/datasketches-theta.html">DataSketches Theta Sketch module</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/datasketches-tuple.html">DataSketches Tuple Sketch module</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/druid-basic-security.html">Basic Security</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/druid-kerberos.html">Kerberos</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/druid-lookups.html">Cached Lookup Module</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/druid-ranger-security.html">Apache Ranger Security</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/google.html">Google Cloud Storage</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/hdfs.html">HDFS</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/kafka-extraction-namespace.html">Apache Kafka Lookups</a></li><li class="navListItem"><a class="navItem" 
href="/docs/25.0.0/development/extensions-core/lookups-cached-global.html">Globally Cached Lookups</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/mysql.html">MySQL Metadata Store</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/orc.html">ORC Extension</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/druid-pac4j.html">Druid pac4j based Security extension</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/parquet.html">Apache Parquet Extension</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/postgresql.html">PostgreSQL Metadata Store</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/protobuf.html">Protobuf</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/s3.html">S3-compatible</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/simple-client-sslcontext.html">Simple SSLContext Provider Module</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/stats.html">Stats aggregator</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/test-stats.html">Test Stats Aggregators</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/druid-aws-rds.html">Druid AWS RDS Module</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-core/kubernetes.html">Kubernetes</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-contrib/ambari-metrics-emitter.html">Ambari Metrics Emitter</a></li><li class="navListItem"><a class="navItem" href="/docs/25.0.0/development/extensions-contrib/cassandra.html">Apache 
</script></nav></div><div class="container mainContainer docsContainer"><div class="wrapper"><div class="post"><header class="postHeader"><a class="edit-page-link button" href="https://github.com/apache/druid/edit/master/docs/operations/auth-ldap.md" target="_blank" rel="noreferrer noopener">Edit</a><h1 id="__docusaurus" class="postHeaderTitle">Configure LDAP authentication</h1></header><article><div><span><!--
~ Licensed to the Apache Software Foundation (ASF) under one
~ or more contributor license agreements. See the NOTICE file
~ distributed with this work for additional information
~ regarding copyright ownership. The ASF licenses this file
~ to you under the Apache License, Version 2.0 (the
~ "License"); you may not use this file except in compliance
~ with the License. You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing,
~ software distributed under the License is distributed on an
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~ KIND, either express or implied. See the License for the
~ specific language governing permissions and limitations
~ under the License.
-->
<p>You can use <a href="https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol">Lightweight Directory Access Protocol (LDAP)</a> to secure access to Apache Druid. This topic describes how to set up Druid authentication and authorization with LDAP and LDAP over TLS (LDAPS). The examples on this page show the configuration for an Active Directory LDAP system.</p>
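<p>The first step is to enable LDAP authentication and authorization for Druid. You then map an LDAP group to Druid roles and assign permissions to those roles. After you've completed this configuration, you can optionally enable LDAPS to make LDAP traffic confidential and secure. Until you do, the <code>ldap://</code> connections shown in the examples are not encrypted, so the bind password and the user credentials that Druid sends to the LDAP server are exposed to anyone who can observe that network path.</p>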
<h2><a class="anchor" aria-hidden="true" id="prerequisites"></a><a href="#prerequisites" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Prerequisites</h2>
<p>Before you start to configure LDAP for Druid, test your LDAP connection and perform a sample search.</p>
<h3><a class="anchor" aria-hidden="true" id="check-your-ldap-connection"></a><a href="#check-your-ldap-connection" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Check your LDAP connection</h3>
<p>Test your LDAP connection to verify it works with user credentials. Later in the process you <a href="#configure-druid-for-ldap-authentication">configure Druid for LDAP authentication</a> with this user as the <code>bindUser</code>.</p>
<p>The following example command tests the connection for the user <code>myuser@example.com</code>. Insert your LDAP server IP address. Modify the port number of your LDAP instance if it listens on a port other than <code>389</code>.</p>
<pre><code class="hljs css language-bash">ldapwhoami -vv -H ldap://ip_address:389 -D <span class="hljs-string">"myuser@example.com"</span> -W
</code></pre>
<p>Enter the password for the user when prompted and verify that the command succeeded. If it failed, check the following:</p>
<ul>
<li>Make sure you're using the correct port for your LDAP instance.</li>
<li>Check if a network firewall is preventing connections to the LDAP port.</li>
<li>Review your LDAP implementation details to see whether you need to specifically allow LDAP clients at the LDAP server. If so, add the Druid Coordinator server to the allow list.</li>
</ul>
<h3><a class="anchor" aria-hidden="true" id="test-your-ldap-search"></a><a href="#test-your-ldap-search" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Test your LDAP search</h3>
<p>Once your LDAP connection is working, search for a user. For example, the following command searches for the user <code>myuser</code> in an Active Directory system. The <code>sAMAccountName</code> attribute is specific to Active Directory and contains the authenticated user identity:</p>
<pre><code class="hljs css language-bash">ldapsearch -x -W -H ldap://ip_address:389 -D <span class="hljs-string">"cn=admin,dc=example,dc=com"</span> -b <span class="hljs-string">"dc=example,dc=com"</span> <span class="hljs-string">"(sAMAccountName=myuser)"</span> +
</code></pre>
<p>The <code>memberOf</code> attribute in the results shows the groups the user belongs to. For example, the following response shows that the user is a member of the <code>mygroup</code> group:</p>
<pre><code class="hljs css language-bash">memberOf: cn=mygroup,ou=groups,dc=example,dc=com
</code></pre>
<p>You use this information to map the LDAP group to Druid roles in a later step.</p>
<blockquote>
<p>Druid uses the <code>memberOf</code> attribute to determine a group's membership using LDAP. If your LDAP server implementation doesn't include this attribute, you must complete some additional steps when you <a href="#map-ldap-groups-to-druid-roles">map LDAP groups to Druid roles</a>.</p>
</blockquote>
<h2><a class="anchor" aria-hidden="true" id="configure-druid-for-ldap-authentication"></a><a href="#configure-druid-for-ldap-authentication" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Configure Druid for LDAP authentication</h2>
<p>To configure Druid to use LDAP authentication, follow these steps. See <a href="/docs/25.0.0/configuration/index.html">Configuration reference</a> for the location of the configuration files.</p>
<ol>
<li><p>Create a user in your LDAP system that you'll use both for internal communication with Druid and as the LDAP initial admin user. See <a href="/docs/25.0.0/operations/security-overview.html">Security overview</a> for more information.
In the example below, the LDAP user is <code>internal@example.com</code>.</p></li>
<li><p>Enable the <code>druid-basic-security</code> extension in the <code>common.runtime.properties</code> file.</p></li>
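<li><p>In the <code>common.runtime.properties</code> file, add the following lines for LDAP properties and substitute the values for your own. See <a href="/docs/25.0.0/development/extensions-core/druid-basic-security.html#properties-for-ldap-user-authentication">Druid basic security</a> for details about these properties. The example writes <code>bindPassword</code> and <code>internalClientPassword</code> as literal values, which means the file holds directory credentials: restrict read access to it, and check the linked reference for whether you can supply these values through a Druid password provider instead.</p>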
<pre><code class="hljs"><span class="hljs-attr">druid.auth.authenticatorChain</span>=[<span class="hljs-string">"ldap"</span>]
<span class="hljs-attr">druid.auth.authenticator.ldap.type</span>=basic
<span class="hljs-attr">druid.auth.authenticator.ldap.enableCacheNotifications</span>=<span class="hljs-literal">true</span>
<span class="hljs-attr">druid.auth.authenticator.ldap.credentialsValidator.type</span>=ldap
<span class="hljs-attr">druid.auth.authenticator.ldap.credentialsValidator.url</span>=ldap://ip_address:port
<span class="hljs-attr">druid.auth.authenticator.ldap.credentialsValidator.bindUser</span>=administrator@example.com
<span class="hljs-attr">druid.auth.authenticator.ldap.credentialsValidator.bindPassword</span>=adminpassword
<span class="hljs-attr">druid.auth.authenticator.ldap.credentialsValidator.baseDn</span>=dc=example,dc=com
<span class="hljs-attr">druid.auth.authenticator.ldap.credentialsValidator.userSearch</span>=(&amp;(sAMAccountName=%s)(objectClass=user))
<span class="hljs-attr">druid.auth.authenticator.ldap.credentialsValidator.userAttribute</span>=sAMAccountName
<span class="hljs-attr">druid.auth.authenticator.ldap.authorizerName</span>=ldapauth
<span class="hljs-attr">druid.escalator.type</span>=basic
<span class="hljs-attr">druid.escalator.internalClientUsername</span>=internal@example.com
<span class="hljs-attr">druid.escalator.internalClientPassword</span>=internaluserpassword
<span class="hljs-attr">druid.escalator.authorizerName</span>=ldapauth
<span class="hljs-attr">druid.auth.authorizers</span>=[<span class="hljs-string">"ldapauth"</span>]
<span class="hljs-attr">druid.auth.authorizer.ldapauth.type</span>=basic
<span class="hljs-attr">druid.auth.authorizer.ldapauth.initialAdminUser</span>=internal@example.com
<span class="hljs-attr">druid.auth.authorizer.ldapauth.initialAdminRole</span>=admin
<span class="hljs-attr">druid.auth.authorizer.ldapauth.roleProvider.type</span>=ldap
</code></pre>
<p>Note the following:</p>
<ul>
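<li><code>bindUser</code>: A user for connecting to LDAP. This should be the same user you used to <a href="#test-your-ldap-search">test your LDAP search</a>. The bind user needs only enough access to run the user search and read the attributes it returns, so a dedicated read-only account is sufficient; it doesn't have to be a directory administrator.</li>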
<li><code>userSearch</code>: Your LDAP search syntax.</li>
<li><code>userAttribute</code>: The user search attribute.</li>
<li><code>internal@example.com</code> is the LDAP user you created in step 1. In the example it serves as both the internal client user and the initial admin user.</li>
</ul>
<blockquote>
<p>In the above example, the <a href="/docs/25.0.0/development/extensions-core/druid-basic-security.html#escalator">Druid escalator</a> and LDAP initial admin user are set to the same user - <code>internal@example.com</code>. If the escalator is set to a different user, you must follow steps 4 and 5 to create the group mapping and allocate initial roles before the rest of the cluster can function.</p>
</blockquote></li>
<li><p>Save your group mapping to a JSON file. An example file <code>groupmap.json</code> looks like this:</p>
<pre><code class="hljs">{
<span class="hljs-attr">"name"</span>: <span class="hljs-string">"mygroupmap"</span>,
<span class="hljs-attr">"groupPattern"</span>: <span class="hljs-string">"CN=mygroup,CN=Users,DC=example,DC=com"</span>,
<span class="hljs-attr">"roles"</span>: [
<span class="hljs-string">"readRole"</span>
]
}
</code></pre>
<p>In the example, the LDAP group <code>mygroup</code> maps to Druid role <code>readRole</code> and the name of the mapping is <code>mygroupmap</code>.</p></li>
<li><p>Use the Druid API to create the group mapping and allocate initial roles according to your JSON file. The following example uses curl to create the mapping defined in <code>groupmap.json</code> for the LDAP group <code>mygroup</code>:</p>
<pre><code class="hljs">curl -i -v -H "Content-Type: application/json" -u <span class="hljs-type">internal</span> -X POST -d @groupmap.json http://localhost:<span class="hljs-number">8081</span>/druid-ext/basic-<span class="hljs-keyword">security</span>/<span class="hljs-keyword">authorization</span>/db/ldapauth/groupMappings/mygroupmap
</code></pre></li>
<li><p>Check that the group mapping was created successfully. The following example request lists all group mappings:</p>
<pre><code class="hljs">curl -i -v -H <span class="hljs-string">"Content-Type: application/json"</span> -u internal -X GET http:<span class="hljs-regexp">//</span>localhost:<span class="hljs-number">8081</span><span class="hljs-regexp">/druid-ext/</span>basic-security<span class="hljs-regexp">/authorization/</span>db<span class="hljs-regexp">/ldapauth/g</span>roupMappings
</code></pre></li>
</ol>
<h2><a class="anchor" aria-hidden="true" id="map-ldap-groups-to-druid-roles"></a><a href="#map-ldap-groups-to-druid-roles" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Map LDAP groups to Druid roles</h2>
<p>Once you've completed the initial setup and mapping, you can map more LDAP groups to Druid roles. Members of an LDAP group get access to the permissions of the corresponding Druid role.</p>
<h3><a class="anchor" aria-hidden="true" id="create-a-druid-role"></a><a href="#create-a-druid-role" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Create a Druid role</h3>
<p>To create a Druid role, you can submit a POST request to the Coordinator process using the Druid REST API or you can use the Druid console.</p>
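<p>The examples below use <code>localhost</code> as the Coordinator host and <code>8081</code> as the port. Amend these properties according to the details of your deployment. The requests authenticate with HTTP basic authentication (<code>-u internal</code>, for which curl prompts for the password), so when the Coordinator isn't on <code>localhost</code>, send them over HTTPS to keep the credentials from crossing the network unencrypted.</p>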
<p>Example request to create a role named <code>readRole</code>:</p>
<pre><code class="hljs">curl -i -v -H "Content-Type: application/json" -u <span class="hljs-type">internal</span> -X POST http://localhost:<span class="hljs-number">8081</span>/druid-ext/basic-<span class="hljs-keyword">security</span>/<span class="hljs-keyword">authorization</span>/db/ldapauth/roles/readRole
</code></pre>
<p>Check that Druid created the role successfully. The following example request lists all roles:</p>
<pre><code class="hljs">curl -i -v -H <span class="hljs-string">"Content-Type: application/json"</span> -u internal -X GET http:<span class="hljs-regexp">//</span>localhost:<span class="hljs-number">8081</span><span class="hljs-regexp">/druid-ext/</span>basic-security<span class="hljs-regexp">/authorization/</span>db<span class="hljs-regexp">/ldapauth/</span>roles
</code></pre>
<h3><a class="anchor" aria-hidden="true" id="add-permissions-to-the-druid-role"></a><a href="#add-permissions-to-the-druid-role" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Add permissions to the Druid role</h3>
<p>Once you have a Druid role you can add permissions to it. The following example adds read-only access to a <code>wikipedia</code> data source.</p>
<p>Given the following JSON in a file named <code>perm.json</code>:</p>
<pre><code class="hljs">[
{ <span class="hljs-attr">"resource"</span>: { <span class="hljs-attr">"name"</span>: <span class="hljs-string">"wikipedia"</span>, <span class="hljs-attr">"type"</span>: <span class="hljs-string">"DATASOURCE"</span> }, <span class="hljs-attr">"action"</span>: <span class="hljs-string">"READ"</span> },
{ <span class="hljs-attr">"resource"</span>: { <span class="hljs-attr">"name"</span>: <span class="hljs-string">".*"</span>, <span class="hljs-attr">"type"</span>: <span class="hljs-string">"STATE"</span> }, <span class="hljs-attr">"action"</span>: <span class="hljs-string">"READ"</span> },
{ <span class="hljs-attr">"resource"</span>: {<span class="hljs-attr">"name"</span>: <span class="hljs-string">".*"</span>, <span class="hljs-attr">"type"</span>: <span class="hljs-string">"CONFIG"</span>}, <span class="hljs-attr">"action"</span>: <span class="hljs-string">"READ"</span>}
]
</code></pre>
<p>The following request associates the permissions in the JSON file with the <code>readRole</code> role:</p>
<pre><code class="hljs">curl -i -v -H <span class="hljs-string">"Content-Type: application/json"</span> -u internal -X POST -d@perm.json http:<span class="hljs-regexp">//</span>localhost:<span class="hljs-number">8081</span><span class="hljs-regexp">/druid-ext/</span>basic-security<span class="hljs-regexp">/authorization/</span>db<span class="hljs-regexp">/ldapauth/</span>roles<span class="hljs-regexp">/readRole/</span>permissions
</code></pre>
<p>Druid users need the <code>STATE</code> and <code>CONFIG</code> permissions to view the data source in the Druid console. If you only want to assign querying permissions you can apply just the <code>READ</code> permission with the first line in the <code>perm.json</code> file.</p>
<p>You can also provide the data source name in the form of a regular expression. For example, to give access to all data sources starting with <code>wiki</code>, you would specify the data source name as <code>{ &quot;name&quot;: &quot;wiki.*&quot; }</code>. Keep in mind that the pattern also covers any data source created later whose name matches it.</p>
<h3><a class="anchor" aria-hidden="true" id="create-the-group-mapping"></a><a href="#create-the-group-mapping" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Create the group mapping</h3>
<p>You can now map an LDAP group to the Druid role. The following example request creates a mapping with name <code>mygroupmap</code>. It assumes that a group named <code>mygroup</code> exists in the directory.</p>
<pre><code class="hljs">{
<span class="hljs-attr">"name"</span>: <span class="hljs-string">"mygroupmap"</span>,
<span class="hljs-attr">"groupPattern"</span>: <span class="hljs-string">"CN=mygroup,CN=Users,DC=example,DC=com"</span>,
<span class="hljs-attr">"roles"</span>: [
<span class="hljs-string">"readRole"</span>
]
}
</code></pre>
<p>The following example request configures the mapping—the role mapping is in the file <code>groupmap.json</code>. See <a href="#configure-druid-for-ldap-authentication">Configure Druid for LDAP authentication</a> for the contents of an example file.</p>
<pre><code class="hljs">curl -i -v -H "Content-Type: application/json" -u <span class="hljs-type">internal</span> -X POST -d @groupmap.json http://localhost:<span class="hljs-number">8081</span>/druid-ext/basic-<span class="hljs-keyword">security</span>/<span class="hljs-keyword">authorization</span>/db/ldapauth/groupMappings/mygroupmap
</code></pre>
<p>To check whether the group mapping was created successfully, the following request lists all group mappings:</p>
<pre><code class="hljs">curl -i -v -H <span class="hljs-string">"Content-Type: application/json"</span> -u internal -X GET http:<span class="hljs-regexp">//</span>localhost:<span class="hljs-number">8081</span><span class="hljs-regexp">/druid-ext/</span>basic-security<span class="hljs-regexp">/authorization/</span>db<span class="hljs-regexp">/ldapauth/g</span>roupMappings
</code></pre>
<p>The following example request returns the details of the <code>mygroupmap</code> group:</p>
<pre><code class="hljs">curl -i -v -H "Content-Type: application/json" -u <span class="hljs-type">internal</span> -X <span class="hljs-keyword">GET</span> http://localhost:<span class="hljs-number">8081</span>/druid-ext/basic-<span class="hljs-keyword">security</span>/<span class="hljs-keyword">authorization</span>/db/ldapauth/groupMappings/mygroupmap
</code></pre>
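<p>The following example request adds the role <code>queryRole</code> to the <code>mygroupmap</code> mapping. In the request path, the segment after <code>groupMappings</code> is the name of the mapping (not the LDAP group) and the segment after <code>roles</code> is the role name, so for the mapping defined above substitute <code>mygroupmap</code> and <code>queryRole</code> for the <code>mygroup</code> and <code>queryrole</code> shown in the command:</p>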
<pre><code class="hljs">curl -i -v -H "Content-Type: application/json" -u <span class="hljs-type">internal</span> -X POST http://localhost:<span class="hljs-number">8081</span>/druid-ext/basic-<span class="hljs-keyword">security</span>/<span class="hljs-keyword">authorization</span>/db/ldapauth/groupMappings/mygroup/roles/queryrole
</code></pre>
<h3><a class="anchor" aria-hidden="true" id="add-an-ldap-user-to-druid-and-assign-a-role"></a><a href="#add-an-ldap-user-to-druid-and-assign-a-role" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Add an LDAP user to Druid and assign a role</h3>
<p>You only need to complete this step if:</p>
<ul>
<li>Your LDAP user doesn't belong to any of your LDAP groups, or</li>
<li>You want to configure a user with additional Druid roles that are not mapped to the LDAP groups that the user belongs to.</li>
</ul>
<p>Example request to add the LDAP user <code>myuser</code> to Druid:</p>
<pre><code class="hljs">curl -i -v -H <span class="hljs-string">"Content-Type: application/json"</span> -u <span class="hljs-keyword">internal</span> -X POST http:<span class="hljs-comment">//localhost:8081/druid-ext/basic-security/authentication/db/ldap/users/myuser </span>
</code></pre>
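<p>Example request to assign the <code>myuser</code> user to the <code>queryRole</code> role. Note that every other role request on this page goes to the authorizer path <code>authorization/db/ldapauth</code>, whereas the command below targets the authenticator path <code>authentication/db/ldap</code>; role assignments are normally made through the authorizer, so verify the path against the Druid basic security API reference before you rely on it:</p>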
<pre><code class="hljs">curl -i -v -H <span class="hljs-string">"Content-Type: application/json"</span> -u <span class="hljs-keyword">internal</span> -X POST http:<span class="hljs-comment">//localhost:8081/druid-ext/basic-security/authentication/db/ldap/users/myuser/roles/queryRole</span>
</code></pre>
<h2><a class="anchor" aria-hidden="true" id="enable-ldap-over-tls-ldaps"></a><a href="#enable-ldap-over-tls-ldaps" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Enable LDAP over TLS (LDAPS)</h2>
<p>Once you've configured LDAP authentication in Druid, you can optionally make LDAP traffic confidential and secure by using Transport Layer Security (TLS)—previously Secure Socket Layer (SSL)—technology.</p>
<p>Configuring LDAPS establishes trust between Druid and the LDAP server.</p>
<h2><a class="anchor" aria-hidden="true" id="prerequisites-1"></a><a href="#prerequisites-1" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Prerequisites</h2>
<p>Before you start to set up LDAPS in Druid, you must <a href="#configure-druid-for-ldap-authentication">configure Druid for LDAP authentication</a>. You also need:</p>
<ul>
<li>A certificate issued by a public certificate authority (CA) or a self-signed certificate by an internal CA.</li>
<li>The root certificate for the CA that signed the certificate for the LDAP server. If you're using a common public CA, the certificate may already be in the Java truststore. Otherwise you need to import the certificate for the CA.</li>
</ul>
<h2><a class="anchor" aria-hidden="true" id="configure-druid-for-ldaps"></a><a href="#configure-druid-for-ldaps" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Configure Druid for LDAPS</h2>
<p>Complete the following steps to set up LDAPS for Druid. See <a href="/docs/25.0.0/configuration/index.html">Configuration reference</a> for the location of the configuration files.</p>
<ol>
<li><p>Import the CA certificate for your LDAP server or a self-signed certificate into the truststore location saved as <code>druid.client.https.trustStorePath</code> in your <code>common.runtime.properties</code> file.</p>
<pre><code class="hljs">keytool -<span class="hljs-keyword">import</span> -trustcacerts -keystore <span class="hljs-type">path</span>/<span class="hljs-keyword">to</span>/cacerts -storepass truststorepassword -<span class="hljs-keyword">alias</span> aliasName -file <span class="hljs-type">path</span>/<span class="hljs-keyword">to</span>/certificate.cer
</code></pre>
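<p>Replace <code>path/to/cacerts</code> with the path to your truststore, <code>truststorepassword</code> with your truststore password, <code>aliasName</code> with an alias for the certificate entry in the truststore, and <code>path/to/certificate.cer</code> with the location and name of your certificate. If you leave out <code>-storepass</code>, keytool prompts for the password, which keeps it out of your shell history and the process list. For example:</p>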
<pre><code class="hljs">keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/adoptopenjdk-<span class="hljs-number">8</span>.jdk/Contents/Home/jre/<span class="hljs-class"><span class="hljs-keyword">lib</span>/<span class="hljs-title">security</span>/<span class="hljs-title">cacerts</span> -<span class="hljs-title">storepass</span> <span class="hljs-title">mypassword</span> -<span class="hljs-title">alias</span> <span class="hljs-title">myAlias</span> -<span class="hljs-title">file</span> /<span class="hljs-title">etc</span>/<span class="hljs-title">ssl</span>/<span class="hljs-title">certs</span>/<span class="hljs-title">my</span>-<span class="hljs-title">certificate</span>.<span class="hljs-title">cer</span></span>
</code></pre></li>
<li><p>If the root certificate for the CA isn't already in the Java truststore, import it:</p>
<pre><code class="hljs">keytool -importcert -keystore <span class="hljs-type">path</span>/<span class="hljs-keyword">to</span>/cacerts -storepass truststorepassword -<span class="hljs-keyword">alias</span> aliasName -file <span class="hljs-type">path</span>/<span class="hljs-keyword">to</span>/certificate.cer
</code></pre>
<p>Replace <code>path/to/cacerts</code> with the path to your truststore, <code>truststorepassword</code> with your truststore password, <code>aliasName</code> with an alias for the certificate entry in the truststore, and <code>path/to/certificate.cer</code> with the location and name of your certificate. For example:</p>
<pre><code class="hljs">keytool -importcert -keystore /Library/Java/JavaVirtualMachines/adoptopenjdk-<span class="hljs-number">8</span>.jdk/Contents/Home/jre/<span class="hljs-class"><span class="hljs-keyword">lib</span>/<span class="hljs-title">security</span>/<span class="hljs-title">cacerts</span> -<span class="hljs-title">storepass</span> <span class="hljs-title">mypassword</span> -<span class="hljs-title">alias</span> <span class="hljs-title">myAlias</span> -<span class="hljs-title">file</span> /<span class="hljs-title">etc</span>/<span class="hljs-title">ssl</span>/<span class="hljs-title">certs</span>/<span class="hljs-title">my</span>-<span class="hljs-title">certificate</span>.<span class="hljs-title">cer</span></span>
</code></pre></li>
<li><p>In your <code>common.runtime.properties</code> file, add the following lines to the LDAP configuration section, substituting your own truststore path and password:</p>
<pre><code class="hljs">druid.auth.basic.ssl.trustStorePath=<span class="hljs-regexp">/Library/</span>Java/JavaVirtualMachines/adoptopenjdk-<span class="hljs-number">8</span>.jdk/Contents/Home/jre/<span class="hljs-class"><span class="hljs-keyword">lib</span>/<span class="hljs-title">security</span>/<span class="hljs-title">cacerts</span></span>
druid.auth.basic.ssl.protocol=TLS
druid.auth.basic.ssl.trustStorePassword=xxxxxx
</code></pre>
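<p>See <a href="/docs/25.0.0/development/extensions-core/druid-basic-security.html#properties-for-ldaps">Druid basic security</a> for details about these properties. The truststore settings only matter for a TLS connection, so also confirm that <code>druid.auth.authenticator.ldap.credentialsValidator.url</code> uses the <code>ldaps://</code> scheme and the port your LDAP server uses for LDAPS; with an <code>ldap://</code> URL the connection remains unencrypted.</p></li>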
<li><p>You can optionally configure additional LDAPS properties in the <code>common.runtime.properties</code> file. See <a href="/docs/25.0.0/development/extensions-core/druid-basic-security.html#properties-for-ldaps">Druid basic security</a> for more information.</p></li>
<li><p>Restart Druid.</p></li>
</ol>
<h2><a class="anchor" aria-hidden="true" id="troubleshooting-tips"></a><a href="#troubleshooting-tips" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Troubleshooting tips</h2>
<p>The following are some ideas to help you troubleshoot issues with LDAP and LDAPS.</p>
<h3 id="check-the-coordinator-logs">Check the coordinator logs</h3>
<p>If your LDAP connection isn't working, check the coordinator logs. See <a href="/docs/25.0.0/configuration/logging.html">Logging</a> for details.</p>
<h3 id="check-the-druid-escalator-configuration">Check the Druid escalator configuration</h3>
<p>If the coordinator is working but the rest of the cluster isn't, check the escalator configuration. See the <a href="/docs/25.0.0/configuration/index.html">Configuration reference</a> for details. You can also check other service logs to see why the services are unable to fetch authorization details from the coordinator.</p>
<h3 id="check-your-ldap-server-response-time">Check your LDAP server response time</h3>
<p>If a user can log in to the Druid console but the landing page shows a 401 error, check your LDAP server response time. In a large organization with a high number of LDAP users, LDAP may be slow to respond, and this can result in a connection timeout.</p>
</span></div></article></div></div></div></div></div></body></html>