AD/LDAP Servers

Describes the differences between the internal OpenLDAP server in HPE Ezmeral Unified Analytics Software and external AD/LDAP servers. Also describes some of the server-related configuration options that you set during installation.

When you install HPE Ezmeral Unified Analytics Software, the configuration options vary depending on whether you use an external AD/LDAP server (default and recommended) or the internal OpenLDAP server included with HPE Ezmeral Unified Analytics Software.

After installation, the designated administrator can sign in and grant users permission to access HPE Ezmeral Unified Analytics Software and assign roles. A user management operator running in HPE Ezmeral Unified Analytics Software sets up local resources for users, such as their user profile and workspace, and also enables access.
NOTE
  • SSO does not support applications that use AD/LDAP integration to validate credentials presented to an external service.
  • The AD/LDAP server supports access by PLAIN (unsecured) LDAP, LDAPS, or StartTLS. Do not use PLAIN LDAP in production. If using LDAPS or StartTLS, one or more custom certificates may be needed to validate the server certificate. See Working with Certs and the Truststore.

The following sections describe the differences between internal and external AD/LDAP servers:

External AD/LDAP Server

When you configure an external directory during installation, HPE Ezmeral Unified Analytics Software references the external AD/LDAP server and gets users from it.

When you sign in to HPE Ezmeral Unified Analytics Software, you can search for users, grant access, and assign roles.

HPE Ezmeral Unified Analytics Software has the following external AD/LDAP server requirements:
  • The AD/LDAP server must already exist.
  • The AD/LDAP server must be network-accessible to the deployed HPE Ezmeral Unified Analytics Software instance.
  • For AWS deployments, the AD/LDAP server must be accessible to the VPC where the HPE Ezmeral Unified Analytics Software instance runs.
  • The AD/LDAP server must contain user objects with the required attributes. Any addition, removal, or modification of users and their attributes must be done at the AD/LDAP server.
    • The user objects on the external AD/LDAP server must have the following attributes:
      • Username
      • Fullname
      • UID
      • GID

      These attributes are required to federate users from the AD/LDAP server to Keycloak. User objects obtained through the direct AD/LDAP integration do not contain any role assignments and do not indicate which users are enabled to use HPE Ezmeral Unified Analytics Software.

  • The AD/LDAP server contains the Group GID attribute on the group objects.
    NOTE
    If the server is not Active Directory, you must specify the Group Name attribute for group objects.
When you configure the external AD/LDAP server during installation, you specify the following information:
  • How to contact the LDAP server.
  • How to bind to the server to find account information.
  • Truststore for validating the server certificate.
  • Information about how user objects are configured.
The following list describes some of the AD/LDAP fields that you configure during installation:

Active Directory
  If you do not select the Active Directory (AD) option, the possible schemas are more varied. You must enter additional information to properly describe the user and group objects.

Validation
  The validation check boxes enable sanity checks before the installation starts and during the installation process. The validation can detect issues with the AD integration server before the installation is well underway. Only disable these options when running the installation container in an environment that cannot access AD.

Search Base DN
  Must cover both user and group objects.

Security Protocol
  If the security protocol is LDAPS or StartTLS, the server certificate is validated. If the server certificate was signed by something other than a known public CA, a truststore must be provided. A truststore is a JKS file such as those created by the Java keytool utility. If the provided truststore is password protected, the truststore password must also be supplied.

Username Attribute
  Must contain the name of a user object attribute on the server that contains a username that follows these content rules:
    • The syntax is POSIX-like, except that a username cannot begin or end with a dot or underscore.
    • Capital letters, alphanumeric beginnings and endings, dots, dashes, and underscores are all valid, within a 63-character limit.
    • Usernames are case-insensitive. If a username is bob, this user can sign in as BOB, Bob, or bob. Regardless of how bob signs in, the username always displays in lowercase (bob).

Fullname Attribute
  Must contain the name of a user object attribute on the server that contains the user's full name. This is typically the name attribute on AD servers or cn on OpenLDAP servers.

Email Attribute
  If the admin performing the installation selects the Allow Login By Email Address option, users can sign in using their email address or username; otherwise, users can only sign in with their usernames.

  Even if you do not select the Allow Login By Email Address option, you can still specify an email attribute for users, and their email addresses (if available) are discovered for display purposes. In this scenario, however, users cannot sign in to Unified Analytics using their email address.

  Each user must have a unique email address. This is typically the mail attribute on AD or OpenLDAP servers.

UID Attribute
  The user object attribute that is expected to contain an integer user ID value.

GID Attribute
  The user object attribute that is expected to contain the integer value for this user's primary group ID.

Group GID
  The group object attribute that is expected to contain an integer group ID value.

Group Name
  The group object attribute that is expected to contain the group name.

Default Admin User
  Must identify a user that already exists on the server. The value specified here must be the value of the Username Attribute on that user object.
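The following Python validator is an added example (not HPE's code) that applies the username content rules above and the required-attribute check from the External AD/LDAP Server requirements to a single LDAP user entry before it would be federated. The attribute names uid, name, uidNumber and gidNumber are assumed AD/OpenLDAP-style names, and entry values are assumed to be already decoded strings.

```python
import re

# Added example, not HPE code. Encodes the username content rules and the
# required user-object attributes (Username, Fullname, UID, GID) from the page.
# The LDAP attribute names below are assumed AD/OpenLDAP-style names.
USERNAME_MAX_LEN = 63
# POSIX-like charset; must start and end with an alphanumeric character, so a
# leading or trailing dot or underscore is rejected.
_USERNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?")

# Maps the page's field names to the LDAP attribute holding each value.
ATTR_MAP = {"username": "uid", "fullname": "name",
            "uid": "uidNumber", "gid": "gidNumber"}


def normalize_username(raw):
    """Return the canonical lowercase username, or raise ValueError."""
    if not isinstance(raw, str) or len(raw) > USERNAME_MAX_LEN:
        raise ValueError("username missing or longer than %d chars" % USERNAME_MAX_LEN)
    if not _USERNAME_RE.fullmatch(raw):
        raise ValueError("username %r violates content rules" % raw)
    # Sign-in is case-insensitive and the stored form is always lowercase.
    return raw.lower()


def validate_user_entry(entry, attr_map=ATTR_MAP):
    """Validate one LDAP entry (attribute -> list of str values) against the
    required attributes. Returns (normalized_fields, list_of_problems)."""
    fields, problems = {}, []
    for field, attr in attr_map.items():
        values = entry.get(attr) or []
        if not values:
            problems.append("missing %s attribute %r" % (field, attr))
            continue
        value = values[0]
        if field == "username":
            try:
                fields[field] = normalize_username(value)
            except ValueError as exc:
                problems.append(str(exc))
        elif field in ("uid", "gid"):
            # UID and GID attributes must hold integer values.
            if isinstance(value, str) and value.isdigit():
                fields[field] = int(value)
            else:
                problems.append("%s attribute %r is not an integer: %r" % (field, attr, value))
        else:
            fields[field] = value
    return fields, problems
```

An entry that returns a non-empty problem list would fail federation to Keycloak, so the check is worth running against a sample of users before installation rather than discovering the gaps when sign-in fails.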

Internal OpenLDAP Server

You can select Use Internal LDAP Server during installation and configure an internal directory. In HPE Ezmeral Unified Analytics Software, the internal directory setup is an OpenLDAP server. Only use the internal directory for POCs and demos; do not use the internal directory in production.

If you opt to use the internal directory, during installation you specify the following information to create the administrator in the system:
  • username
  • full name
  • email
  • password
The administrator is the initial user that signs in to HPE Ezmeral Unified Analytics Software to add other users and perform administrative tasks. Adding users creates the internal user directory.

When you remove a user, the user can no longer access the HPE Ezmeral Unified Analytics Software cluster, and the system clears the local resources. See Adding and Removing Users.