Hopsworks enterprise edition supports LDAP integration for user login.
LDAP integration can be configured from the cluster definition by specifying the following attributes (the values shown are examples):
ldap:
  enabled: true
  group_mapping: "Directory Administrators->HOPS_ADMIN;IT People-> HOPS_USER"
  user_id: "uid"
  user_givenName: "givenName"
  user_surname: "sn"
  user_email: "mail"
  user_search_filter: "uid=%s"
  group_search_filter: "member=%d"
  attr_binary: "java.naming.ldap.attributes.binary"
  group_target: "cn"
  dyn_group_target: "memberOf"
  user_dn: ""
  group_dn: ""
  account_status: 2
  jndilookupname: "dc=example,dc=com"
  provider_url: "ldap://193.10.66.104:1389"
  attr_binary_val: "entryUUID"
  security_auth: "none"
  security_principal: ""
  security_credentials: ""
  referral: "ignore"
  additional_props: ""
group_mapping maps LDAP group names to Hopsworks roles (HOPS_ADMIN, HOPS_USER), one mapping per semicolon-separated entry. user_search_filter and group_search_filter are LDAP search filters in which %s is replaced by the login name and %d by the distinguished name of the user found by the first search; user_dn and group_dn restrict the user and group searches to a subtree and, when left empty, the search starts at the jndilookupname base. security_auth, security_principal, security_credentials and referral correspond to the JNDI properties java.naming.security.authentication, java.naming.security.principal, java.naming.security.credentials and java.naming.referral: with "none", as above, the directory is queried anonymously, while "simple" binds as security_principal using the password in security_credentials. A simple bind sends that password in clear text, so only use it with an ldaps:// provider_url (or a connection upgraded with StartTLS), not with plain ldap:// as in the example. attr_binary is the JNDI property (java.naming.ldap.attributes.binary) that lists attributes to be returned as raw bytes, and attr_binary_val is the attribute listed under it, entryUUID here. account_status is the Hopsworks account status given to users created from LDAP.
An already deployed instance can be configured to connect to LDAP without running Karamel/Chef. Administrators should create a new JNDI external resource in Payara named ldap/LdapResource. This can be done either through the Payara web UI or through the asadmin command-line tool.
Restart Hopsworks after you have created the resource: run systemctl restart glassfish-domain1.
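The asadmin route, as an added example that is not part of the Hopsworks documentation or code base: a POSIX shell script that creates ldap/LdapResource carrying the same connection settings the cluster definition above expresses, and then restarts the domain. It assumes that the resource is an LDAP context (javax.naming.ldap.LdapContext produced by com.sun.jndi.ldap.LdapCtxFactory) whose properties are the standard JNDI environment keys (java.naming.provider.url, java.naming.security.authentication and so on), that asadmin is found at the path in ASADMIN, and that the bind password arrives in the BIND_PW environment variable. The hostnames, the base DN and the HOPSWORKS_LDAP_APPLY switch are placeholders of this example.

```shell
#!/bin/sh
# Added example, not code from the Hopsworks project: create the
# ldap/LdapResource JNDI resource with asadmin instead of the Payara web UI.
# Assumptions (adjust for your installation): asadmin lives at $ASADMIN, the
# directory is reachable at $LDAP_URL, and the bind password is passed in
# $BIND_PW rather than typed on the command line.
set -eu

ASADMIN="${ASADMIN:-/opt/payara/bin/asadmin}"
LDAP_URL="${LDAP_URL:-ldaps://ldap.example.com:636}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"
BIND_DN="${BIND_DN:-}"     # empty -> anonymous bind (security_auth "none")
BIND_PW="${BIND_PW:-}"

# asadmin --property separates name=value pairs with ':', so a literal ':'
# inside a value (ldap://host:1389) must be escaped as '\:'.
escape_prop_value() {
  printf '%s' "$1" | sed 's/:/\\:/g'
}

# Refuse a simple bind over plain ldap://: the bind password would cross the
# network in clear text. Returns 0 when the combination is acceptable.
transport_is_safe() {
  url="$1"; auth="$2"
  case "$auth|$url" in
    "simple|ldap://"*) return 1 ;;
  esac
  return 0
}

# Build the --property string from the JNDI environment keys that the
# cluster definition's ldap: block maps to (assumed mapping, see lead-in).
build_ldap_props() {
  url="$1"; auth="$2"; principal="$3"; credentials="$4"
  props="java.naming.provider.url=$(escape_prop_value "$url")"
  props="$props:java.naming.security.authentication=$auth"
  props="$props:java.naming.referral=ignore"
  props="$props:java.naming.ldap.attributes.binary=entryUUID"
  if [ "$auth" = "simple" ]; then
    props="$props:java.naming.security.principal=$(escape_prop_value "$principal")"
    props="$props:java.naming.security.credentials=$(escape_prop_value "$credentials")"
  fi
  printf '%s' "$props"
}

create_ldap_resource() {
  auth=none
  [ -n "$BIND_DN" ] && auth=simple
  transport_is_safe "$LDAP_URL" "$auth" || {
    echo "refusing simple bind over plain ldap://; use ldaps://" >&2
    return 1
  }
  props="$(build_ldap_props "$LDAP_URL" "$auth" "$BIND_DN" "$BIND_PW")"
  "$ASADMIN" create-jndi-resource \
    --restype javax.naming.ldap.LdapContext \
    --factoryclass com.sun.jndi.ldap.LdapCtxFactory \
    --jndilookupname "$BASE_DN" \
    --property "$props" \
    ldap/LdapResource
  # Hopsworks reads the resource at startup, so restart the domain.
  systemctl restart glassfish-domain1
}

# Only touch Payara when explicitly asked; otherwise show the properties.
if [ "${HOPSWORKS_LDAP_APPLY:-0}" = "1" ]; then
  create_ldap_resource
else
  auth=none; [ -n "$BIND_DN" ] && auth=simple
  printf 'would create ldap/LdapResource with: %s\n' \
    "$(build_ldap_props "$LDAP_URL" "$auth" "$BIND_DN" '<redacted>')"
fi
```

By default the script only prints the property string it would pass; set HOPSWORKS_LDAP_APPLY=1 to actually create the resource and restart the domain. Two points it encodes: asadmin treats ':' in --property as the pair separator, so the colon in ldap://host:1389 has to be escaped as '\:', and a simple bind over plain ldap:// is refused because the bind password would travel unencrypted. The credentials value ends up in clear text in domain.xml; a Payara password alias (created with asadmin create-password-alias and referenced as ${ALIAS=name} in the property value) keeps it out of the configuration file.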
Setting the ldap_auth variable to true in the Hopsworks settings panel makes the LDAP configuration option appear in the Admin panel.
Clicking on it opens the LDAP configuration panel, where administrators can configure the LDAP connection using the attributes described above.
After saving and restarting Hopsworks, users will be able to log in with their LDAP credentials.
Expat can migrate existing local users and map them to LDAP users. Currently Expat only supports migrating Kerberos single sign-on users, but it can easily be extended to migrate LDAP users.
Even with LDAP enabled, users will still be able to register with their email addresses; it is up to the administrators to enforce an LDAP-only account policy. Users registered with an email address have to be activated manually by an administrator, as described in User administration.