March 21, 2014

Hadoop GroupMapping – LDAP Integration

LDAP provides a central source for maintaining users and groups within an enterprise. There are two ways to use LDAP groups within Hadoop. The first is to use OS level configuration to read LDAP groups. The second is to explicitly configure Hadoop to use LDAP-based group mapping.

Here is an overview of steps to configure Hadoop explicitly to use groups stored in LDAP.

  • Modify core-site.xml to point to LDAP for group mapping
  • Re-start HDFS NameNode & YARN ResourceManager
  • Verify LDAP based group mapping

Prerequisites: Access to LDAP and the connection details are available.

Step 1: Modify core-site.xml to point to LDAP for group mapping

Back up your core-site.xml before making modifications to it. Below is a sample configuration that needs to be added to core-site.xml. You will need to provide the bind user, the bind password and the other properties specific to your LDAP, and make sure the object class and the user and group filters match the values specified in your LDAP.


While the group mapping configuration supports reading the password from a file, the relevant configuration is commented out in the above example because of this bug (HADOOP-10249).

Step 2: Re-start Hadoop

Follow the instructions in the Hortonworks Data Platform documentation to re-start HDFS NameNode & YARN ResourceManager.

Step 3: Verify LDAP group mapping

Run the hdfs groups command. This command fetches groups from LDAP for the current user. Note that with LDAP group mapping configured, HDFS permissions can use groups defined in LDAP for access control.
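When hdfs groups returns nothing useful, a static check of the Step 1 properties narrows down the cause, and it can also be run before the restart in Step 2. The Python lint below is an added example, not code or configuration from the original post: the property names are Hadoop's LdapGroupsMapping keys, while the embedded core-site.xml (host, DNs, password, filters) is constructed and the finding labels are this example's own.

```python
import xml.etree.ElementTree as ET

GM = "hadoop.security.group.mapping"
LDAP = GM + ".ldap."

# Constructed sample (placeholder host, DNs, password, filters); not the post's configuration.
SAMPLE = """<configuration>
 <property><name>hadoop.security.group.mapping</name><value>org.apache.hadoop.security.LdapGroupsMapping</value></property>
 <property><name>hadoop.security.group.mapping.ldap.url</name><value>ldap://ldap.example.com:389</value></property>
 <property><name>hadoop.security.group.mapping.ldap.bind.user</name><value>cn=hadoop-bind,ou=services,dc=example,dc=com</value></property>
 <property><name>hadoop.security.group.mapping.ldap.bind.password</name><value>CHANGE_ME</value></property>
 <property><name>hadoop.security.group.mapping.ldap.base</name><value>dc=example,dc=com</value></property>
 <property><name>hadoop.security.group.mapping.ldap.search.filter.user</name><value>(&amp;(objectClass=person)(uid={0}))</value></property>
 <property><name>hadoop.security.group.mapping.ldap.search.filter.group</name><value>(objectClass=groupOfNames)</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} for every <property> in a core-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def lint(xml_text):
    """Return a list of 'label: detail' findings for the LDAP group-mapping properties."""
    p = load_props(xml_text)
    findings = []
    if not p.get(GM, "").endswith("LdapGroupsMapping"):
        findings.append("mapping-class: " + GM + " is not LdapGroupsMapping")
    for key in ("url", "base", "bind.user"):
        if not p.get(LDAP + key):
            findings.append("missing: " + LDAP + key)
    url = p.get(LDAP + "url", "")
    # A plain ldap:// URL without the ssl property carries the simple bind unencrypted.
    if url.startswith("ldap://") and p.get(LDAP + "ssl", "false").lower() != "true":
        findings.append("cleartext: bind password and group lookups are sent unencrypted")
    user_filter = p.get(LDAP + "search.filter.user")
    # Hadoop substitutes the user name for {0}; without it the filter cannot select one user.
    if user_filter is not None and "{0}" not in user_filter:
        findings.append("user-filter: no {0} placeholder for the user name")
    if p.get(LDAP + "bind.password"):
        findings.append("inline-password: check who can read core-site.xml")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Point load_props at the text of your own core-site.xml; an empty result from lint means none of these checks fired, not that the LDAP server accepts the settings.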


Since there are two ways in Hadoop to use groups in LDAP, a basic question is when to use each way. The OS based group mapping is a Linux/Unix method and won’t work on Windows. The explicit group mapping covered in this post will work on both Linux & Windows.

Let me know if you run into any issues with the steps in this post or have any comments on this post. In the next post I will cover configuring OS to read group information from LDAP.



  • The sample services.ldif file mentioned in Step1 is not accessible. Kindly make it available.

  • Can you provide me a sample services.ldif file for adding Hadoop service accounts to LDAP? I need it a little urgently, as my task is based on the same. It would be great of you if you can provide me ASAP.

    And I have one more query. Should the value for “hadoop.security.group.mapping.ldap.bind.password” be the LDAP server authentication password?

  • Can you provide a sample services.ldif file to add Hadoop user accounts to the LDAP server? I would be very grateful, as it is required for a task urgently.

  • To use LDAPS, you’ll also need to import the cert from the KDC into the default JDK keystore:

    keytool -importcert -file rootCA.pem -alias kdc -keystore /usr/java/jdk1.8.0_73/jre/lib/security/cacerts

    • Correction: Does LDAP authentication have similar LDAP principals to local user mapping mechanism like auth_to_local in Kerberos?

  • This setting is on core-site.xml file of HDFS.
    Does it provide group mapping functionality for authorization for other applications? Like Hive, HBase? Is the HDFS the only level where it was checked? How does it work?
