Class LdapGroupsMapping

java.lang.Object
org.apache.hadoop.security.LdapGroupsMapping
All Implemented Interfaces:
Configurable, GroupMappingServiceProvider
Direct Known Subclasses:
RuleBasedLdapGroupsMapping

@LimitedPrivate({"HDFS","MapReduce"}) @Evolving public class LdapGroupsMapping extends Object implements GroupMappingServiceProvider, Configurable
An implementation of GroupMappingServiceProvider which connects directly to an LDAP server for determining group membership. This provider should be used only if it is necessary to map users to groups that reside exclusively in an Active Directory or LDAP installation. The common case for a Hadoop installation will be that LDAP users and groups are materialized on the Unix servers, and for an installation like that, ShellBasedUnixGroupsMapping is preferred. However, in cases where those users and groups aren't materialized in Unix, but need to be used for access control, this class may be used to communicate directly with the LDAP server.

It is important to note that resolving group mappings will incur network traffic, and may cause degraded performance, although user-group mappings will be cached via the infrastructure provided by Groups.

This implementation does not support configurable search limits. If a filter used for searching users or groups returns more results than the server allows, an exception will be thrown.

The implementation attempts to resolve group hierarchies, up to a configurable limit. If the limit is 0, the user must be an explicit member of a group in LDAP to be considered a member of it. Otherwise, the implementation will traverse the group hierarchy n levels up.
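The effect of the hierarchy limit on access-control decisions, as an added example that is not Hadoop's own code: an in-memory model of bounded upward traversal, including a membership cycle. The class name, method name, users and groups are all hypothetical, constructed sample data.

```java
import java.util.*;

// Added illustration: in-memory model of bounded group-hierarchy resolution.
// Not Hadoop code; the directory contents below are constructed sample data.
public class GroupHierarchyDemo {
    // group -> groups it is a direct member of (its "parent" groups)
    static final Map<String, List<String>> PARENTS = Map.of(
        "etl-devs", List.of("data-eng"),
        "data-eng", List.of("hdfs-admins"),
        "hdfs-admins", List.of("etl-devs")); // cycle, as a misconfigured directory can contain

    // user -> groups the user is an explicit member of
    static final Map<String, List<String>> DIRECT = Map.of("alice", List.of("etl-devs"));

    /** Resolve a user's groups, walking at most `levels` steps up the hierarchy. */
    static Set<String> resolve(String user, int levels) {
        Set<String> seen = new LinkedHashSet<>(DIRECT.getOrDefault(user, List.of()));
        Set<String> frontier = new LinkedHashSet<>(seen);
        for (int depth = 0; depth < levels && !frontier.isEmpty(); depth++) {
            Set<String> next = new LinkedHashSet<>();
            for (String group : frontier) {
                for (String parent : PARENTS.getOrDefault(group, List.of())) {
                    if (seen.add(parent)) { // already-visited groups are skipped, so cycles terminate
                        next.add(parent);
                    }
                }
            }
            frontier = next;
        }
        return seen;
    }

    public static void main(String[] args) {
        // Same user, same directory: effective membership widens as the limit grows.
        for (int levels = 0; levels <= 3; levels++) {
            Set<String> groups = resolve("alice", levels);
            System.out.printf("levels=%d groups=%s hdfs-admins=%b%n",
                levels, groups, groups.contains("hdfs-admins"));
        }
    }
}
```

In this sample directory the user gains the privileged group only once the limit reaches 2, so a change to the limit should be reviewed against the nested groups that feed sensitive ACLs.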