LDAP Authentication

    To enable LDAP authentication for Presto, configuration changes are made on the Presto coordinator. No changes are required to the worker configuration; only the communication from the clients to the coordinator is authenticated. However, if you want to secure the communication between Presto nodes with SSL/TLS, configure Secure Internal Communication.

    Secure LDAP

    Presto requires Secure LDAP (LDAPS), so make sure you have TLS enabled on your LDAP server.

    TLS Configuration on Presto Coordinator

    You need to import the LDAP server’s TLS certificate into the default Java truststore of the Presto coordinator to secure the TLS connection. You can use keytool to import the certificate into the truststore on the coordinator.

    In addition to this, access to the Presto coordinator should be through HTTPS. You can do this by creating a Java keystore on the coordinator.

    Presto Coordinator Node Configuration

    You must make the following changes to the environment prior to configuring the Presto coordinator to use LDAP authentication and HTTPS.

    You also need to make changes to the Presto configuration files. LDAP authentication is configured on the coordinator in two parts. The first part is to enable HTTPS support and password authentication in the coordinator’s config.properties file. The second part is to configure LDAP as the password authenticator plugin.

    Server Config Properties

    The following is an example of the required properties that need to be added to the coordinator’s config.properties file:

    http-server.authentication.type=PASSWORD
    http-server.https.enabled=true
    http-server.https.port=8443
    http-server.https.keystore.path=/etc/presto_keystore.jks

    Password Authenticator Configuration

    password-authenticator.name=ldap
    ldap.url=ldaps://ldap-server:636
    ldap.user-bind-pattern=<Refer below for usage>
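    The two property lists above are easy to get subtly wrong (HTTPS left disabled, a plain ldap:// URL, a relative keystore path). The following checker is an added example, not part of Presto: it reads both files with a minimal .properties parser and reports every deviation from what this page requires. The sample file contents are constructed from the values shown on this page.

```python
"""Sanity-check the two coordinator property files this page describes:
config.properties (HTTPS + PASSWORD authentication) and the LDAP password
authenticator configuration. Added example, not part of Presto; the sample
file contents below are constructed from the values shown on this page."""
import os
from urllib.parse import urlsplit

# Values this page lists as required in the coordinator's config.properties.
REQUIRED_SERVER = {
    "http-server.authentication.type": "PASSWORD",
    "http-server.https.enabled": "true",
}


def parse_properties(text):
    """Minimal Java .properties reader: key=value (or key:value) lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_server_config(props):
    """Problems found in config.properties; an empty list means it matches this page."""
    problems = []
    for key, expected in REQUIRED_SERVER.items():
        if props.get(key) != expected:
            problems.append(f"{key} should be {expected}, found {props.get(key)!r}")
    port = props.get("http-server.https.port", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append("http-server.https.port must be a valid TCP port")
    keystore = props.get("http-server.https.keystore.path")
    if not keystore:
        problems.append("http-server.https.keystore.path is missing")
    elif not os.path.isabs(keystore):
        problems.append("http-server.https.keystore.path should be an absolute path")
    elif os.path.exists(keystore) and os.stat(keystore).st_mode & 0o077:
        # The keystore holds the coordinator's private key; only the Presto user should read it.
        problems.append("keystore is readable by group/others")
    return problems


def check_password_authenticator(props):
    """Problems found in the LDAP password authenticator properties."""
    problems = []
    if props.get("password-authenticator.name") != "ldap":
        problems.append("password-authenticator.name must be ldap")
    url = urlsplit(props.get("ldap.url", ""))
    if url.scheme != "ldaps" or not url.hostname:
        problems.append("ldap.url must be an ldaps:// URL; Presto requires Secure LDAP")
    if "${USER}" not in props.get("ldap.user-bind-pattern", ""):
        problems.append("ldap.user-bind-pattern must contain the ${USER} placeholder")
    return problems


# Constructed sample files (values taken from this page).
SERVER_OK = """\
http-server.authentication.type=PASSWORD
http-server.https.enabled=true
http-server.https.port=8443
http-server.https.keystore.path=/etc/presto_keystore.jks
"""
AUTH_OK = """\
password-authenticator.name=ldap
ldap.url=ldaps://ldap-server:636
ldap.user-bind-pattern=uid=${USER},OU=America,DC=corp,DC=example,DC=com
"""
AUTH_PLAINTEXT = AUTH_OK.replace("ldaps://ldap-server:636", "ldap://ldap-server:389")

if __name__ == "__main__":
    for name, text, check in (("config.properties", SERVER_OK, check_server_config),
                              ("password-authenticator (ok)", AUTH_OK, check_password_authenticator),
                              ("password-authenticator (plain ldap)", AUTH_PLAINTEXT, check_password_authenticator)):
        print(name, check(parse_properties(text)) or "OK")
```

    Run it against the real files with `parse_properties(open(path).read())`; the permission check only fires when the keystore path exists on the machine running the script.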

    Based on the LDAP server implementation type, the property ldap.user-bind-pattern can be used as described below.

    Active Directory
    ldap.user-bind-pattern=${USER}@<domain_name_of_the_server>

    Example:

    OpenLDAP
    ldap.user-bind-pattern=uid=${USER},<distinguished_name_of_the_user>

    Example:

    ldap.user-bind-pattern=uid=${USER},OU=America,DC=corp,DC=example,DC=com

    Authorization based on LDAP Group Membership

    You can further restrict the set of users allowed to connect to the Presto coordinator based on their group membership by setting the optional ldap.group-auth-pattern and ldap.user-base-dn properties in addition to the basic LDAP authentication properties.

    Based on the LDAP server implementation type, the property ldap.group-auth-pattern can be used as described below.

    Active Directory
    ldap.group-auth-pattern=(&(objectClass=<objectclass_of_user>)(sAMAccountName=${USER})(memberof=<dn_of_the_authorized_group>))

    Example:

    OpenLDAP
    ldap.group-auth-pattern=(&(objectClass=<objectclass_of_user>)(uid=${USER})(memberof=<dn_of_the_authorized_group>))

    Example:

    ldap.group-auth-pattern=(&(objectClass=inetOrgPerson)(uid=${USER})(memberof=CN=AuthorizedGroup,OU=Asia,DC=corp,DC=example,DC=com))

    For OpenLDAP, this query only works if the memberOf overlay is enabled on the server.

    You can also use this property for scenarios where you want to authorize a user based on complex group authorization search queries. For example, if you want to authorize a user belonging to any one of multiple groups (in OpenLDAP), this property may be set as follows:

    ldap.group-auth-pattern=(&(|(memberOf=CN=normal_group,DC=corp,DC=com)(memberOf=CN=another_group,DC=com))(objectClass=inetOrgPerson)(uid=${USER}))
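    Both ldap.user-bind-pattern (OpenLDAP DN form) and ldap.group-auth-pattern substitute the login name for ${USER}, one into a DN and one into a search filter. Each has its own escaping rules (RFC 4514 for DN values, RFC 4515 for filter assertion values), and a login name containing a comma, parenthesis or asterisk must not be able to change the DN or filter structure. The code below is an added example, not Presto's implementation, that expands the patterns from this page for a given user with the correct escaping applied and checks that the resulting filter is still structurally balanced; the user names are constructed.

```python
"""Expand ${USER} in ldap.user-bind-pattern (DN form) and ldap.group-auth-pattern
with the escaping each context requires. Added example, not Presto's own code;
the patterns are the ones shown on this page, the user names are constructed."""

PLACEHOLDER = "${USER}"


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515): \\XX hex form."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;=' or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def filter_is_balanced(ldap_filter):
    """Structural check: parentheses outside \\XX escapes balance and never go negative."""
    depth = 0
    i = 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":        # skip the escape sequence \XX
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


def expand_bind_dn(pattern, user):
    """OpenLDAP-style ldap.user-bind-pattern such as uid=${USER},OU=...,DC=..."""
    if PLACEHOLDER not in pattern:
        raise ValueError("bind pattern has no ${USER} placeholder")
    return pattern.replace(PLACEHOLDER, escape_dn_value(user))


def expand_group_filter(pattern, user):
    """ldap.group-auth-pattern with ${USER} replaced by the escaped login name."""
    if PLACEHOLDER not in pattern:
        raise ValueError("group filter has no ${USER} placeholder")
    expanded = pattern.replace(PLACEHOLDER, escape_filter_value(user))
    if not filter_is_balanced(expanded):
        raise ValueError("group filter has unbalanced parentheses; check the configured pattern")
    return expanded


# Patterns from this page.
BIND_PATTERN = "uid=${USER},OU=America,DC=corp,DC=example,DC=com"
GROUP_PATTERN = ("(&(objectClass=inetOrgPerson)(uid=${USER})"
                 "(memberof=CN=AuthorizedGroup,OU=Asia,DC=corp,DC=example,DC=com))")
MULTI_GROUP_PATTERN = ("(&(|(memberOf=CN=normal_group,DC=corp,DC=com)"
                       "(memberOf=CN=another_group,DC=com))(objectClass=inetOrgPerson)(uid=${USER}))")

if __name__ == "__main__":
    # "a*(b)" is a constructed name that exercises every filter metacharacter.
    for user in ("alice", "a*(b)", "bob,cn=x"):
        print(expand_bind_dn(BIND_PATTERN, user))
        print(expand_group_filter(GROUP_PATTERN, user))
        print(expand_group_filter(MULTI_GROUP_PATTERN, user))
```

    The Active Directory ${USER}@domain form is a userPrincipalName rather than a DN, so neither escaper applies to it; there the sensible check is an allowlist of characters the directory actually permits in account names.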

    TLS Configuration

    If you are using a keystore file, it can be copied to the client machine and used for its TLS configuration. If you are using a truststore, you can either use the default Java truststore or create a custom truststore on the CLI. We do not recommend using self-signed certificates in production.

    Presto CLI Execution

    In addition to the options that are required when connecting to a Presto coordinator that does not require LDAP authentication, invoking the CLI with LDAP support enabled requires a number of additional command line options. You can use either the --keystore-* or the --truststore-* options to secure the TLS connection. The simplest way to invoke the CLI is with a wrapper script.

    Verify the password for a keystore file and view its contents using keytool.

    SSL Debugging for Presto CLI

    If you encounter any SSL related errors when running the Presto CLI, you can run the CLI with the -Djavax.net.debug=ssl parameter for debugging. You need to use the Presto CLI executable jar to pass this parameter. For example:

    java -Djavax.net.debug=ssl \
    -jar \
    presto-cli-<version>-executable.jar \
    --server https://coordinator:8443 \

    Common SSL errors

    java.security.cert.CertificateException: No subject alternative names present

    This error occurs when the Presto coordinator’s certificate does not contain the IP address you provide in the --server argument of the CLI as a subject alternative name (SAN). You will have to regenerate the coordinator’s SSL certificate with the appropriate SAN added.
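    Before regenerating a certificate it helps to confirm exactly which name is missing. The following added example (not part of Presto) takes the host from a --server URL and checks it against a certificate's subjectAltName entries the way a TLS client does: an IP address must appear as an "IP Address" entry, a host name as a "DNS" entry (exact or single-label wildcard), and the commonName is ignored. The certificate dictionaries are constructed in the shape ssl.SSLSocket.getpeercert() returns.

```python
"""Check whether the host in the CLI's --server URL is covered by the
subjectAltName of the coordinator's certificate, the condition behind the
"No subject alternative names present" error. Added example, not part of
Presto; the certificate dictionaries are constructed in the shape that
ssl.SSLSocket.getpeercert() returns."""
import ipaddress
from urllib.parse import urlsplit


def server_host(server_url):
    """Host part of a --server value such as https://coordinator:8443."""
    parts = urlsplit(server_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("--server must be an https:// URL with a host")
    return parts.hostname


def dns_matches(pattern, host):
    """Exact match, or a single leading wildcard label (RFC 6125 style)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return False


def san_covers(cert, host):
    """True if a DNS or IP Address SAN entry covers host; the CN is ignored, as TLS clients do."""
    sans = cert.get("subjectAltName", ())
    if not sans:
        return False  # no SAN at all: the error this page describes
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and kind == "DNS" and dns_matches(value, host):
            return True
    return False


def diagnose(cert, server_url):
    """Short, constructed message telling the CLI user what to fix."""
    host = server_host(server_url)
    if san_covers(cert, host):
        return f"OK: certificate covers {host}"
    return f"regenerate the coordinator certificate with a SAN for {host}"


# Constructed certificates: one issued with SANs, one with only a CN.
CERT_WITH_SAN = {
    "subject": ((("commonName", "coordinator"),),),
    "subjectAltName": (("DNS", "coordinator"), ("DNS", "*.corp.example.com"),
                       ("IP Address", "10.0.0.5")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "coordinator"),),)}

if __name__ == "__main__":
    for cert in (CERT_WITH_SAN, CERT_CN_ONLY):
        for url in ("https://coordinator:8443", "https://10.0.0.5:8443", "https://10.0.0.6:8443"):
            print(diagnose(cert, url))
```

    To run this against a live coordinator, fetch the certificate with ssl.create_default_context(), wrap a socket, and pass getpeercert() as the cert argument; the dictionary layout is the same as the constructed ones above.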