Summary
This article explains how Dremio populates user and group details from Active Directory (AD) or Azure Active Directory (Azure AD)/Microsoft Entra ID, configures cache expiration for LDAP permissions, and provides logging information for authentication with Azure AD or LDAP.
Reported Issue
Azure AD/Microsoft Entra ID users can experience problems logging into Dremio.
Overview
Dremio populates user details from AD (Azure AD/Microsoft Entra ID) only when a user first logs in. Groups are pulled into Dremio when they are first assigned privileges on an object (space, folder, etc.) in Dremio. This is referred to as a "lazy load" of users and groups, and Dremio does not proactively collect all groups or users.
Relevant Versions, Tools and Integrations
This behaviour is relevant to all Dremio releases.
Steps to Resolve
To configure the cache expiration for the LDAP permissions that Dremio uses, modify the web.auth.cache.expiration_minutes support key. The default value is 24 hours (1440 minutes).
After changing the expiration time, you may need to restart Dremio or clear the caches using the API described at https://docs.dremio.com/current/reference/api/ldap-authorization. If no username is specified in the request, both the user cache and the group cache are cleared.
Additional Resources
To troubleshoot such issues, enable debug logging for Azure AD authentication by adding the following lines to the logback.xml file and restarting Dremio:
<logger name="com.dremio.extusr.azuread" level="debug" />
<logger name="com.dremio.extusr.oauth" level="debug" />
<logger name="com.dremio.services.credentials.AzureVaultCredentialsProvider" level="debug" />
For LDAP authentication, add the following lines to logback.xml and restart Dremio:
<logger name="com.dremio.extusr.ExternalUserGroupService">
<level value="debug"/>
</logger>
<logger name="com.dremio.extusr.ldap.LdapUserProvider">
<level value="debug"/>
</logger>
With these loggers enabled, the logs show details about fetching LDAP entries and retrieving users, including the time each operation took.