Posts: 22
Registered: 03-04-2014

Service users in LDAP

Got a question about creating service users in our LDAP directory.


The last part of the CM5 guide to configuring LDAP here mentions that you need to "ensure all your services are registered users in LDAP."


Two questions:


1. Is there any scope for changing the names of some of these users? We're using Active Directory for LDAP and don't particularly want mapred, yarn, etc. as users in AD; it doesn't fit in with the naming convention used for other services. Presumably if I changed the users I'd also need to chown/chgrp a load of stuff in HDFS.


2. As an alternative to configuring CDH to use LDAP directly, are there any drawbacks to delegating to PAM on the local Linux box, which in turn is configured to resolve users against AD?




Posts: 1,903
Kudos: 435
Solutions: 305
Registered: 07-31-2013

Re: Service users in LDAP

Doing (1) is not supported today (within a secured cluster context). We also strongly recommend using a trust setup involving a local MIT KDC (for service principals) and your AD (for other users). This setup is detailed at
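The trust setup recommended in the reply above (service principals in a local MIT KDC realm, people in AD) only works if the cluster can map principals from both realms onto the short user names that HDFS and YARN actually use; that mapping is what Hadoop's hadoop.security.auth_to_local rules do. As an added example, not code from this thread or from Cloudera, here is a small Python evaluator for that rule syntax, run over constructed principals. The realm names HADOOP.LOCAL and AD.EXAMPLE.COM are hypothetical. It also shows the caveat behind question 1: an AD account whose name collides with a cluster service account (hdfs, yarn, mapred) maps onto that service user unless a rule catches it first.

```python
"""Evaluator for Hadoop-style hadoop.security.auth_to_local rules.

Added example (not Cloudera's or Hadoop's code). Realm names are
hypothetical. Shows how principals from a local MIT KDC realm (services)
and an AD realm (people) are mapped onto short OS/HDFS user names.
"""
import re
from typing import List, Optional

LOCAL_REALM = "HADOOP.LOCAL"   # hypothetical MIT KDC realm: service principals
AD_REALM = "AD.EXAMPLE.COM"    # hypothetical Active Directory realm: people

# Same grammar Hadoop's KerberosName parser accepts: the (regex) filter may
# not contain ')' and the s/pattern/replacement/ parts may not contain '/'.
_RULE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]"      # [n:format], n = number of components
    r"(?:\(([^)]*)\))?"              # optional (regex) that the result must match
    r"(?:s/([^/]*)/([^/]*)/(g?))?"   # optional s/pattern/replacement/[g]
    r"(/?L)?$"                       # optional lowercase flag
)


class NoMatchingRule(Exception):
    """No rule mapped the principal, or the result was not a simple name."""


class Rule:
    def __init__(self, text: str):
        self.text = text.strip()
        self.default = self.text == "DEFAULT"
        if self.default:
            return
        m = _RULE.match(self.text)
        if not m:
            raise ValueError(f"bad auth_to_local rule: {text!r}")
        self.ncomp = int(m.group(1))
        self.fmt = m.group(2)
        self.filter = re.compile(m.group(3)) if m.group(3) is not None else None
        self.sub_from = re.compile(m.group(4)) if m.group(4) is not None else None
        self.sub_to = m.group(5) or ""   # simplification: Python re.sub replacement syntax
        self.repeat = m.group(6) == "g"
        self.lower = m.group(7) is not None

    def apply(self, components: List[str], realm: str) -> Optional[str]:
        """Return the short name, or None if this rule does not apply."""
        if self.default:
            # DEFAULT only accepts principals from the cluster's own realm.
            return components[0] if realm == LOCAL_REALM else None
        if len(components) != self.ncomp:
            return None
        # $0 is the realm, $1..$n are the principal components.
        base = self.fmt.replace("$0", realm)
        for i, comp in enumerate(components, start=1):
            base = base.replace(f"${i}", comp)
        if self.filter is not None and not self.filter.fullmatch(base):
            return None
        if self.sub_from is not None:
            base = self.sub_from.sub(self.sub_to, base, count=0 if self.repeat else 1)
        return base.lower() if self.lower else base


def short_name(principal: str, rules: List[Rule]) -> str:
    """Map a Kerberos principal to a short user name using the first matching rule."""
    if "@" in principal:
        name, realm = principal.rsplit("@", 1)
    else:
        name, realm = principal, LOCAL_REALM   # Hadoop assumes the default realm
    components = name.split("/")
    for rule in rules:
        result = rule.apply(components, realm)
        if result is not None:
            # Hadoop's default mechanism refuses "non-simple" results: a mapped
            # name must not still carry a realm or an instance.
            if "@" in result or "/" in result:
                raise NoMatchingRule(f"non-simple name {result!r} from {rule.text}")
            return result
    raise NoMatchingRule(f"no rule matched {principal}")


def maps(principal: str, rules: List[Rule]) -> Optional[str]:
    """Convenience wrapper: the short name, or None when no rule matches."""
    try:
        return short_name(principal, rules)
    except NoMatchingRule:
        return None


# Typical cross-realm rule set: strip the AD realm off people, keep the
# first component of service principals from the cluster's own realm.
RULES = [Rule(r) for r in [
    r"RULE:[1:$1@$0](.*@AD\.EXAMPLE\.COM)s/@.*//",
    "DEFAULT",
]]

# Same, but AD accounts named like cluster service users are mapped to a
# distinct local name first so they can never become the HDFS superuser.
SAFE_RULES = [Rule(r) for r in [
    r"RULE:[1:$1@$0](hdfs@AD\.EXAMPLE\.COM|yarn@AD\.EXAMPLE\.COM|mapred@AD\.EXAMPLE\.COM)s/@.*/_ad/",
    r"RULE:[1:$1@$0](.*@AD\.EXAMPLE\.COM)s/@.*//",
    "DEFAULT",
]]

if __name__ == "__main__":
    for p in ["alice@AD.EXAMPLE.COM", "hdfs/node1.hadoop.local@HADOOP.LOCAL",
              "hdfs@AD.EXAMPLE.COM", "mallory@EVIL.EXAMPLE.COM"]:
        print(f"{p:45} RULES -> {maps(p, RULES)!r:10} SAFE_RULES -> {maps(p, SAFE_RULES)!r}")
```

Two things to note. A principal from a realm no rule names (the EVIL.EXAMPLE.COM case) never maps to a local user, because DEFAULT only accepts the cluster's own realm; that is the property the cross-realm trust relies on. And with the plain rule set, an AD account called hdfs maps straight onto the hdfs service user, which is exactly why keeping service principals out of AD, or ordering a catch rule first as in SAFE_RULES, matters. The evaluator follows Hadoop's grammar for the filter and substitution parts but uses Python's re.sub replacement syntax rather than Java's, which is a simplification.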
Cloudera Employee
Posts: 509
Registered: 07-30-2013

Re: Service users in LDAP

With CM 5.1, just released, you can also get CM to handle the service principals for you in the AD, avoiding the need for a local MIT KDC.