I am requesting a new feature be added to Cloudera Manager: support for FreeIPA for KDC Type in addition to Active Directory and MIT KDC.
I have about a dozen customers who could use it right now (and more in the future). They either don't have AD, don't have LDAP, or don't want to try and extend either into AWS. FreeIPA lets me tie their users and credentials together similar to AD without the hassle of hacking together OpenLDAP and MIT Kerberos and without having to teach them how to do user management. I also get the option to do the one-way trust with their AD or even sync their user data.
Indeed this very feature is under discussion (internal Cloudera Jira OPSAPS-23451).
Until there is direct integration via Cloudera Manager, the current recommendation is to utilize the custom keytab retrieval script method outlined here:
I'll add your post to the Jira to log the request.
We have internally reviewed FreeIPA and started working with Red Hat. Interestingly enough, FreeIPA is ultimately a collection of the things the original poster seemed to indicate were pain points. FreeIPA is a collection of tools including SSSD, OpenLDAP, and MIT Kerberos which are bundled together by Red Hat to create a directory service similar to that provided by Active Directory.
This essentially means supporting the same core technologies we are already capable of supporting. However, with that said, the ipa-client presents additional challenges to cluster operations, especially in environments with complex forest or domain topologies, due to the way the client presents certain components of user and service identity. These challenges have presented both Red Hat and Cloudera with issues which are not easily addressed, as they are affected by the way security is implemented across the entire Hadoop ecosystem.
At this point in time we are continuing to look at FreeIPA and methods we might use to support this system officially within our platform, especially when the ipa-client is in use.
With that said I would however like to make it clear that it is possible to use FreeIPA without the ipa-client as the FreeIPA server is essentially an MIT KDC with LDAP Directory Services. It may also be possible to use FreeIPA and the ipa-client in cases where your forest or domain topology is exceptionally simple, that is to say you have no plans to provide access across domains or realms. In addition to that if you are a licensed customer you should discuss the use of FreeIPA with members of your services team before you attempt to use FreeIPA in any environment.
As a member of the FreeIPA community and a Red Hatter, I would be very glad to help resolve this issue.
There were in fact some challenges. I remember that one was related to the complications of how different components of the cluster located on the same node use Kerberos. The other was related to how group membership is fetched. There was some not officially supported tune-up that was needed. So in general the default configuration that is provided by ipa-client needs to be tuned up to make things work.
A couple of corrections to the post:
- FreeIPA uses 389DS, not OpenLDAP, for directory service
- FreeIPA (or Red Hat Identity Management - this is how the component is named) is capable of the complex trust setups and works very well with them. The challenge is the custom configuration that needs to happen to make all parts work.
- IdM is a part of RHEL and is supported by Red Hat, so if/once integration and configuration are sorted out, a joint solution can be supported by both communities and companies. If we want to move forward on this, please reach out to me. I am the right person for that.
I am looking forward to a productive collaboration on this front.
I was at Cloudera's company conference (Elevate 19) this year and was excited to see that there is actual work being done to provide FreeIPA support in Cloudera Manager. Look closely at recent versions of the CM server. You may just find the integration scripts present alongside the AD versions. Unfortunately, the WebUI does not yet provide "FreeIPA" as an option. :-( I am assuming that that will happen "when it is ready."