
Ambari Kerberos Wizard: How to configure Active Directory LDAPS?


Expert Contributor

How is Active Directory configured to support LDAPS for the Ambari Kerberos wizard?

Accepted Solutions

Re: Ambari Kerberos Wizard: How to configure Active Directory LDAPS?

As part of the process to Kerberize the cluster, Ambari must connect to the Active Directory environment using LDAPS to create the relevant Kerberos "principals". But LDAPS is not enabled by default in Active Directory.

To configure it and prepare the cluster hosts:

  1. Enable LDAPS in Active Directory (detailed by Microsoft)
  2. Trust the AD certificate on the Linux hosts. Only needed if "self-signing" the certificate.

General steps for 2:

  1. On the Windows host:
    1. Server Manager -> Tools -> Certificate Authority
    2. Action -> Properties
    3. General Tab -> View Certificate -> Details -> Copy to File
    4. Choose the format: "Base-64 encoded X.509 (.CER)"
    5. Save as 'activedirectory.cer' (or whatever you like)
    6. Open with Notepad -> Copy Contents
  2. On all Linux hosts (RedHat/CentOS instructions. Ubuntu/SUSE would be similar)
    1. Create /etc/pki/ca-trust/source/anchors/activedirectory.pem
    2. Paste the contents of the certificate file above
    3. Execute:
        sudo yum -y install ca-certificates
        sudo update-ca-trust force-enable
        sudo update-ca-trust extract
        sudo update-ca-trust check
    4. (You can automate this as done here)
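
A check to run on each Linux host after pasting the certificate and before running the `update-ca-trust` commands (an added example, not part of the original answer): it confirms the paste produced exactly one parseable, unexpired certificate whose fingerprint matches the value recorded on the Windows host. It assumes the `openssl` CLI is installed; the function names and script name are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: sanity-check a pasted CA certificate before it becomes a
# system-wide trust anchor. Function names are hypothetical.

# Print the certificate fingerprint as lowercase hex without separators.
# $1 = PEM file, $2 = digest (sha256 by default; sha1 matches the
# "Thumbprint" field shown by the Windows certificate viewer).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint "-${2:-sha256}" 2>/dev/null |
        cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Return 0 only if the file is fit to be placed in the anchors directory:
#   1 = file does not hold exactly one certificate (paste error)
#   2 = content does not parse as X.509
#   3 = certificate has already expired
#   4 = fingerprint differs from the one recorded on the Windows host
check_anchor() {
    local pem=$1 expected=$2 algo=${3:-sha256} count actual
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" 2>/dev/null || true)
    [ "$count" = "1" ] || return 1
    openssl x509 -in "$pem" -noout 2>/dev/null || return 2
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 || return 3
    # Normalise the expected value: drop spaces and colons, lowercase.
    expected=$(printf '%s' "$expected" | tr -d ' :' | tr 'A-F' 'a-f')
    actual=$(cert_fingerprint "$pem" "$algo")
    [ -n "$actual" ] && [ "$actual" = "$expected" ] || return 4
    return 0
}

# Run as: ./check_anchor.sh <pem-file> <expected-fingerprint> [sha1|sha256]
if [ "$#" -ge 2 ]; then
    check_anchor "$@" && echo "OK to install" || { echo "rejected (code $?)"; exit 1; }
fi
```
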

Re: Ambari Kerberos Wizard: How to configure Active Directory LDAPS?

New Contributor

LDAPS for Ambari is an LDAP+SSL implementation between AD and the Ambari server. This can be accomplished by importing the self-signed/CA-signed certificate of the AD server into the truststore of the Ambari server or $JAVA_HOME/jre/lib/security/cacerts.

Re: Ambari Kerberos Wizard: How to configure Active Directory LDAPS?

New Contributor

You need to do this by importing certificates and running the ambari-server setup-ldap command. There is an option to use ssl true or false.

Re: Ambari Kerberos Wizard: How to configure Active Directory LDAPS?

LDAPS is not required for syncing Ambari users. The question is in regards to the Kerberos Wizard.

Re: Ambari Kerberos Wizard: How to configure Active Directory LDAPS?

Guru

Hey Guys - want to clarify this quickly. This step in the Kerberos Wizard is a prerequisite to ensure that the Active Directory environment that you are planning to integrate with has secure LDAP in place. This is typically set up by Active Directory administrators as a means to protect the LDAP communication with SSL (typically on port 636). We require this because during the Kerberos enablement process, we create principals in Active Directory. As part of that process we generate and set a password for those principals. We can't create a user in Active Directory without LDAPS as that user's credentials would be sent over the wire in plain text.

1.) AD has to be configured for this

2.) As mentioned by previous posters we need to trust that certificate so we can connect to AD


Re: Ambari Kerberos Wizard: How to configure Active Directory LDAPS?

Here is a publicly accessible link with step-by-step screenshots on how to set up LDAPS, generating a certificate on AD and then importing it on the Ambari node.

http://gregtechnobabble.blogspot.com/2012/11/enabling-ldap-ssl-in-windows-2012-part-1.html

Once this is complete you can run through the Ambari security wizard, select the AD option, and provide your details to enable Kerberos.