
Ambari Kerberos Wizard: How to configure Active Directory LDAPS?

Super Collaborator

How is Active Directory configured to support LDAPS for the Ambari Kerberos wizard?

1 ACCEPTED SOLUTION


As part of the process to Kerberize the cluster, Ambari must connect to the Active Directory environment using LDAPS to create the relevant Kerberos "principals". But LDAPS is not enabled by default in Active Directory.

To configure it and prepare the cluster hosts:

  1. Enable LDAPS in Active Directory (detailed by Microsoft)
  2. Trust the AD certificate on the Linux hosts. Only needed if "self-signing" the certificate.

General steps for 2:

  1. On the Windows host:
    1. Server Manager -> Tools -> Certificate Authority
    2. Action -> Properties
    3. General Tab -> View Certificate -> Details -> Copy to File
    4. Choose the format: "Base-64 encoded X.509 (.CER)"
    5. Save as 'activedirectory.cer' (or whatever you like)
    6. Open with Notepad -> Copy Contents
  2. On all Linux hosts (RedHat/CentOS instructions. Ubuntu/SUSE would be similar)
    1. Create /etc/pki/ca-trust/source/anchors/activedirectory.pem
    2. Paste the contents of the certificate file above
    3. Execute:
         sudo yum -y install ca-certificates
         sudo update-ca-trust force-enable
         sudo update-ca-trust extract
         sudo update-ca-trust check
    4. (You can automate this as done here)
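Two pre-flight checks for the steps above, added here as an example and not part of the original post or of Ambari: `normalize_cer` confirms that the file exported from the Windows CA really is the "Base-64 encoded X.509 (.CER)" format (the DER option is a common wrong pick) and rewrites it with clean LF line endings for the anchors directory; `ldaps_trusted` then opens a TLS connection to a domain controller on 636 so you can see whether the host's trust store verifies the chain before running the wizard. Function names, the sample certificate body and the host name are assumptions.

```python
"""Pre-flight checks for the AD LDAPS trust step (example code, not Ambari's)."""
import base64
import re
import socket
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalize_cer(text: str) -> str:
    """Return a clean PEM certificate, or raise ValueError when the input is not
    the Base-64 export (for example when the DER format was chosen instead)."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM armor found: export as 'Base-64 encoded X.509 (.CER)'")
    body = re.sub(r"\s+", "", m.group(1))  # drop Notepad CRLFs and stray spaces
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:  # an X.509 Certificate is a DER SEQUENCE (tag 0x30)
        raise ValueError("decoded body is not a DER SEQUENCE, so not an X.509 certificate")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]  # standard 64-char PEM lines
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def ldaps_trusted(host: str, port: int = 636, cafile=None, timeout: float = 5.0):
    """Probe host:port over TLS. Returns (True, subject) when the chain and the
    hostname verify against cafile (or the system store when None), otherwise
    (False, reason). No LDAP bind is performed, so no credentials are sent."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, dict(rdn[0] for rdn in cert.get("subject", ()))
    except (ssl.SSLError, OSError) as exc:
        return False, f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    # Usage: python check_ldaps.py dc01.example.com   (assumed host name)
    import sys
    print(ldaps_trusted(sys.argv[1]))
```

Run `ldaps_trusted` after `update-ca-trust extract`; a `CERTIFICATE_VERIFY_FAILED` reason means the anchor was not picked up, while a hostname mismatch means the DC certificate does not carry the name you are giving the wizard.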


9 REPLIES

Contributor

LDAPS for Ambari is the LDAP+SSL implementation between AD and the Ambari server. This can be accomplished by importing the self-signed/CA-signed certificate of the AD server into the truststore of the Ambari server or $JAVA_HOME/jre/lib/security/cacerts.

Explorer

You need to do this by importing certificates and running the ambari-server setup-ldap command. There is an option to use SSL, true or false.


LDAPS is not required for syncing Ambari users. The question is in regards to the Kerberos Wizard.


Hey Guys - want to clarify this quickly. This step in the Kerberos Wizard is a prerequisite to ensure that the Active Directory environment that you are planning to integrate with has secure LDAP in place. This is typically set up by Active Directory administrators as a means to protect the LDAP communication with SSL (typically on port 636). We require this because during the Kerberos enablement process, we create principals in Active Directory. As part of that process we generate and set a password for those principals. We can't create a user in Active Directory without LDAPS, as that user's credentials would be sent over the wire in plain text.

1.) AD has to be configured for this

2.) As mentioned by previous posters we need to trust that certificate so we can connect to AD

Expert Contributor

Hi @pcodding,

Does the Ambari Server Host also need to present its own SSL certificate to the AD server?

In case of multiple domain controllers, do we need to have separate SSL certificates from each of the domain controllers?

Thanks,

Megh


Expert Contributor

Hi @sroberts,

Does the Ambari Server Host also need to present its own SSL certificate to the AD server?

In case of multiple domain controllers, do we need to have separate SSL certificates from each of the domain controllers?

Thanks,

Megh


Here is a publicly accessible link with step-by-step screenshots on how to set up LDAPS, generate a certificate on AD and then import it on the Ambari node.

http://gregtechnobabble.blogspot.com/2012/11/enabling-ldap-ssl-in-windows-2012-part-1.html

Once this is complete you can run through the Ambari security wizard, select the AD option and provide your details to enable Kerberos.

Expert Contributor

Hi @abajwa,

Does the Ambari Server Host also need to present its own SSL certificate to the AD server?

In case of multiple domain controllers, do we need to have separate SSL certificates from each of the domain controllers?

Thanks,

Megh