Support Questions

Find answers, ask questions, and share your expertise
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.

Integrate AD for User to Group mapping

Master Collaborator


 we would like to integrate an existing kerberized cluster using dedicated MIT KDC with a corporate AD for user to group mapping. For correct authorization in Sentry hadoop needs to map the user to group. 


The hadoop KDC is not connected/trusted with the org AD, hadoop MIT KDC has different REALM name (like PROD.CLOUDERA.NET) than AD (NICE.COMPANY.COM).


The goal is not PAM - so logging into linux with AD user and password, just the user/group mapping.


Is it possible to configure this setup? What are the options? I have read about Centrify Express but as far as I understood it maps completely everything to AD. So that would mean to migrate all the service principals from MIT KDC to AD - basically new cluster setup.  And thats not an option now.








You need to look into the LDAP based group mapping feature of Hadoop. I don't think you are going to like it though.

I always recommend integrating AD at the OS level. This can be done with Certify, QAS, SSSD, etc. You would need to set up a trust between the two Kerberos realms (MIT and AD); along with integrating AD at the OS level. Then the service principals can remain in the MIT KDC but the users will be in AD. The AD user accounts and groups will be available to the OS as if they are linux accounts which will be found and used by the default group mapping mechanism of Hadoop.

"However, this provider should only be used if the required groups reside exclusively in LDAP, and are not materialized on the Unix servers. "

"When you switch to LDAP as the group mapping provider, you must re-create these relationships within LDAP.'

New Contributor
As the previous post mentions, creating additional islands of identity and then trying to integrate becomes difficult and costly. The easiest/best solution is to join the cluster nodes to Active Directory directly and maintain all users and groups there. Your service principal accounts for cluster kerberization can also be stored in a sandbox OU and be entirely maintained by Cloudera Manager. There's no need to maintain a separate MIT realm, LDAP directory or even local accounts. Centrify Server Suite Standard/Enterprise Editions provide numerous advantages over other AD bridging tools that will be relevant to your deployment including integrated command authorization for least privilege, infinite Kerberos renewal, LDAP Proxy, session auditing, SAML authentication, two-factor authentication, privileged credential management and much more.

Master Collaborator

Hi MikeSzymczak,

is it possible to do that with Centrify Express as well? Join the nodes, configure the group mappings

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.