Is it possible to use Kerberos with LDAP (not LDAPS)?

Contributor

Hello,

We have set up Ambari and HDFS with LDAP and Ranger. But we need strong user authentication in Hadoop, so I guess I need to configure Kerberos.

I am a little afraid because we already have a fairly stable system, and I don't want to break anything. So I am reading the documentation first. I have doubts about one of the prerequisites: "Active Directory secure LDAP (LDAPS) connectivity has been configured."

We have an external LDAP server but not with SSL (we don't have LDAPS). So, will it be possible to configure Kerberos with our own LDAP server?

Thanks in advance.

1 ACCEPTED SOLUTION


@Blanca Sanz

LDAPS is required when creating principals in an Active Directory. This is because Active Directory will not allow passwords to be set or changed over an insecure channel and Ambari needs to set or update passwords for accounts it manages while enabling Kerberos, regenerating keytab files, or disabling Kerberos.

If you are not using an Active Directory as your KDC and LDAP server, then this should not be an issue. For example, if your KDC is an MIT KDC and your LDAP server is OpenLDAP, then you are welcome to use LDAP or LDAPS when syncing users and authenticating with Ambari.

Also, if you are manually managing your Kerberos identities, then you can still sync Ambari with your Active Directory using LDAP or LDAPS. However, you will be responsible for creating the needed accounts (aka principals) and distributing the keytab files.


7 REPLIES


Contributor

Thanks @Robert Levas

Let me see if I understand you correctly. We don't have Active Directory; we only have OpenLDAP, so we don't need LDAPS.

So now that we want to install Kerberos, we only need to connect it with our own LDAP? Could you clarify the steps? Thanks


Ambari integrates with a KDC and an LDAP server separately. The KDC integration point is used to manage Kerberos identities when enabling and disabling Kerberos. The LDAP integration point is used for authentication to Ambari itself and its views.

In either case the KDC and LDAP server can be the same server (Active Directory, for example) or different servers (MIT KDC and OpenLDAP, for example).

In your case, with the separate servers, there is no need to integrate the two for Ambari. However, if you have other reasons to integrate them, I believe that there are ways to do this. I am not too familiar with setting this up. You might want to take a look at the MIT KDC documentation, such as http://web.mit.edu/Kerberos/krb5-1.13/doc/admin/conf_ldap.html.
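For readers who do want the MIT KDC to keep its principal database in OpenLDAP (the setup the linked MIT document describes), here is an added example kdc.conf, not taken from the thread or from Ambari; the realm, DNs, hostnames and file paths are placeholders, and the parameter names follow the MIT krb5 LDAP back-end documentation. The security point is the choice of `ldap_servers` URL: the KDC binds with a password and reads every principal entry over that channel, so it should not be plaintext LDAP even when Ambari itself does not require LDAPS.

```ini
# kdc.conf: MIT KDC with the principal database stored in OpenLDAP.
# Placeholder values (EXAMPLE.COM, dc=example,dc=com, paths) are assumptions.
[realms]
    EXAMPLE.COM = {
        database_module = openldap_ldapconf
    }

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        # Subtree that holds the Kerberos container and principal entries;
        # created with "kdb5_ldap_util create" once the directory is reachable.
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
        # Directory identities the KDC and kadmind bind as.
        ldap_kdc_dn = cn=krbadmin,dc=example,dc=com
        ldap_kadmind_dn = cn=krbadmin,dc=example,dc=com
        # Bind passwords for the DNs above, stashed by "kdb5_ldap_util stashsrvpw".
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        ldap_conns_per_server = 5

        # Weak setting: plaintext LDAP. The KDC's bind password and the
        # principal entries (keys encrypted under the master key) cross the
        # network unprotected, so anyone on the path can read them.
        # ldap_servers = ldap://ldap.example.com

        # Preferred: a local ldapi:// socket when OpenLDAP runs on the KDC
        # host (nothing leaves the machine); otherwise ldaps:// so the
        # directory connection is TLS-protected end to end.
        ldap_servers = ldapi:///
    }
```

The Ambari side is unchanged by this: the Enable Kerberos Wizard still talks to the MIT KDC through kadmin, and Ambari's own user sync talks to OpenLDAP separately, with or without LDAPS as the accepted answer explains.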

Contributor

Thanks @Robert Levas. My problem is that we have OpenLDAP but we don't have a KDC. So I do not know if it would be better to install MIT KDC on the same server where we have OpenLDAP, or to try to install and configure Kerberos on the Ambari Server.

I think the following guideline is for this case:

https://community.hortonworks.com/content/kbentry/29203/automated-kerberos-installation-and-configur...


@Blanca Sanz... Ambari does not care where the KDC lives. It is an external service like the LDAP server, so feel free to install it on the Ambari server host, any host in the cluster, or any host not in the cluster but accessible via the network to the Ambari server host and the hosts in the cluster.

The "Automated Kerberos Installation and Configuration" article you are referring to walks through a scenario where a script performs all of the tasks for you. I don't think it is really a guideline - it is just a quick start process if that particular scenario suits your needs. However, if you choose to do so, using that script is not a bad idea.

If you choose not to use that script, then once the KDC is installed and configured, you just need to run through the "Enable Kerberos Wizard" in Ambari. It asks you to fill in a few details about your KDC and then it does the rest of the work - this is not very different from how the script works, except you will need to click a "Next" button every so often. The hard part is installing and configuring your KDC, which isn't all that hard but may become a bit more complicated if you want to integrate it with your OpenLDAP server.

I am sorry that I do not have a definite answer for you, but essentially the KDC configuration is specific to your infrastructure and needs and not really a one-size-fits-all thing. Though in the simple case, it can be - and that is what that "Automated Kerberos Installation and Configuration" article describes.

Rising Star

@Blanca Sanz I agree with @Robert Levas

I will try to answer your question. First of all, as per my understanding, you have an LDAP server on your premises and that LDAP server is integrated with the Hadoop platform; now you want to configure strong authentication in this environment. The answer should be "YES", you can...

Please find below the steps to configure OpenLDAP and Kerberos with the Hadoop platform:

* The LDAP server must exist and be configured on all nodes

* You have to install the MIT Kerberos server and configure it on all nodes

* During client configuration you have to give both servers' information

* In "authconfig-tui", under authentication configuration, you have to select LDAP for user information and add Kerberos as the authentication method; you can keep the other settings as they are, except "use ldap authentication" (for more detail see the attached jpeg image ldap-and-kerberos-conf.jpg)

* All required principals should exist and be placed in the appropriate location

Note: It is always recommended to go for strong authentication if your cluster is stable.

Contributor
@Robert Levas many thanks! I had basic errors.

Finally I have it clear. Now I only need to implement it 🙂