
LDAPS requirement in AD-KDC

New Contributor

Hi, while securing (Kerberos) a cluster for one of our customers using an existing AD, we observed that the AD is not configured with Secure LDAP (LDAPS). The link below states that LDAPS is recommended for setting up Kerberos with an existing AD. At the customer end, the process of securing the LDAP is bound to multiple approvals and tests, which might delay the setup.

Is it strictly recommended to have LDAPS before we secure the cluster? Are there any workarounds to continue with the setup over plain LDAP? Please let me know the probable issues that we might face if we follow the latter.

LINK: http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.1/bk_Ambari_Security_Guide/content/_use_an_exi...

Thanks for your time,

Krishna

1 ACCEPTED SOLUTION

Re: LDAPS requirement in AD-KDC

If Ambari is to manage the cluster's Kerberos identities in the Active Directory, then it must connect to the Active Directory using LDAPS. This is to allow Ambari to set the account passwords. If plain LDAP is used, enabling Kerberos will fail, since Ambari needs to set the relevant account passwords and the Active Directory will reject the calls from Ambari to create the accounts.

If you cannot use LDAPS, then you will need to select the manual option when enabling Kerberos, where you will need to manually create the accounts in the Active Directory. You will then need to export keytab files and distribute them to the appropriate hosts. A CSV file is provided via the wizard to identify the identities and keytab files needed.
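The reason behind the LDAPS requirement is that Active Directory only accepts a write to the `unicodePwd` attribute over an encrypted connection; over plain LDAP the domain controller answers the password set with `unwillingToPerform`, which is the failure the answer above describes. When you take the manual route instead, the step that most often goes wrong is the hand-off between the wizard's CSV and the keytabs exported with `ktpass`: a keytab lands on a host with a typo in the principal, a stale KVNO from a re-run of `ktpass`, or an RC4-only key. The script below is an added example, not part of this thread or of Ambari: it parses the MIT keytab binary format (version 0x0502) and checks each keytab a host should have against the rows of the wizard's CSV for that host. The CSV column names (`host`, `principal name`, `keytab file path`) are an assumption about the wizard's export; compare them with the header of the file you downloaded. The sample CSV and sample keytabs are constructed inline so the script runs offline; on a real host you would read the files from the paths in the CSV instead.

```python
"""Check manually exported keytabs against the principals Ambari's CSV expects.

Added example, not Ambari's own code. Parses MIT/Heimdal keytabs (version 0x0502)
and reports missing principals, mixed KVNOs and weak encryption types. The CSV
column names used here are an assumption about the wizard's export.
"""
import csv
import io
import struct
from dataclasses import dataclass

# Kerberos encryption type numbers (RFC 3961 / IANA registry)
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}   # single DES and RC4: flag them


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    timestamp: int


def parse_keytab(data: bytes) -> list:
    """Parse a keytab: 0x05 0x02 header, then int32-sized entries (big-endian)."""
    if len(data) < 2 or data[0] != 0x05 or data[1] != 0x02:
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        entry = data[pos:pos + size]
        pos += size
        off = 0

        def counted_string():            # uint16 length followed by bytes
            nonlocal off
            (ln,) = struct.unpack_from(">H", entry, off)
            off += 2
            s = entry[off:off + ln]
            off += ln
            return s.decode()

        (n_comp,) = struct.unpack_from(">H", entry, off)
        off += 2
        realm = counted_string()
        comps = [counted_string() for _ in range(n_comp)]
        off += 4                          # uint32 name_type (present in v2 keytabs)
        ts, vno8 = struct.unpack_from(">IB", entry, off)
        off += 5
        enctype, keylen = struct.unpack_from(">HH", entry, off)
        off += 4 + keylen                 # skip the key material itself
        kvno = vno8
        if size - off >= 4:               # optional 32-bit KVNO overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", entry, off)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, ts))
    return entries


def build_keytab(entries) -> bytes:
    """Build a 0x0502 keytab from (principal, kvno, enctype, key) tuples.
    Only used to construct sample input here; ktpass/kadmin write real keytabs."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type=1, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                   # 32-bit KVNO
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytabs(csv_text: str, host: str, keytab_files: dict) -> list:
    """Compare the CSV rows for `host` with the keytabs found; return problems."""
    problems = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["host"] != host:
            continue
        princ, path = row["principal name"], row["keytab file path"]
        data = keytab_files.get(path)
        if data is None:
            problems.append(f"{host}: keytab {path} not found")
            continue
        matching = [e for e in parse_keytab(data) if e.principal == princ]
        if not matching:
            problems.append(f"{host}: {path} lacks {princ}")
            continue
        if len({e.kvno for e in matching}) > 1:
            problems.append(f"{host}: {path} has mixed KVNOs for {princ}")
        for e in matching:
            if e.enctype in WEAK_ENCTYPES:
                name = ENCTYPE_NAMES.get(e.enctype, str(e.enctype))
                problems.append(f"{host}: {path} {princ} uses weak enctype {name}")
    return problems


# Constructed sample data (column names are an assumption about the wizard's CSV).
SAMPLE_CSV = """host,description,principal name,principal type,keytab file path
nn1.example.com,NameNode,nn/nn1.example.com@EXAMPLE.COM,service,/etc/security/keytabs/nn.service.keytab
nn1.example.com,HTTP,HTTP/nn1.example.com@EXAMPLE.COM,service,/etc/security/keytabs/spnego.service.keytab
nn1.example.com,DataNode,dn/nn1.example.com@EXAMPLE.COM,service,/etc/security/keytabs/dn.service.keytab
"""
SAMPLE_KEYTABS = {
    "/etc/security/keytabs/nn.service.keytab": build_keytab([
        ("nn/nn1.example.com@EXAMPLE.COM", 2, 18, b"\x11" * 32),
        ("nn/nn1.example.com@EXAMPLE.COM", 2, 17, b"\x22" * 16),
    ]),
    "/etc/security/keytabs/spnego.service.keytab": build_keytab([
        ("HTTP/nn1.example.com@EXAMPLE.COM", 3, 23, b"\x33" * 16),   # stale RC4 key
        ("HTTP/nn1.example.com@EXAMPLE.COM", 4, 18, b"\x44" * 32),
    ]),
    # dn.service.keytab deliberately absent
}


def demo() -> list:
    return check_keytabs(SAMPLE_CSV, "nn1.example.com", SAMPLE_KEYTABS)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Run it once per host against that host's rows; an empty result means every keytab the CSV lists is present, holds the expected principal under a single KVNO, and uses AES keys. The KVNO check matters because `ktpass` bumps the account's KVNO each time it resets the password, so a keytab exported before a re-run stops working even though the principal name is right.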


Re: LDAPS requirement in AD-KDC

New Contributor

Robert Levas,

Thank you for your inputs.

Re: LDAPS requirement in AD-KDC

You are welcome. I am glad I could help.