Created 03-21-2016 01:26 PM
Hi, While securing (Kerberos) a cluster for one of our customers using an existing AD, we observed that the AD is not configured with Secure LDAP (LDAPS). As specified in the link below, it states that LDAPS is recommended for setting up Kerberos with existing AD. At the customer end, the process of securing the LDAP is bound to multiple approvals and tests which might delay the setup.
Is it strictly recommended to have LDAPS before we secure the cluster? Are there any workarounds to continue with the setup with LDAP? Please let me know the probable issues that we might face if we follow the latter.
Thanks for your time,
Krishna
Created 03-21-2016 03:24 PM
If Ambari is to manage the cluster's Kerberos identities in the Active Directory, then it must connect to the Active Directory using LDAPS. This is to allow Ambari to set the account passwords. If LDAP is used, enabling Kerberos will fail since Ambari needs to set the relevant account passwords and the Active Directory will reject the calls to create accounts from Ambari.
If you cannot use LDAPS, then you will need to select the manual option when enabling Kerberos where you will need to manually create the accounts in the active directory. You will then need to export keytab files and distribute them to the appropriate hosts. A CSV file is provided via the wizard to identify the identities and keytab files needed.
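Added example (not from this thread, and not Ambari's own code): a pre-flight check a cluster admin could run before starting the wizard. It encodes why the answer above holds: AD accepts writes to the unicodePwd attribute only on a TLS-protected session, so the script confirms the KDC host URL is ldaps:// and that a chain- and hostname-verified TLS session to the LDAPS port succeeds with the CA certificate Ambari will trust. The host name, CA path and password are placeholders.

```python
"""Pre-flight checks before running the Ambari Kerberos wizard against AD (added example)."""
import socket
import ssl
from typing import List, Optional
from urllib.parse import urlparse


def encode_unicode_pwd(password: str) -> bytes:
    """AD's unicodePwd attribute takes the password in double quotes, UTF-16-LE encoded.
    AD only accepts this write on a TLS-protected connection, which is why the
    wizard needs ldaps:// when Ambari manages the principals itself."""
    return f'"{password}"'.encode("utf-16-le")


def ldap_port(ldap_url: str) -> int:
    """Explicit port if given, else the scheme default (636 for ldaps, 389 for ldap)."""
    parsed = urlparse(ldap_url)
    if parsed.port:
        return parsed.port
    return 636 if parsed.scheme.lower() == "ldaps" else 389


def url_problems(ldap_url: str) -> List[str]:
    """Return reasons this KDC host URL is unsuitable for Ambari-managed AD principals."""
    parsed = urlparse(ldap_url)
    problems = []
    if parsed.scheme.lower() != "ldaps":
        problems.append("scheme is %r, not ldaps: AD refuses password (unicodePwd) "
                        "writes over plaintext LDAP" % parsed.scheme)
    if not parsed.hostname:
        problems.append("no host name in URL")
    return problems


def check_ldaps(ldap_url: str, cafile: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Open a chain- and hostname-verified TLS session to the DC on the LDAPS port and
    summarise the server certificate. Needs network access to the domain controller."""
    problems = url_problems(ldap_url)
    if problems:
        raise ValueError("; ".join(problems))
    host = urlparse(ldap_url).hostname
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: the AD CA cert Ambari will trust
    with socket.create_connection((host, ldap_port(ldap_url)), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"tls_version": tls.version(), "not_after": cert.get("notAfter"),
                    "subject": dict(rdn[0] for rdn in cert.get("subject", ()))}


if __name__ == "__main__":  # placeholder host and CA path
    print(check_ldaps("ldaps://dc01.example.com", cafile="/path/to/ad-ca.pem"))
```

If the TLS handshake fails on certificate verification, the same failure will hit Ambari, so fix the DC's certificate or the trust store before enabling Kerberos.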
Created 03-21-2016 04:23 PM
Robert Levas,
Thank you for your inputs.
Created 03-21-2016 04:32 PM
You are welcome. I am glad I could help.