
LDAPS requirement in AD-KDC


Hi, While securing (Kerberos) a cluster for one of our customers using an existing AD, we observed that the AD is not configured with Secure LDAP (LDAPS). As specified in the link below, it states that LDAPS is recommended for setting up Kerberos with existing AD. At the customer end, the process of securing the LDAP is bound to multiple approvals and tests which might delay the setup.

Is it strictly recommended to have LDAPS before we secure the cluster? Are there any workarounds to continue with the setup with LDAP? Please let me know the probable issues that we might face if we follow the latter.

LINK: http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.1/bk_Ambari_Security_Guide/content/_use_an_exi...

Thanks for your time,

Krishna

1 ACCEPTED SOLUTION


If Ambari is to manage the cluster's Kerberos identities in the Active Directory, then it must connect to the Active Directory using LDAPS. This is to allow Ambari to set the account passwords. If LDAP is used, enabling Kerberos will fail since Ambari needs to set the relevant account passwords and the Active Directory will reject the calls to create accounts from Ambari.

If you cannot use LDAPS, then you will need to select the manual option when enabling Kerberos where you will need to manually create the accounts in the Active Directory. You will then need to export keytab files and distribute them to the appropriate hosts. A CSV file is provided via the wizard to identify the identities and keytab files needed.
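A pre-flight check for the requirement described in this answer, added here as an example (it is not Ambari code and not part of the original reply). It assumes the AD host name, port and CA bundle path shown in the usage at the bottom; the CA bundle is the same chain that Ambari's truststore must trust. The second function shows the encoding AD expects for its password attribute, which AD will only accept over an encrypted (LDAPS/TLS) session.

```python
"""Check that a domain controller offers LDAPS before enabling Kerberos.

Added example, not Ambari code. Host, port and CA file are assumptions.
"""
import socket
import ssl
from typing import Optional


def check_ldaps(host: str, port: int = 636, ca_file: Optional[str] = None,
                timeout: float = 5.0) -> dict:
    """Perform a TLS handshake against the AD LDAPS endpoint.

    Returns {'ok': True, 'subject': ..., 'protocol': ...} on success, or
    {'ok': False, 'reason': ...} when the port is closed, the handshake
    fails or the certificate is not trusted by the given CA bundle. Any of
    those failures is the state in which Ambari's automated account
    creation (which must set passwords) will be rejected by AD.
    """
    try:
        # Default context verifies the chain and the host name, as Ambari's
        # truststore-based connection will.
        ctx = ssl.create_default_context(cafile=ca_file)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "subject": cert.get("subject"),
                        "protocol": tls.version()}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "reason": f"certificate not trusted: {exc}"}
    except (OSError, ssl.SSLError) as exc:  # refused, timeout, handshake
        return {"ok": False, "reason": f"{type(exc).__name__}: {exc}"}


def encode_ad_password(password: str) -> bytes:
    """Encode a password the way AD's unicodePwd attribute requires:
    the value wrapped in double quotes, then UTF-16-LE encoded.
    AD refuses to set this attribute over an unencrypted LDAP session,
    which is why plain LDAP is not enough for Ambari's automated mode."""
    return f'"{password}"'.encode("utf-16-le")


if __name__ == "__main__":
    # Assumed values; replace with the customer's DC and CA bundle.
    print(check_ldaps("ad.example.com", 636, ca_file="/etc/pki/ad-ca.pem"))
```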


3 REPLIES



Robert Levas,

Thank you for your inputs.


You are welcome. I am glad I could help.