Service users in LDAP

Got a question about creating service users in our LDAP directory.

The last part of the CM5 guide to configuring LDAP here mentions that you need to "ensure all your services are registered users in LDAP."

Two questions:

1. Is there any scope for changing the names of some of these users? Using Active Directory for LDAP and don't particularly want mapred, yarn, etc. as users in AD - it doesn't fit in with the naming convention used for other services. Presumably if I changed the users I'd also need to chown/chgrp a load of stuff in HDFS.

2. As an alternative to configuring CDH to use LDAP directly, are there any drawbacks to delegating to PAM on the local Linux box, which in turn is configured to resolve users against AD?

Thanks

Re: Service users in LDAP

Doing (1) is not supported today (within a secured cluster context). We also strongly recommend using a trust-setup involving a local MIT KDC (for service principals) and your AD (for other users). This setup is detailed at http://www.cloudera.com/content/cloudera-content/cloudera-docs/CM5/latest/Configuring-Hadoop-Securit...

Re: Service users in LDAP

With CM 5.1, just released, you can also get CM to handle the service principals for you in the AD, avoiding the need for a local MIT KDC.

http://www.cloudera.com/content/cloudera-content/cloudera-docs/CM5/latest/Configuring-Hadoop-Securit...