With Ambari AD management is it possible to have user names prefixed automatically?

1 ACCEPTED SOLUTION


@hkropp - if you're talking about automatically prefixing all AD Kerberos principal names that are created, it is possible.

http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.0/bk_Ambari_Security_Guide/content/_launching_...

See 4.2.5.1g for some description on how specific LDAP attributes can be modified on creation for each of the principals (if necessary), and 4.2.1.8 on our default prefix which is the name of the cluster.


4 REPLIES 4


If this is for a Kerberized cluster, you can create rules in the auth_to_local setting under the REALMS configuration section of the krb5.conf file. You would have to tinker with the Advanced krb5 configuration settings in Ambari to create and propagate the rules. The rules can use the incoming AD id and manipulate it as you need. The MIT documentation has a few examples at http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
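
Added example, not part of the original thread: a simplified Python model of how `auth_to_local` rules of the form `RULE:[n:string](regexp)s/pattern/replacement/g` map prefixed principals to local names, and why the realm (`$0`) belongs in the match. The `hdp1-` prefix, the `EXAMPLE.COM` realm and the function names are assumptions made up for illustration; Python regex stands in for the regex engine krb5 uses.

```python
import re

# Simplified model of RULE:[n:format](match)s/pattern/replacement/[g].
# Assumption: Python regex stands in for the POSIX regex krb5 uses.
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

def apply_rule(rule, principal):
    """Return the local name produced by one RULE, or None if it does not apply."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule: {rule}")
    n, fmt, match, pat, repl, glob = m.groups()
    name, _, realm = principal.partition("@")
    comps = name.split("/")
    if len(comps) != int(n):          # rule only covers n-component principals
        return None
    fields = [realm] + comps          # $0 = realm, $1.. = components
    s = re.sub(r"\$(\d)", lambda x: fields[int(x.group(1))], fmt)
    if match is not None and not re.fullmatch(match, s):
        return None                   # whole formatted string must match
    if pat is not None:
        # replacement is inserted literally; without /g only the first hit changes
        s = re.sub(pat, lambda _: repl, s, count=0 if glob else 1)
    return s

def map_principal(rules, principal, default_realm):
    """First applicable rule wins; None means no local account is mapped."""
    for rule in rules:
        if rule == "DEFAULT":
            name, _, realm = principal.partition("@")
            if realm == default_realm and "/" not in name:
                return name
            continue
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None

# Constructed sample: cluster prefix "hdp1-" and realm EXAMPLE.COM are placeholders.
RULES = [
    r"RULE:[1:$1@$0](hdp1-hdfs@EXAMPLE\.COM)s/.*/hdfs/",  # prefixed headless principal
    r"RULE:[1:$1@$0](hdp1-.*@EXAMPLE\.COM)s/@.*//",       # other prefixed names keep the prefix
    "DEFAULT",
]

if __name__ == "__main__":
    for p in ("hdp1-hdfs@EXAMPLE.COM", "hdp1-alice@EXAMPLE.COM",
              "bob@EXAMPLE.COM", "hdp1-hdfs@OTHER.EXAMPLE"):
        print(p, "->", map_principal(RULES, p, "EXAMPLE.COM"))
```

Because the match is evaluated against `$1@$0`, a principal with the same prefixed name from another realm falls through every rule and gets no local account.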


What about CN or sAMAccount? As I understand they will be the same as principal name, or?


Each can be altered independently in the Attribute Template:

http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.0/bk_Ambari_Security_Guide/content/_customizin...

When you run through the wizard you'll see the template with the CN and sAMAccountName, where you have the opportunity to prepend, append, or alter their values.