Cloudera Employee

Short Description:

Here are the steps to use OpenLDAP as the backend database for Kerberos.


This was done to enable Kerberos security for a cluster and was tested with Ambari and HDP 2.6.5 (CentOS 7).

1-Installation of OpenLDAP

yum install openldap-servers openldap-clients

2- Kerberos will use only LDAPS, so we have to configure SSL for OpenLDAP (I used OpenSSL to generate my certificates)

# mkdir /etc/openldap/cacerts
(copy the root certificate, the OpenLDAP server certificate and its private key into this directory)

# chown ldap:ldap /etc/openldap/cacerts/*


3- Edit /etc/sysconfig/slapd and set :

SLAPD_URLS="ldapi:///  ldap:///   ldaps:///"


4- Import the root certificate into the Java keystore of the server

keytool -importcert -keystore /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts -alias RootCaLdap -trustcacerts -file cacert.crt

5- Edit /etc/openldap/slapd.d/cn\=config.ldif and set :

olcTLSCACertificatePath: /etc/openldap/cacerts/

olcTLSCertificateFile: /etc/openldap/cacerts/LDAP.pem

olcTLSCertificateKeyFile: /etc/openldap/cacerts/LDAP.key

6-Edit /etc/openldap/ldap.conf and set :

TLS_CACERTDIR      /etc/openldap/cacerts


TLS_REQCERT    allow

URI      ldaps://

BASE      dc=field,dc=hortonworks,dc=com

TLS_REQUIRE       never

7- Start OpenLdap

systemctl enable slapd

systemctl start slapd

8- Setup LDAP admin password

slappasswd -h {SSHA} -s  "yourpassword"



9- We need to update the file /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif. DON'T CHANGE IT MANUALLY, IT WILL CAUSE CHECKSUM ERRORS: we create admin.ldif and run ldapmodify to make the changes. Each change is a separate LDIF record, so the records must be separated by a blank line.

# cat admin.ldif

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=field,dc=hortonworks,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=field,dc=hortonworks,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}******************************************

(Replace the asterisks with the hash generated by slappasswd above.)

Then run ldapmodify to make the changes:

ldapmodify -Y EXTERNAL -H ldapi:/// -f admin.ldif

Make changes to /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif (again, not by editing it manually) to restrict monitor access to the LDAP root (ldapadm) user only:

cat monitor.ldif

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=field,dc=hortonworks,dc=com" read by * none

ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
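Step 5 sets the olcTLS* attributes by editing cn=config.ldif directly, which is the kind of manual edit that step 9 warns causes checksum errors. The script below is an added example (not from the article or from the OpenLDAP project) that pushes the same three attributes through ldapmodify over ldapi:///, reads them back, and then checks LDAPS from the client side with certificate verification forced on (the ldap.conf in step 6 uses TLS_REQCERT allow, which accepts any server certificate, so a broken chain would otherwise go unnoticed until the KDC binds). Paths and file names are the article's; the hostname in LDAP_HOST is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original article: apply the TLS settings
# of step 5 with ldapmodify (as step 9 does for the database), then verify
# LDAPS with certificate checking enabled. LDAP_HOST is an assumption.
set -eu

CACERT_DIR=/etc/openldap/cacerts
LDAP_HOST=${LDAP_HOST:-localhost}   # assumption: run on the OpenLDAP server

# Print the LDIF that replaces the three olcTLS* attributes on cn=config.
# One record, three modifications separated by "-" lines.
tls_config_ldif() {
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificatePath
olcTLSCACertificatePath: $CACERT_DIR/
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: $CACERT_DIR/LDAP.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $CACERT_DIR/LDAP.key
EOF
}

# Apply the LDIF over the local ldapi socket as root via SASL EXTERNAL
# (same mechanism the article uses), then read the attributes back so a
# typo in a path is visible immediately.
apply_tls_config() {
    tls_config_ldif | ldapmodify -Y EXTERNAL -H ldapi:///
    ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -s base \
        olcTLSCACertificatePath olcTLSCertificateFile olcTLSCertificateKeyFile
}

# Client-side check with TLS_REQCERT overridden to "demand" for this one
# call: the search only succeeds if the server certificate chains to a CA
# in cacerts, which is what the KDC relies on when it connects over LDAPS.
verify_ldaps() {
    LDAPTLS_CACERTDIR=$CACERT_DIR LDAPTLS_REQCERT=demand \
        ldapsearch -x -H "ldaps://$LDAP_HOST" -s base -b '' namingContexts
}

# The server's private key must be readable by the slapd user only
# (GNU stat, as on CentOS 7).
key_perms_ok() {
    [ "$(stat -c %U "$1")" = ldap ] && [ "$(stat -c %a "$1")" = 600 ]
}

# Usage on the OpenLDAP server, as root:
#   apply_tls_config && verify_ldaps
#   key_perms_ok /etc/openldap/cacerts/LDAP.key || chmod 600 /etc/openldap/cacerts/LDAP.key
```

Because the LDIF is generated by a function, the same script can be run again after a certificate rotation; only the file names in CACERT_DIR change.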

10-Setup LDAP database

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/*

Add the cosine and nis LDAP schemas.

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Generate base.ldif file for your domain.

cat base.ldif



ldapadd -x -W -D "cn=ldapadm,dc=field,dc=hortonworks,dc=com" -f base.ldif

Enter LDAP Password:
adding new entry "dc=field,dc=hortonworks,dc=com"
adding new entry "cn=ldapadm,dc=field,dc=hortonworks,dc=com"
adding new entry "ou=Hadoop,dc=field,dc=hortonworks,dc=com"
adding new entry "ou=Group,dc=field,dc=hortonworks,dc=com"
adding new entry "ou=Hamid,dc=field,dc=hortonworks,dc=com"

ldapsearch -x -H 'ldaps://' -D "cn=ldapadm,dc=field,dc=hortonworks,dc=com" -W
Enter LDAP Password:

# extended LDIF
# LDAPv3
# base <dc=field,dc=hortonworks,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL

dn: dc=field,dc=hortonworks,dc=com
dc: field
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=field,dc=hortonworks,dc=com
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=Hadoop,dc=field,dc=hortonworks,dc=com
objectClass: organizationalUnit
ou: Hadoop

dn: ou=Group,dc=field,dc=hortonworks,dc=com
objectClass: organizationalUnit
ou: Group

dn: ou=Hamid,dc=field,dc=hortonworks,dc=com
objectClass: organizationalUnit
ou: Hamid

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5

11-Install Kerberos

yum install krb5-server krb5-server-ldap openldap-clients krb5-workstation

on all other nodes

yum install openldap-clients krb5-workstation

12-Load the Kerberos schema into OpenLdap

12-1-Preparing Kerberos.ldif

cp /usr/share/doc/krb5-server-ldap-1.15.1/kerberos.schema /etc/openldap/schema

Create /tmp/schema_convert.conf with these lines (the order matters, see the index used below):

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/kerberos.schema

mkdir /tmp/ldif_output

slapcat -f /tmp/schema_convert.conf -F /tmp/ldif_output/ -n0 -s "cn={12}kerberos,cn=schema,cn=config" > /tmp/cn\=kerberos.ldif

({12} is the position of kerberos.schema in the include list above, counted from 0, and the generated file is written to /tmp so that the following steps find it.)

12-2-Edit the generated /tmp/cn\=kerberos.ldif file so that its first lines read:

dn: cn=kerberos,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: kerberos

And remove the following lines from the end of the file :


Load the Kerberos schema into OpenLDAP (the file has no changetype, so it is added as a new entry):

ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/cn\=kerberos.ldif

12-3-Add an index for Kerberos

cat index.ldif

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: krbPrincipalName eq,pres,sub

ldapmodify -Y EXTERNAL -H ldapi:/// -f index.ldif

13-Setup krb5.conf

The section headers and closing braces required by the krb5.conf format are shown below (they were missing on the page); the realm name is the one used in step 14, and the KDC and admin-server hostnames were not given, so those two values are left blank.

includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 udp_preference_limit = 1
 default_ccache_name = FILE:/tmp/krb5cc_%{uid}

[realms]
 FIELD.HORTONWORKS.COM = {
  kdc =
  admin_server =
  database_module = openldap_ldapconf
 }

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 3600
  renew_lifetime = 3600
  forwardable = true
  krb4_convert = false
 }

[dbmodules]
 openldap_ldapconf = {
  db_library = kldap
  ldap_kerberos_container_dn = cn=kerberos,dc=field,dc=hortonworks,dc=com
  ldap_kdc_dn = cn=manager,dc=field,dc=hortonworks,dc=com
  ldap_kadmind_dn = cn=manager,dc=field,dc=hortonworks,dc=com
  ldap_service_password_file = /etc/krb5.d/stash.keyfile
  ldap_servers = ldapi:///
  ldap_conns_per_server = 5
 }

14-Create the Kerberos subtree in LDAP

Populate the OpenLDAP with the base kerberos users:

kdb5_ldap_util -D cn=manager,dc=field,dc=hortonworks,dc=com create -subtrees cn=kerberos,dc=field,dc=hortonworks,dc=com -r FIELD.HORTONWORKS.COM -s -H ldaps://

15-Create the stash file containing the password of the DN that the KDC and kadmind bind to OpenLDAP with (ldap_kdc_dn and ldap_kadmind_dn in krb5.conf, cn=manager here). The name given to stashsrvpw must be that bind DN, spelled exactly as in krb5.conf, otherwise the KDC cannot find its password in the file.

kdb5_ldap_util -D cn=manager,dc=field,dc=hortonworks,dc=com stashsrvpw -f /etc/krb5.d/stash.keyfile cn=manager,dc=field,dc=hortonworks,dc=com

Restart KDC and Kadmin

systemctl restart krb5kdc
systemctl restart kadmin
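Added example, not part of the article: a check that the stash file written in step 15 really covers the DNs the KDC binds with according to the [dbmodules] section of step 13, and that the file (which holds the LDAP admin password in recoverable form) is readable by root only. It runs against constructed sample files so it needs no KDC; the paths and DNs are the article's.

```shell
#!/bin/sh
# Added example, not part of the original article: cross-check krb5.conf
# against the kdb5_ldap_util stash file. The KDC looks the bind password up
# by the exact DN string of ldap_kdc_dn / ldap_kadmind_dn, so both files
# must use the same spelling.
set -eu

# Print the value of key $2 from krb5.conf $1 (first match, trimmed).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Succeed if stash file $1 has a line for DN $2. Stash lines look like
#   <dn>#{HEX}<hex-encoded password>
# so the DN is everything before the first '#'. The match is exact and
# case-sensitive, like the lookup the KDC performs.
stash_has_dn() {
    cut -d'#' -f1 "$1" | grep -qxF -- "$2"
}

# The stash must be owned by root and unreadable by anyone else
# (GNU stat, as on CentOS 7).
stash_perms_ok() {
    [ "$(stat -c %U "$1")" = root ] && [ "$(stat -c %a "$1")" = 600 ]
}

# For each bind DN in krb5.conf $1, report whether stash $2 covers it.
check_stash() {
    rc=0
    for key in ldap_kdc_dn ldap_kadmind_dn; do
        dn=$(conf_value "$1" "$key")
        if [ -z "$dn" ]; then
            echo "$key: not set in $1"; rc=1
        elif stash_has_dn "$2" "$dn"; then
            echo "$key: $dn is stashed in $2"
        else
            echo "$key: $dn is MISSING from $2"; rc=1
        fi
    done
    return "$rc"
}

# Self-contained demonstration on constructed files: a stash written for
# the bind DN passes, one written for the container DN cn=kerberos,...
# (a common mix-up) is reported as missing. Succeeds only if both
# outcomes are as expected.
demo_check_stash() {
    d=$(mktemp -d)
    printf '%s\n' '[dbmodules]' ' openldap_ldapconf = {' \
        '  ldap_kdc_dn = cn=manager,dc=field,dc=hortonworks,dc=com' \
        '  ldap_kadmind_dn = cn=manager,dc=field,dc=hortonworks,dc=com' \
        ' }' > "$d/krb5.conf"
    # {HEX}736563726574 is "secret": a constructed value, not a real password
    printf '%s\n' 'cn=manager,dc=field,dc=hortonworks,dc=com#{HEX}736563726574' > "$d/good.stash"
    printf '%s\n' 'cn=kerberos,dc=field,dc=hortonworks,dc=com#{HEX}736563726574' > "$d/bad.stash"
    check_stash "$d/krb5.conf" "$d/good.stash" || return 1
    if check_stash "$d/krb5.conf" "$d/bad.stash"; then return 1; fi
    rm -rf "$d"
    return 0
}

# Real use on the KDC host:
#   check_stash /etc/krb5.conf /etc/krb5.d/stash.keyfile \
#     && stash_perms_ok /etc/krb5.d/stash.keyfile
```

If the check reports a DN as missing, rerun kdb5_ldap_util stashsrvpw with that DN as the name argument rather than editing the stash file by hand.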

16-Prepare Kerberos for Ambari

Create the KDC admin principal:

kadmin.local -q "addprinc admin/admin"

Confirm that this admin principal has permissions in the KDC ACL:

vim /var/kerberos/krb5kdc/kadm5.acl
(change EXAMPLE.COM to your realm)

systemctl restart krb5kdc
systemctl restart kadmin

17-Enable Security for the Cluster





After Kerberization of the cluster, check with ldapsearch that all the principals have been created.
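An added example (not from the article) of that check: it pulls every krbPrincipalName from the Kerberos container over LDAPS and compares the list with the principals you expect, so a missing or mistyped principal shows up before the services are started. The bind DN and container DN are the article's; the principal and host names in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: list the principals
# stored in LDAP after kerberization and diff them against an expected
# list. Sample LDIF below is constructed, not real server output.
set -eu

BASE_DN=dc=field,dc=hortonworks,dc=com
KRB_CONTAINER="cn=kerberos,$BASE_DN"
BIND_DN="cn=ldapadm,$BASE_DN"

# Query the KDC's LDAP backend over LDAPS (prompts for the bind password).
dump_principals() {
    ldapsearch -x -LLL -H ldaps:// -D "$BIND_DN" -W -b "$KRB_CONTAINER" \
        '(objectClass=krbPrincipal)' krbPrincipalName
}

# Read LDIF on stdin and print the principal names, one per line, sorted.
# LDIF folds long values onto continuation lines that begin with one
# space, so those are joined back first. Base64 values ("::") do not occur
# for ASCII principal names and are ignored.
principals_from_ldif() {
    sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' \
        | sed -n 's/^krbPrincipalName: //p' | sort -u
}

# Expected principals on stdin, LDIF in file $1: print the expected ones
# that are absent from the LDIF and fail if there are any.
missing_principals() {
    found=$(mktemp)
    principals_from_ldif < "$1" > "$found"
    missing=$(sort -u | grep -vxF -f "$found" || true)
    rm -f "$found"
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
}

# Constructed sample of what dump_principals returns: two principals, one
# of them with a folded dn line. Host names are assumptions.
sample_ldif() {
    cat <<'EOF'
dn: krbPrincipalName=nn/nn1.field.hortonworks.com@FIELD.HORTONWORKS.COM,cn=FIELD.
 HORTONWORKS.COM,cn=kerberos,dc=field,dc=hortonworks,dc=com
krbPrincipalName: nn/nn1.field.hortonworks.com@FIELD.HORTONWORKS.COM

dn: krbPrincipalName=admin/admin@FIELD.HORTONWORKS.COM,cn=FIELD.HORTONWORKS.COM,cn=kerberos,dc=field,dc=hortonworks,dc=com
krbPrincipalName: admin/admin@FIELD.HORTONWORKS.COM
EOF
}

# Run the comparison on the sample: prints the one expected principal the
# sample lacks (the constructed yarn/rm1 one) and returns 1.
demo_missing() {
    ldif=$(mktemp)
    sample_ldif > "$ldif"
    rc=0
    printf '%s\n' 'admin/admin@FIELD.HORTONWORKS.COM' \
        'nn/nn1.field.hortonworks.com@FIELD.HORTONWORKS.COM' \
        'yarn/rm1.field.hortonworks.com@FIELD.HORTONWORKS.COM' \
        | missing_principals "$ldif" || rc=$?
    rm -f "$ldif"
    return "$rc"
}

# Real use: dump_principals > /tmp/principals.ldif, then
#   sort expected_principals.txt | missing_principals /tmp/principals.ldif
```

The expected list can be produced from the Ambari Kerberos descriptor (one principal per line); anything the script prints is a principal Ambari should have created but that the LDAP backend does not contain.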


Test accessing HDFS




Hi @Hamid Zorgani,

Thanks a lot for the detailed information. It's really helpful.

I have a couple of doubts, could you please clarify:

1. Do we need to execute all steps on the Ambari server? Especially steps 1 to 10?

2. I already have OpenLDAP installed in my cluster; are all the steps still mandatory?

Please let me know if you need any more information.


Manjunath P N

Cloudera Employee

Hi Manjunath,

You don't need to run all the steps on the Ambari server. You can even use your own existing OpenLDAP. Just make sure you have the krb5.conf across all the machines. And if you have secure LDAP, make sure to import the certificate into the Ambari truststore and/or the Java truststore of the OS where Ambari is running. Thanks
