Posted to user@hadoop.apache.org by Aneela Saleem <an...@platalytics.com> on 2016/06/19 09:07:36 UTC

Configure Hadoop Kerberos to authenticate LDAP users

Hi all,

I have configured Kerberos on a Hadoop cluster which successfully authenticates users that reside in the Kerberos database. Now I want to make Hadoop Kerberos authenticate LDAP users directly instead of local users. I've been looking into it for days but didn't find the correct direction. I followed this <http://web.mit.edu/kerberos/krb5-1.13/doc/admin/advanced/ldapbackend.html#ldap-be-ubuntu>, but this only adds the principals to LDAP (I don't want this); I just need to authenticate already existing LDAP users while accessing Hadoop through Kerberos. I also considered this <http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.2/bk_Security_Guide/content/kerb-oneway-trust.html>, but I don't know how to do this on my Ubuntu machine. Suitable response and guidance would be highly appreciated.

Thanks

RE: Configure Hadoop Kerberos to authenticate LDAP users

Posted by "Zheng, Kai" <ka...@intel.com>.
I'm not aware of a clear solution for this if you use MIT Kerberos KDC or other Kerberos products; your problem isn't related to Hadoop at all. Your basic problem is how you make it allow your LDAP users to authenticate via Kerberos, without account sync-up between your LDAP and the KDC backend. If you can get this to work, then your LDAP users can do kinit and then access the Hadoop cluster normally.

So to solve the problem, depending on which KDC is used, you may query the corresponding vendor, like MIT KDC. Particularly for MIT KDC, I don't know whether it supports customizing and plugging in your own backend well. The existing LDAP backend may imply some krb5 schema, and at least you need to populate your LDAP entries into it.

Apache Kerby also provides a KDC server and does support customizing your own backend implementation, say, against your existing LDAP server. That means you provide an abstraction or bridge between the KDC server and your LDAP server.

Basically, the delegation or bridge abstraction for your LDAP may work for you, depending on how successful the mapping is, or how you could provide the basic and necessary information for the Kerberos logic by querying your LDAP entries. The basic ones are like: 1) how to determine the principal realm? Is it available in your LDAP database? 2) how to determine the encryption keys? Do you have the password? If you do, it means you may need to transform the password to Kerberos keys dynamically.

An ideal way could be like this: your LDAP users are authenticated as usual, regardless of Kerberos, and the authenticated result could be represented in a token. The token can then be recognized by the Kerberos KDC as a credential (only doable in Kerby KDC), or the token could be used directly to access the Hadoop cluster (long desired, but not possible at the moment).

Regards,
Kai

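The "transform password to Kerberos keys dynamically" step Kai mentions is the standard string-to-key function, which a bridge backend would have to reproduce exactly or the keys it hands the KDC will not match what the client derives in kinit. The example below is added here for illustration; it is not code from Kai, from Apache Kerby, or from Hadoop. It implements string-to-key for the aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96 enctypes from RFC 3962 (PBKDF2-HMAC-SHA1, then the RFC 3961 DK function with the constant "kerberos"), using only the Go standard library, and checks itself against the RFC 3962 appendix B test vector. The salt, iteration count and key length are parameters because all three must agree with what the client side uses: the default salt is the realm followed by the principal name components, and the KDC advertises salt and enctype to the client in the pre-authentication hint. Two assumptions are built in: that the bridge can see the user's cleartext password at the moment it needs the key (a directory that stores only password hashes cannot support this path at all), and that the iteration count is the one the client will use (4096 is the RFC 3962 default; the test vector uses 1).

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"math/big"
)

// pbkdf2HmacSha1 is a minimal PBKDF2 (RFC 2898) over HMAC-SHA1, spelled
// out here so the example needs only the Go standard library.
func pbkdf2HmacSha1(password, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)              // U_1
		t := append([]byte(nil), u...) // T = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iterations; i++ {
			mac = hmac.New(sha1.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// rotateRight rotates a byte string right by the given number of bits.
func rotateRight(in []byte, bits int) []byte {
	n, out := len(in), make([]byte, len(in))
	byteShift, bitShift := (bits/8)%n, uint(bits%8)
	for i := range out {
		src, prev := ((i-byteShift)%n+n)%n, ((i-byteShift-1)%n+n)%n
		out[i] = in[src]>>bitShift | in[prev]<<(8-bitShift)
	}
	return out
}

// nfold implements n-fold from RFC 3961: concatenate copies of the input,
// each rotated right 13 bits more than the previous one, up to lcm(len(in), n)
// bytes, then add the n-byte pieces with end-around carry, i.e. modulo 2^(8n)-1.
func nfold(in []byte, n int) []byte {
	var buf []byte
	for i := 0; len(buf) == 0 || len(buf)%n != 0; i++ {
		buf = append(buf, rotateRight(in, 13*i)...)
	}
	mod := new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), uint(8*n)), big.NewInt(1))
	total := new(big.Int)
	for p := 0; p < len(buf); p += n {
		total.Add(total, new(big.Int).SetBytes(buf[p:p+n]))
	}
	sum := new(big.Int).Mod(total, mod)
	if sum.Sign() == 0 && total.Sign() != 0 {
		sum.Set(mod) // ones-complement addition never carries a nonzero sum to zero
	}
	out := make([]byte, n)
	sum.FillBytes(out)
	return out
}

// deriveKey is DK(key, constant) of RFC 3961 for the AES enctypes: n-fold the
// constant to one block, then K1 = E(key, X), K2 = E(key, K1), ... until keyLen
// bytes exist. One block under CBC-CTS with a zero IV is a plain block
// encryption, and random-to-key is the identity for AES.
func deriveKey(key, constant []byte, keyLen int) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	x := nfold(constant, aes.BlockSize)
	var out []byte
	for len(out) < keyLen {
		next := make([]byte, aes.BlockSize)
		c.Encrypt(next, x)
		out = append(out, next...)
		x = next
	}
	return out[:keyLen]
}

// aesStringToKey is string-to-key for aes128-cts-hmac-sha1-96 (keyLen 16) and
// aes256-cts-hmac-sha1-96 (keyLen 32); the salt defaults to realm + name parts.
func aesStringToKey(password, salt string, iterations, keyLen int) []byte {
	tkey := pbkdf2HmacSha1([]byte(password), []byte(salt), iterations, keyLen)
	return deriveKey(tkey, []byte("kerberos"), keyLen)
}

func main() {
	k := aesStringToKey("password", "ATHENA.MIT.EDUraeburn", 1, 32) // RFC 3962 appendix B vector
	fmt.Println("aes256-cts-hmac-sha1-96 key:", hex.EncodeToString(k))
}
```

Run with `go run`; the printed key should equal the aes256 value given in RFC 3962 appendix B for that password, salt and iteration count. In a bridge backend this function would be called on the verification path, and the derived key (not the password) is what gets handed to the KDC logic; if the directory only exposes a bind operation, there is no cleartext to derive from and the token approach Kai describes is the remaining option.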