How to connect Kerberos with multiple LDAP servers?


My actual task is to make our kerberized Hadoop cluster usable by all our teams.
Right now we have a very weird setup in our company:




  1. The Hadoop cluster has a dedicated KDC (openSUSE Kerberos with LDAP backend)

  2. We have a secondary LDAP listing, without KDC (with r/w permissions)

  3. We have Microsoft AD with LDAP, both read-only, and according to security policy no cross-realm trust from AD to Hadoop Kerberos is allowed. The AD-LDAP is in read-only mode.


And now my task is to allow users of secondary LDAP and AD-LDAP to use Hadoop, thus the dedicated KDC must know them somehow.



What I was thinking about:




  • Maybe I can add the read-only LDAP directories as additional Kerberos backends?

  • I can install an additional Kerberos that would manage those LDAPs with an additional realm (e.g. @LDAP & @ADLDAP or similar), and then create a cross-realm trust. However, I have write permissions only on the secondary LDAP, not the AD-LDAP, thus I see no way of adding the cross-realm trust that easily there.

  • I could try to define some kind of name conversion, so that the ldapsearch allowed user would be seen as krbtgt/HADOOP@ADLDAP.










  • After long research I have found some ways how it might work. However, all of them are not plausible. Either you are Kerberized or not. With this my question becomes absolute.

    – Mihail Gershkovich
    Jul 6 '17 at 16:48


















ldap active-directory kerberos hadoop














edited Apr 23 '18 at 20:37









U880D











asked Jun 29 '17 at 8:50









Mihail Gershkovich
























1 Answer














Sorry, I have no answers for your questions...
But I would like to know if you can point me to some documentation about 'openSUSE Kerberos with LDAP backend'. I googled for hours and didn't find anything about doing this....






answered 19 mins ago

FredT
