Hadoop Security Guide

Configure Ambari to use LDAP Server

Note

If you are using LDAPS and the LDAPS server certificate is signed by a trusted Certificate Authority, you do not need to import the certificate into Ambari, so this section does not apply to you. If the LDAPS server certificate is self-signed, or is signed by an unrecognized certificate authority such as an internal certificate authority, you must import the certificate and create a keystore file. The following example creates a keystore file at /keys/ldaps-keystore.jks, but you can create it anywhere in the file system:

  1. mkdir /etc/ambari-server/keys

    The keys directory does not exist yet and must be created.

  2. $JAVA_HOME/bin/keytool -import -trustcacerts -alias root -file $PATH_TO_YOUR_LDAPS_CERT -keystore /etc/ambari-server/keys/ldaps-keystore.jks

  3. Set a password when prompted. You will use this during ambari-server setup-ldap.

Run the LDAP setup command on the Ambari server and answer the prompts, using the information you collected above:

ambari-server setup-ldap

  1. At the Primary URL* prompt, enter the server URL and port you collected above. Prompts marked with an asterisk are required values.

  2. At the Secondary URL* prompt, enter the secondary server URL and port. This value is optional.

  3. At the Use SSL* prompt, enter your selection. If using LDAPS, enter true.

  4. At the User object class* prompt, enter the object class that is used for users.

  5. At the User name attribute* prompt, enter your selection. The default value is uid.

  6. At the Group object class* prompt, enter the object class that is used for groups.

  7. At the Group name attribute* prompt, enter the attribute for group name.

  8. At the Group member attribute* prompt, enter the attribute for group membership.

  9. At the Distinguished name attribute* prompt, enter the attribute that is used for the distinguished name.

  10. At the Base DN* prompt, enter your selection.

  11. At the Referral method* prompt, enter whether LDAP referrals should be followed or ignored.

  12. At the Bind anonymously* prompt, enter your selection.

  13. At the Manager DN* prompt, enter your selection if you set Bind anonymously to false in step 12.

  14. At the Enter the Manager Password* prompt, enter the password for your LDAP manager DN.

  15. If you set Use SSL* = true in step 3, the following prompt appears: Do you want to provide custom TrustStore for Ambari?

    Consider the following options and respond as appropriate.

    • More secure option: If using a self-signed certificate that you do not want imported into the existing JDK keystore, enter y.

      Choose this option when you want the certificate to be trusted only by Ambari, and not by any other application run by the JDK on the same host.

      If you choose this option, additional prompts appear. Respond to the additional prompts as follows:

      • At the TrustStore type prompt, enter jks.

      • At the Path to TrustStore file prompt, enter /keys/ldaps-keystore.jks (or the actual path to your keystore file).

      • At the Password for TrustStore prompt, enter the password that you defined for the keystore.

    • Less secure option: If using a self-signed certificate that you want to import and store in the existing, default JDK keystore, enter n.

      • Convert the SSL certificate to X.509 format, if necessary, by executing the following command:

        openssl x509 -in slapd.pem -out <slapd.crt>

        Where <slapd.crt> is the path to the X.509 certificate.

      • Import the SSL certificate into the existing keystore, for example the default JRE certificate store, using the following command:

        /usr/jdk64/jdk1.7.0_45/bin/keytool -import -trustcacerts -file slapd.crt -keystore /usr/jdk64/jdk1.7.0_45/jre/lib/security/cacerts

        This example assumes Ambari is set up to use JDK 1.7, so the certificate must be imported into the JDK 7 keystore.

  16. Review your settings and if they are correct, select y.

  17. Start or restart the Ambari Server:

    ambari-server restart

    The users you have just imported are initially granted the Ambari User privilege. Ambari Users can read metrics, view service status and configuration, and browse job information. For these new users to be able to start or stop services, modify configurations, and run smoke tests, they need to be Admins. To make this change, as an Ambari Admin, use Manage Ambari > Users > Edit. For instructions, see Managing Users and Groups.
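The trust decision from the Note above (import only when the LDAPS certificate is self-signed or issued by a CA the JDK does not trust) and the dedicated truststore of step 15's more secure option, as an added shell example that is not part of the Hortonworks guide. It assumes openssl on PATH (keytool only for build_ambari_truststore); the function names and the sample certificates it generates are constructed for illustration, and the PEM bundle passed to cert_needs_import stands in for the CAs your JDK trusts.

```shell
#!/bin/sh
# Added example, not from the Hortonworks guide. Decides whether the LDAPS
# server certificate has to be imported into a dedicated Ambari truststore
# and builds that truststore with keytool, mirroring the guide's steps 1-3.

# Print "self-signed" when subject and issuer match, otherwise "ca-signed".
cert_signer_kind() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
    echo self-signed
  else
    echo ca-signed
  fi
}

# Exit 0 (import needed) unless the cert in $1 chains to a CA in the PEM
# bundle $2 (export the JDK's cacerts to PEM to get the JDK's own view).
cert_needs_import() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    return 1   # already trusted: the guide's "does not apply to you" case
  fi
  return 0
}

# The guide's "more secure option": a truststore used only by Ambari.
# $1 certificate file, $2 keystore path, $3 keystore password.
build_ambari_truststore() {
  mkdir -p "$(dirname "$2")"
  "${JAVA_HOME:-/usr}/bin/keytool" -import -noprompt -trustcacerts -alias root \
    -file "$1" -keystore "$2" -storepass "$3"
}

# Constructed test data only: a self-signed cert (self.pem) and a cert issued
# by an internal CA (leaf.pem, ca.pem) in a temp dir whose path is printed.
make_sample_certs() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ldap.example.internal" \
    -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Internal CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.example.internal" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
  echo "$d"
}
```

On the Ambari server, call build_ambari_truststore with the LDAPS certificate, /etc/ambari-server/keys/ldaps-keystore.jks and the keystore password you will give to ambari-server setup-ldap in step 15.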