Hadoop >> mail # user >> Could we use the same identity store for user groups mapping in MIT Kerberos + OpenLDAP setup


Re: Could we use the same identity store for user groups mapping in MIT Kerberos + OpenLDAP setup
You can try whosso, which is simpler than Kerberos.

--Sent from my Sony mobile.
On Jun 29, 2013 7:29 AM, "Zheng, Kai" <[EMAIL PROTECTED]> wrote:

> Hi all,
>
> I have a setup using MIT Kerberos with OpenLDAP as the user database. It’s
> desired to use the same user database that holds all the kinit principal
> accounts for the identity store to be used for groups mapping provider via
> LdapGroupsMappingProvider. However, I found there are 3 issues:
>
> 1. For the Kerberos principal object, there’s no appropriate
> attribute to determine the short name. As you know, Hadoop uses the short name
> in ACL rules.
>
> 2. We know how to add a principal for a user account, but how to
> add a group so that it allows doing ACL via group?
>
> 3. Related to 2, no attribute for the Kerberos principal object is
> found that can be used to determine the user’s groups.
>
> I’m wondering if there’s something wrong in my setup. Could any extra LDAP
> schema be applied to allow all of these?
>
> I think this case might not be supported, but it makes sense in such a setup
> to ease the deployment. Of course AD can be used for such consideration,
> but we might face existing deployments that use MIT Kerberos and OpenLDAP.
>
> Thanks for your help.
>
> Regarding,
>
> Kai