Could we use the same identity store for user groups mapping in MIT Kerberos + OpenLDAP setup
Zheng, Kai 2013-06-28, 23:29
I have a setup using MIT Kerberos with OpenLDAP as the user database. It's desired to use the same user database that holds all the kinit principal accounts as the identity store for the groups mapping provider via LdapGroupsMappingProvider. However, I found there are 3 issues:
1. For the Kerberos principal object, there is no appropriate attribute to determine the short name. As you know, Hadoop uses the short name in ACL rules.
2. We know how to add a principal for a user account, but how do we add a group so that it allows doing ACLs via group?
3. Related to 2, no attribute of the Kerberos principal object is found that can be used to determine the user's groups.
I'm wondering if there's something wrong in my setup. Could any extra LDAP schema be applied to allow all of these?
I think this case might not be supported, but it makes sense in such a setup to ease the deployment. Of course AD can be used for such consideration, but we might face existing deployments that use MIT Kerberos and OpenLDAP.
Thanks for your help.
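As an added illustration of the setup the question describes (not part of the original post or of the Hadoop project's own documentation), the core-site.xml fragment below points Hadoop's LdapGroupsMapping at the OpenLDAP tree that also backs the MIT Kerberos KDC. It assumes each user entry is an inetOrgPerson (so its uid holds the Hadoop short name) with the krbPrincipalAux auxiliary class from the MIT Kerberos LDAP schema attached, and that groups are groupOfNames entries whose member values are user DNs; the base DN, bind account and hostname are constructed placeholders.

```xml
<!-- Added example: LdapGroupsMapping over the KDC's OpenLDAP tree.
     Assumed layout (placeholders, not from the original post):
       ou=people,dc=example,dc=com  user entries: inetOrgPerson + krbPrincipalAux
       ou=groups,dc=example,dc=com  groupOfNames entries, member = user DN -->
<property>
  <name>hadoop.security.group.mapping</name>
  <value>org.apache.hadoop.security.LdapGroupsMapping</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.url</name>
  <!-- Use ldaps:// (or StartTLS) so the bind password and group data are not sent in clear. -->
  <value>ldaps://ldap.example.com:636</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.bind.user</name>
  <!-- A read-only service account; it only needs to search users and groups. -->
  <value>cn=hadoop-ro,ou=services,dc=example,dc=com</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.bind.password.file</name>
  <value>/etc/hadoop/conf/ldap-bind.password</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.base</name>
  <value>dc=example,dc=com</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
  <!-- {0} is the Hadoop short name (already derived by auth_to_local from the
       Kerberos principal), so the entry's uid must equal that short name.
       Restricting to krbPrincipalAux keeps non-Kerberos entries out of scope. -->
  <value>(&amp;(objectClass=krbPrincipalAux)(uid={0}))</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
  <value>(objectClass=groupOfNames)</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.search.attr.member</name>
  <!-- Hadoop matches this attribute against the user's DN found above. -->
  <value>member</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
  <!-- The cn of each matching group becomes the group name used in ACL rules. -->
  <value>cn</value>
</property>
```

The short name itself is not read from LDAP: Hadoop obtains it from the Kerberos principal via hadoop.security.auth_to_local, and the LDAP lookup only has to find the entry whose uid carries that same value. A quick check is `hdfs groups <shortname>` against the configured cluster, which should list the cn of every groupOfNames that names the user's DN in member.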