使用 OpenLDAP 作为 Kerberos 的后端

使用 OpenLDAP 作为 Kerberos 的后端

我们希望将现有的安全设置(Apache Knox、OpenLDAP、Apache Ranger)与 Kerberos 整合。因此,我通过一些博客了解到,可以使用 OpenLDAP 作为 Kerberos 数据库的后端。

但在以下几点上面临一些问题和困惑:

  1. 在将 LDAP 与 Kerberos 集成时,我无法使用 ou 创建容器。它似乎只能与 cn 一起使用。

  2. 更改为 cn 后,我可以看到 Kerberos 正在与 OpenLDAP 通信并创建了容器和主体,但是通过 Apache Ambari 操作时,我收到了附加的错误。KDC 和 Sandbox 位于不同的服务器上。

KDC 服务器的主机名是 kdcserver。注意:我可以通过 telnet 访问 KDC 服务器的 749 端口。

附上错误消息、krb5.conf 和 LDAP ldif 文件:

(附图:错误消息截图)

krb5.conf

# krb5.conf for realm ABC.COM; the KDC database lives in OpenLDAP via the kldap
# module configured in [dbmodules] below.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = ABC.COM
# DNS discovery is off: realm and KDC come only from the [realms] section below.
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
# NOTE(review): allow_weak_crypto = true is what makes the single-DES enctypes
# below usable; DES is deprecated for Kerberos (RFC 6649). Both lists name only
# DES/3DES, so clients using this file never request an AES enctype.
allow_weak_crypto = true
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
[realms]
 ABC.COM = {
  # Bare hostname, resolved without DNS SRV lookups (see dns_lookup_kdc above).
  # Port 749 (kadmin) is the one the poster reports reaching with telnet.
  kdc = kdcserver
  admin_server = kdcserver
  # NOTE(review): default_domain holds a hostname rather than a DNS domain; it only
  # affects legacy (v4-style) name mapping, but this looks like a slip — confirm.
  default_domain= kdcserver
  # Selects the [dbmodules] entry below as this realm's database backend.
  database_module = openldap_ldapconf
 }
[appdefaults]
# Settings read by pam_krb5; lifetimes here are presumably in seconds
# (36000 = 10 h), unlike the h/d suffixes used in [libdefaults].
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[dbmodules]
openldap_ldapconf = {
db_library = kldap
# Must match the krbContainer entry in the LDIF (cn=kerberos,dc=abc,dc=com).
# krbContainer is named by cn, which is presumably why an ou= container failed.
ldap_kerberos_container_dn = cn=kerberos,dc=abc,dc=com
# NOTE(review): both the KDC and kadmind bind as the directory manager (rootdn),
# i.e. with unrestricted write access to the entire directory. The usual practice
# is two dedicated, least-privilege DNs whose ACLs cover only the kerberos container.
ldap_kdc_dn = "cn=manager,dc=abc,dc=com"
ldap_kadmind_dn = "cn=manager,dc=abc,dc=com"
# Stash of the bind passwords for the two DNs above — keep it readable by root only.
ldap_service_password_file = /etc/krb5.d/stash.keyfile
# NOTE(review): plain ldap:// (no TLS). The manager bind and the principal key blobs
# cross this connection in the clear; prefer ldapi:// (local socket, KDC and slapd
# are on the same host here) or ldaps://.
ldap_servers = ldap://kdcserver
ldap_conns_per_server = 5
}

LDAP LDIF

# Directory suffix. `dc: ABC` differs in case from the DN's dc=abc; dc uses
# case-insensitive matching, so this is harmless.
dn: dc=abc,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: abchadoop
dc: ABC

# Containers for the Hadoop groups and service accounts defined further down.
dn: ou=groups,dc=abc,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups
description: LDAP Group

dn: ou=services,dc=abc,dc=com
objectClass: top
objectClass: organizationalUnit
ou: services

# One simpleSecurityObject per Hadoop service (hcat, hdfs, yarn, mapred, hbase,
# zookeeper, oozie, hive), used as LDAP bind accounts.
# NOTE(review): userPassword is supplied in clear text. slapd stores the value as
# given unless a hash-on-write policy is configured, so either load a pre-hashed
# value (e.g. {SSHA}) or enforce hashing server-side. The values here read as
# placeholders; if they are the real ones, this file itself is a credential leak.
dn: cn=hcat,ou=services,dc=abc,dc=com
objectClass: top
objectClass: applicationProcess
objectClass: simpleSecurityObject
cn: hcat
userPassword: hcat-password

dn: cn=hdfs,ou=services,dc=abc,dc=com
objectClass: top
objectClass: applicationProcess
objectClass: simpleSecurityObject
cn: hdfs
userPassword: hdfs-password

dn: cn=yarn,ou=services,dc=abc,dc=com
objectClass: top
objectClass: applicationProcess
objectClass: simpleSecurityObject
cn: yarn
userPassword: yarn-password

dn: cn=mapred,ou=services,dc=abc,dc=com
objectClass: top
objectClass: applicationProcess
objectClass: simpleSecurityObject
cn: mapred
userPassword: mapred-password

dn: cn=hbase,ou=services,dc=abc,dc=com
objectClass: top
objectClass: applicationProcess
objectClass: simpleSecurityObject
cn: hbase
userPassword: hbase-password

dn: cn=zookeeper,ou=services,dc=abc,dc=com
objectClass: top
objectClass: applicationProcess
objectClass: simpleSecurityObject
cn: zookeeper
userPassword: zookeeper-password

dn: cn=oozie,ou=services,dc=abc,dc=com
objectClass: top
objectClass: applicationProcess
objectClass: simpleSecurityObject
cn: oozie
userPassword: oozie-password

dn: cn=hive,ou=services,dc=abc,dc=com
objectClass: top
objectClass: applicationProcess
objectClass: simpleSecurityObject
cn: hive
userPassword: hive-password

# One groupOfNames per service, each containing exactly its own service account,
# plus an aggregate `hadoop` group listing all eight. groupOfNames requires at
# least one member, which is why every group carries a member attribute.
dn: cn=hcat,ou=groups,dc=abc,dc=com
objectClass: top
objectClass: groupOfNames
cn: hcat
member: cn=hcat,ou=services,dc=abc,dc=com

dn: cn=hdfs,ou=groups,dc=abc,dc=com
objectClass: top
objectClass: groupOfNames
cn: hdfs
member: cn=hdfs,ou=services,dc=abc,dc=com

dn: cn=yarn,ou=groups,dc=abc,dc=com
objectClass: top
objectClass: groupOfNames
cn: yarn
member: cn=yarn,ou=services,dc=abc,dc=com

dn: cn=mapred,ou=groups,dc=abc,dc=com
objectClass: top
objectClass: groupOfNames
cn: mapred
member: cn=mapred,ou=services,dc=abc,dc=com

dn: cn=hbase,ou=groups,dc=abc,dc=com
objectClass: top
objectClass: groupOfNames
cn: hbase
member: cn=hbase,ou=services,dc=abc,dc=com

dn: cn=zookeeper,ou=groups,dc=abc,dc=com
objectClass: top
objectClass: groupOfNames
cn: zookeeper
member: cn=zookeeper,ou=services,dc=abc,dc=com

dn: cn=oozie,ou=groups,dc=abc,dc=com
objectClass: top
objectClass: groupOfNames
cn: oozie
member: cn=oozie,ou=services,dc=abc,dc=com

dn: cn=hive,ou=groups,dc=abc,dc=com
objectClass: top
objectClass: groupOfNames
cn: hive
member: cn=hive,ou=services,dc=abc,dc=com

# Umbrella group over every service account above.
dn: cn=hadoop,ou=groups,dc=abc,dc=com
objectClass: top
objectClass: groupOfNames
cn: hadoop
member: cn=hcat,ou=services,dc=abc,dc=com
member: cn=hdfs,ou=services,dc=abc,dc=com
member: cn=yarn,ou=services,dc=abc,dc=com
member: cn=mapred,ou=services,dc=abc,dc=com
member: cn=hbase,ou=services,dc=abc,dc=com
member: cn=zookeeper,ou=services,dc=abc,dc=com
member: cn=oozie,ou=services,dc=abc,dc=com
member: cn=hive,ou=services,dc=abc,dc=com

dn: ou=temp,dc=abc,dc=com
objectClass: top
objectClass: organizationalUnit
ou: temp

# Root of the Kerberos database; this DN is what krb5.conf's
# ldap_kerberos_container_dn points at. krbContainer is named by cn, which is
# presumably why an ou=-named container could not be created.
dn: cn=kerberos,dc=abc,dc=com
objectClass: krbContainer
cn: kerberos

# Realm container for ABC.COM. krbSubTrees widens the KDC's principal search to
# the whole dc=abc,dc=com suffix, not just the entries under this container.
dn: cn=ABC.COM,cn=kerberos,dc=abc,dc=com
cn: ABC.COM
objectClass: top
objectClass: krbRealmContainer
objectClass: krbTicketPolicyAux
krbSubTrees: dc=abc,dc=com

# Master-key principal (K/...). The `[email protected]` text in the DN and
# krbPrincipalName is an e-mail-obfuscation artefact of the page extraction; only
# the service part of the name (K/) is recoverable from this listing.
# NOTE(review): krbPrincipalKey holds the principal's key material (encrypted
# under the KDC master key). A dump containing these attributes is as sensitive
# as the database itself and should not be shared; if it has been, re-key.
# NOTE(review): the krbExtraData blobs are base64 and appear to still encode the
# original creator/realm name rather than ABC.COM — the redaction is incomplete.
dn: krbPrincipalName=K/[email protected],cn=ABC.COM,cn=kerberos,dc=abc,dc=com
krbLoginFailedCount: 0
krbMaxTicketLife: 86400
krbMaxRenewableAge: 0
# 64 is consistent with MIT's DISALLOW_ALL_TIX flag, the default for K/M — confirm.
krbTicketFlags: 64
krbPrincipalName: K/[email protected]
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MG6gAwIBAaEDAgEBogMCAQGjAwIBAKRYMFYwVKAHMAWgAwIBAKFJMEegAwIBEq
 FABD4gACudDckNzjqfNLNduN5RERcEp/phS6+G/h0Wdup2/y+Y9bNOP0PMQdE3Fu6UJRKixPiMUPH59
 mprnoPpkQ==
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAkBAAEALWmiWg==
krbExtraData:: AAItaaJaZGJfY3JlYXRpb25AU1RDSERQLkNPTQA=
krbExtraData:: AAcBAAIAAhMIAQAAAAA=
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux

# Ticket-granting service principal (krbtgt/...); instance and realm are lost to
# the `[email protected]` extraction artefact. The key blob is larger than K/M's,
# consistent with several enctypes being stored for it.
# NOTE(review): krbPrincipalKey is secret material — see the note on K/M above.
dn: krbPrincipalName=krbtgt/[email protected],cn=ABC.COM,cn=kerberos,dc=abc,dc=com
krbLoginFailedCount: 0
krbMaxTicketLife: 86400
krbMaxRenewableAge: 0
krbTicketFlags: 0
krbPrincipalName: krbtgt/[email protected]
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MIIBTKADAgEBoQMCAQGiAwIBAaMDAgEApIIBNDCCATAwVKAHMAWgAwIBAKFJME
 egAwIBEqFABD4gAHaAH+zsuGSt6J3isOKXez4Nu2LRShW6wreSizhdEyqxBO+3aJDXgLWi4WvWzc86F
 7wKyab1qt4ZwiQ16jBEoAcwBaADAgEAoTkwN6ADAgERoTAELhAAwYBS8GIaaJH4PQYo8FFMsA/GSNmv
 cjweFhdJq6NYs0mmJDJHiBIeKifNPP0wTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAIfx7NqeVW0Qdj3
 VY3r7A/EWzE39RTeU4YfVvOiLLF7llwnmhVBOwxS6//+8VhfbLthC/CMwRKAHMAWgAwIBAKE5MDegAw
 IBF6EwBC4QAD/64qF/jbLScov2PillRnkUwTZZC9cWqs8g2YQMNlldaGMAo5pJyGTjxAWB
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAItaaJaZGJfY3JlYXRpb25AU1RDSERQLkNPTQA=
krbExtraData:: AAcBAAIAAhMIAQAAAAA=
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux

# Four kadmin/* service principals created with the database. Their instances are
# hidden by the `[email protected]` extraction artefact; the lifetime/flag pairs
# below are consistent with MIT's defaults for kadmin/admin (10800 s, flag 4 =
# DISALLOW_TGT_BASED), kadmin/changepw (300 s, 8196 = PW_CHANGE_SERVICE +
# DISALLOW_TGT_BASED), kadmin/history (no flags) and kadmin/<host> — confirm.
# NOTE(review): every krbPrincipalKey below is secret material; see the K/M note.
dn: krbPrincipalName=kadmin/[email protected],cn=ABC.COM,cn=kerberos,dc=abc,dc=com
krbLoginFailedCount: 0
krbMaxTicketLife: 10800
krbMaxRenewableAge: 0
krbTicketFlags: 4
krbPrincipalName: kadmin/[email protected]
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MIIBTKADAgEBoQMCAQGiAwIBAaMDAgEApIIBNDCCATAwVKAHMAWgAwIBAKFJME
 egAwIBEqFABD4gAC2wcqF48ii/FgncQ0tCL1RoeKaJvzKduUG53bVCAVnQZgaKmD/7yU90fWLqXvw04
 0eaoGoOd3h7OUNVkjBEoAcwBaADAgEAoTkwN6ADAgERoTAELhAAaGRk0ddcEM5kHP48daKTkwOMSpA9
 OcEA5eIC8MkrTWvBCdfv051k1VlZmzcwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAHfX7kKE1WMVjT6
 XO2fiGH2gKmHP2HIPohKSksmS/hkBlLT137bt4CEbkBftJO5UDBTts0IwRKAHMAWgAwIBAKE5MDegAw
 IBF6EwBC4QAPLSVWzkyPn9jsqVmqVjtNWE78Q7VlYKfzMmOLfbi75QwfUn4LdUiM5bt0dF
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAItaaJaZGJfY3JlYXRpb25AU1RDSERQLkNPTQA=
krbExtraData:: AAcBAAIAAnQuQ09NAAA=
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux

# Short-lived (300 s) principal flagged 8196 — the password-change service.
dn: krbPrincipalName=kadmin/[email protected],cn=ABC.COM,cn=kerberos,dc=abc,dc=com
krbLoginFailedCount: 0
krbMaxTicketLife: 300
krbMaxRenewableAge: 0
krbTicketFlags: 8196
krbPrincipalName: kadmin/[email protected]
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MIIBTKADAgEBoQMCAQGiAwIBAaMDAgEApIIBNDCCATAwVKAHMAWgAwIBAKFJME
 egAwIBEqFABD4gAFX+BT8lg5ixjLNaj+a7CMoZ+XXNmiyo7Ts4ULJudMIorvAYqb6Dv6jmY3fH1vXpM
 2sfzClzYPrHB7KTHjBEoAcwBaADAgEAoTkwN6ADAgERoTAELhAA5mBHHHWdu2/OcdDqLMs68DohSYjs
 c6TyhN1YElOtMm6gJVhc5uwo2G5XK2UwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAGyzwsAHmYL93eN
 8sPzWEvBXuFMrRuYg4DhFBthYCWPOdb6VRx9ZCbXdSp4RHZY/M1PtN2wwRKAHMAWgAwIBAKE5MDegAw
 IBF6EwBC4QAFdl8GPHWYz1wd1aqwH5PwdoQLxUOnyVTalDphHZsNnS7EOcTttENZGl32ks
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAItaaJaZGJfY3JlYXRpb25AU1RDSERQLkNPTQA=
krbExtraData:: AAcBAAIAAnQuQ09NAAA=
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux

# Single-enctype key blob (same length as K/M's) and no flags — likely kadmin/history.
dn: krbPrincipalName=kadmin/[email protected],cn=ABC.COM,cn=kerberos,dc=abc,dc=com
krbLoginFailedCount: 0
krbMaxTicketLife: 86400
krbMaxRenewableAge: 0
krbTicketFlags: 0
krbPrincipalName: kadmin/[email protected]
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MG6gAwIBAaEDAgEBogMCAQGjAwIBAKRYMFYwVKAHMAWgAwIBAKFJMEegAwIBEq
 FABD4gAFY4hn8yhgHzwKY5TbObosMf9OWNXbo27WuB6fuFqbZsNZHTyaipRxXJhHv48pSRnf8BVlcdv
 8K+DTKBVQ==
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAItaaJaZGJfY3JlYXRpb25AU1RDSERQLkNPTQA=
krbExtraData:: AAcBAAIAAnQuQ09NAAA=
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux

# Same lifetime/flags as the first kadmin entry; its last krbExtraData value
# differs, so this is presumably the host-specific kadmin/<kdc host> principal.
dn: krbPrincipalName=kadmin/[email protected],cn=ABC.COM,cn=kerberos,dc=abc,dc=com
krbLoginFailedCount: 0
krbMaxTicketLife: 10800
krbMaxRenewableAge: 0
krbTicketFlags: 4
krbPrincipalName: kadmin/[email protected]
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MIIBTKADAgEBoQMCAQGiAwIBAaMDAgEApIIBNDCCATAwVKAHMAWgAwIBAKFJME
 egAwIBEqFABD4gADyFdZ7JiK9Pba54oF0hbjGPYSBq6H+qnM+U8o1oZ33mZ1BAACqEQHOrAt8qDXZYY
 UWEfb5y8V6utGc3ejBEoAcwBaADAgEAoTkwN6ADAgERoTAELhAAJT06wv7xrB6z+3+o/wfaILDr2x4U
 piJbyfkNWEe1oNJZLjvE9UMIxnfn+wYwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYADAgGFWbWOaeRFS
 zKcjTDJMJX4QXV1rCrZEYuE0hcaDTQjCoMXleLiD4uB0LtIqqyarCmOwwRKAHMAWgAwIBAKE5MDegAw
 IBF6EwBC4QADjw1CyXbfBBAxJqTkQrLDRwTtzDcJ8IqPVDmTGL1nzMOkNrWz7qlCJnCDkx
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAItaaJaZGJfY3JlYXRpb25AU1RDSERQLkNPTQA=
krbExtraData:: AAcBAAIAAhMIAWlwYWw=
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux

# Administrative principal (admin/...) added manually on 2018-03-09, unlike the
# epoch-dated entries above. Its key blob is the shortest in the dump, i.e. a
# single enctype — plausibly one of the DES/3DES types forced by krb5.conf.
# NOTE(review): krbLoginFailedCount 3 with krbLastFailedAuth about two minutes
# after krbLastPwdChange records three failed authentications right after the
# password was set — consistent with the kadmin error seen from Ambari; the
# reason should be in /var/log/kadmind.log and /var/log/krb5kdc.log.
# NOTE(review): the krbExtraData blob again appears to carry the un-redacted
# creator principal and realm; the ABC.COM substitution did not reach it.
dn: krbPrincipalName=admin/[email protected],cn=ABC.COM,cn=kerberos,dc=abc,dc=com
krbPrincipalName: admin/[email protected]
krbPrincipalKey:: MFagAwIBAaEDAgEBogMCAQGjAwIBAaRAMD4wPKAHMAWgAwIBAKExMC+gAwIBAa
 EoBCYIAM4316dUizxrzzChKklYEj+jWWooaIE1pDuORugR4rbQH5DV+w==
krbLastPwdChange: 20180309155715Z
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
krbLoginFailedCount: 3
krbLastFailedAuth: 20180309155925Z
krbExtraData:: AALbrqJacm9vdC9hZG1pbkBTVENIRFAuQ09NAA==
krbExtraData:: AAgBAA==

# Container for human users; covered by the realm's krbSubTrees, so entries here
# could additionally carry krbPrincipalAux to become Kerberos principals.
dn: ou=people,dc=abc,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

# NOTE(review): a real user account with a clear-text userPassword in the LDIF.
# Load a pre-hashed value or enforce hashing in slapd, and treat this file as a
# secret while it contains credentials.
dn: cn=ud_anwaar,ou=people,dc=abc,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: ud_anwaar
sn: ud_anwaar
uid: ud_anwaar
userPassword: abcd1234
