
우리는 기존 보안 구성(Apache Knox, OpenLDAP, Apache Ranger)을 Kerberos와 통합하고 싶습니다. 몇몇 블로그를 통해 OpenLDAP를 Kerberos 데이터베이스의 백엔드로 사용할 수 있다는 것을 알게 되었습니다.
그러나 아래 사항에서 몇 가지 문제와 혼란을 겪고 있습니다.
Kerberos와 LDAP를 통합하는 동안 `ou`를 `cn`으로 변경한 후, Kerberos가 OpenLDAP와 통신하여 컨테이너와 주체(principal)를 생성한 것은 확인되지만, Apache Ambari를 통해 연결하면 첨부된 오류가 발생합니다. KDC와 Sandbox는 서로 다른 서버에 있습니다.
KDC 서버의 호스트 이름은 `kdcserver`입니다. 참고: telnet으로 KDC 서버의 749 포트에 연결할 수 있습니다.
오류 메시지, krb5.conf 및 LDAP LDIF 파일을 첨부합니다:
KRB5 conf
# krb5.conf as posted. Lines marked NOTE(review) are reviewer comments and can
# be dropped when the file is installed.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = ABC.COM
# DNS discovery is off, so every host relies on the static [realms] entry below.
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
# NOTE(review): allow_weak_crypto = true together with the single-DES types
# below (des-cbc-md5, des-cbc-crc) re-enables an enctype that MIT Kerberos
# disables by default because it is practically breakable. Unless a legacy
# client cannot do otherwise, remove these three lines so the AES defaults
# apply; existing principals then need new keys (kadmin cpw).
allow_weak_crypto = true
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
[realms]
ABC.COM = {
kdc = kdcserver
admin_server = kdcserver
# NOTE(review): default_domain takes a DNS domain (e.g. abc.com), not a host
# name; "kdcserver" here looks like a copy/paste slip.
default_domain= kdcserver
# database_module selects the [dbmodules] stanza below; only the KDC/kadmind
# host needs it, client hosts (e.g. the Ambari node) can omit it.
database_module = openldap_ldapconf
}
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kerberos_container_dn = cn=kerberos,dc=abc,dc=com
# NOTE(review): KDC and kadmind both bind as the directory manager (rootDN).
# kldap supports distinct DNs: give the KDC a read-only identity and kadmind a
# write identity, each limited by slapd ACLs to the Kerberos container, so a
# KDC compromise does not also hand out rootDN rights over the whole directory.
ldap_kdc_dn = "cn=manager,dc=abc,dc=com"
ldap_kadmind_dn = "cn=manager,dc=abc,dc=com"
# Stash file holding the bind passwords for the DNs above (written with
# kdb5_ldap_util stashsrvpw); keep it readable by root only.
ldap_service_password_file = /etc/krb5.d/stash.keyfile
# NOTE(review): a plain ldap:// URL carries the bind password and the
# krbPrincipalKey records in cleartext. The MIT documentation recommends
# ldapi:// or ldaps:// for this setting; slapd appears to run on the KDC host
# itself, so ldapi:/// would be the simplest fix.
ldap_servers = ldap://kdcserver
ldap_conns_per_server = 5
}
LDAP LDIF 파일
# Base entry of the directory. Attribute matching is case-insensitive, so
# "dc: ABC" matches "dc=abc" in the DN.
# NOTE: LDIF requires an empty line between records; the separators are missing
# in this paste and must be restored before the file is given to ldapadd.
dn: dc=abc,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: abchadoop
dc: ABC
dn: ou=groups,dc=abc,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups
description: LDAP Group
dn: ou=services,dc=abc,dc=com
objectClass: top
objectClass: organizationalUnit
ou: services
# Service accounts for the Hadoop components.
# NOTE(review): every userPassword below is a literal cleartext value of the
# form "<service>-password". ldapadd stores userPassword exactly as given, so
# these end up unhashed in the directory unless slapd is configured to hash
# cleartext passwords; import {SSHA} hashes (slappasswd) or set the passwords
# after the import, and change them now that this dump has been shared.
dn: cn=hcat,ou=services,dc=abc,dc=com
objectClass: top
objectClass: applicationProcess
objectClass: simpleSecurityObject
cn: hcat
userPassword: hcat-password
dn: cn=hdfs,ou=services,dc=abc,dc=com
objectClass: top
objectClass: applicationProcess
objectClass: simpleSecurityObject
cn: hdfs
userPassword: hdfs-password
dn: cn=yarn,ou=services,dc=abc,dc=com
objectClass: top
objectClass: applicationProcess
objectClass: simpleSecurityObject
cn: yarn
userPassword: yarn-password
dn: cn=mapred,ou=services,dc=abc,dc=com
objectClass: top
objectClass: applicationProcess
objectClass: simpleSecurityObject
cn: mapred
userPassword: mapred-password
dn: cn=hbase,ou=services,dc=abc,dc=com
objectClass: top
objectClass: applicationProcess
objectClass: simpleSecurityObject
cn: hbase
userPassword: hbase-password
dn: cn=zookeeper,ou=services,dc=abc,dc=com
objectClass: top
objectClass: applicationProcess
objectClass: simpleSecurityObject
cn: zookeeper
userPassword: zookeeper-password
dn: cn=oozie,ou=services,dc=abc,dc=com
objectClass: top
objectClass: applicationProcess
objectClass: simpleSecurityObject
cn: oozie
userPassword: oozie-password
dn: cn=hive,ou=services,dc=abc,dc=com
objectClass: top
objectClass: applicationProcess
objectClass: simpleSecurityObject
cn: hive
userPassword: hive-password
# One groupOfNames per service, each with the matching service entry as its
# single member, followed by an umbrella "hadoop" group holding all of them
# (presumably what Ranger/Knox group lookups consume — verify against their
# search filters).
dn: cn=hcat,ou=groups,dc=abc,dc=com
objectClass: top
objectClass: groupOfNames
cn: hcat
member: cn=hcat,ou=services,dc=abc,dc=com
dn: cn=hdfs,ou=groups,dc=abc,dc=com
objectClass: top
objectClass: groupOfNames
cn: hdfs
member: cn=hdfs,ou=services,dc=abc,dc=com
dn: cn=yarn,ou=groups,dc=abc,dc=com
objectClass: top
objectClass: groupOfNames
cn: yarn
member: cn=yarn,ou=services,dc=abc,dc=com
dn: cn=mapred,ou=groups,dc=abc,dc=com
objectClass: top
objectClass: groupOfNames
cn: mapred
member: cn=mapred,ou=services,dc=abc,dc=com
dn: cn=hbase,ou=groups,dc=abc,dc=com
objectClass: top
objectClass: groupOfNames
cn: hbase
member: cn=hbase,ou=services,dc=abc,dc=com
dn: cn=zookeeper,ou=groups,dc=abc,dc=com
objectClass: top
objectClass: groupOfNames
cn: zookeeper
member: cn=zookeeper,ou=services,dc=abc,dc=com
dn: cn=oozie,ou=groups,dc=abc,dc=com
objectClass: top
objectClass: groupOfNames
cn: oozie
member: cn=oozie,ou=services,dc=abc,dc=com
dn: cn=hive,ou=groups,dc=abc,dc=com
objectClass: top
objectClass: groupOfNames
cn: hive
member: cn=hive,ou=services,dc=abc,dc=com
dn: cn=hadoop,ou=groups,dc=abc,dc=com
objectClass: top
objectClass: groupOfNames
cn: hadoop
member: cn=hcat,ou=services,dc=abc,dc=com
member: cn=hdfs,ou=services,dc=abc,dc=com
member: cn=yarn,ou=services,dc=abc,dc=com
member: cn=mapred,ou=services,dc=abc,dc=com
member: cn=hbase,ou=services,dc=abc,dc=com
member: cn=zookeeper,ou=services,dc=abc,dc=com
member: cn=oozie,ou=services,dc=abc,dc=com
member: cn=hive,ou=services,dc=abc,dc=com
dn: ou=temp,dc=abc,dc=com
objectClass: top
objectClass: organizationalUnit
ou: temp
# Kerberos container; this is the DN given as ldap_kerberos_container_dn in
# krb5.conf.
dn: cn=kerberos,dc=abc,dc=com
objectClass: krbContainer
cn: kerberos
# Realm container. krbSubTrees tells the KDC under which subtree(s) to look
# for principal entries attached to ordinary directory objects.
dn: cn=ABC.COM,cn=kerberos,dc=abc,dc=com
cn: ABC.COM
objectClass: top
objectClass: krbRealmContainer
objectClass: krbTicketPolicyAux
krbSubTrees: dc=abc,dc=com
# Principals created by kdb5_ldap_util / kadmin. krbPrincipalExpiration of
# 19700101000000Z (epoch 0) means "no expiration".
# NOTE(review): K/M is the master-key principal and krbtgt/<realm> is the
# ticket-granting key. Their krbPrincipalKey blobs are encrypted under the
# master key, but they are still the realm's core secrets: redact them before
# posting a dump, and given the single-DES enctypes enabled in krb5.conf the
# safe assumption after this exposure is that the master key and krbtgt key
# need to be regenerated.
# NOTE(review): the krbExtraData values appear to be kadmin tl-data (e.g. the
# last-modifier principal) and carry the principal and realm name as plain
# text inside the base64, so a find-and-replace of the realm name in a shared
# dump does not sanitize them.
# NOTE: the "[email protected]" text in several krbPrincipalName values is an
# artifact of the page's e-mail obfuscation, presumably standing for the usual
# name/host@REALM form; it is not the stored value.
dn: krbPrincipalName=K/[email protected],cn=ABC.COM,cn=kerberos,dc=abc,dc=com
krbLoginFailedCount: 0
krbMaxTicketLife: 86400
krbMaxRenewableAge: 0
krbTicketFlags: 64
krbPrincipalName: K/[email protected]
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MG6gAwIBAaEDAgEBogMCAQGjAwIBAKRYMFYwVKAHMAWgAwIBAKFJMEegAwIBEq
FABD4gACudDckNzjqfNLNduN5RERcEp/phS6+G/h0Wdup2/y+Y9bNOP0PMQdE3Fu6UJRKixPiMUPH59
mprnoPpkQ==
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAkBAAEALWmiWg==
krbExtraData:: AAItaaJaZGJfY3JlYXRpb25AU1RDSERQLkNPTQA=
krbExtraData:: AAcBAAIAAhMIAQAAAAA=
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
dn: krbPrincipalName=krbtgt/[email protected],cn=ABC.COM,cn=kerberos,dc=abc,dc=com
krbLoginFailedCount: 0
krbMaxTicketLife: 86400
krbMaxRenewableAge: 0
krbTicketFlags: 0
krbPrincipalName: krbtgt/[email protected]
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MIIBTKADAgEBoQMCAQGiAwIBAaMDAgEApIIBNDCCATAwVKAHMAWgAwIBAKFJME
egAwIBEqFABD4gAHaAH+zsuGSt6J3isOKXez4Nu2LRShW6wreSizhdEyqxBO+3aJDXgLWi4WvWzc86F
7wKyab1qt4ZwiQ16jBEoAcwBaADAgEAoTkwN6ADAgERoTAELhAAwYBS8GIaaJH4PQYo8FFMsA/GSNmv
cjweFhdJq6NYs0mmJDJHiBIeKifNPP0wTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAIfx7NqeVW0Qdj3
VY3r7A/EWzE39RTeU4YfVvOiLLF7llwnmhVBOwxS6//+8VhfbLthC/CMwRKAHMAWgAwIBAKE5MDegAw
IBF6EwBC4QAD/64qF/jbLScov2PillRnkUwTZZC9cWqs8g2YQMNlldaGMAo5pJyGTjxAWB
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAItaaJaZGJfY3JlYXRpb25AU1RDSERQLkNPTQA=
krbExtraData:: AAcBAAIAAhMIAQAAAAA=
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
# kadmin service principals (admin, changepw, history, and the per-host one),
# as created by the realm setup.
dn: krbPrincipalName=kadmin/[email protected],cn=ABC.COM,cn=kerberos,dc=abc,dc=com
krbLoginFailedCount: 0
krbMaxTicketLife: 10800
krbMaxRenewableAge: 0
krbTicketFlags: 4
krbPrincipalName: kadmin/[email protected]
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MIIBTKADAgEBoQMCAQGiAwIBAaMDAgEApIIBNDCCATAwVKAHMAWgAwIBAKFJME
egAwIBEqFABD4gAC2wcqF48ii/FgncQ0tCL1RoeKaJvzKduUG53bVCAVnQZgaKmD/7yU90fWLqXvw04
0eaoGoOd3h7OUNVkjBEoAcwBaADAgEAoTkwN6ADAgERoTAELhAAaGRk0ddcEM5kHP48daKTkwOMSpA9
OcEA5eIC8MkrTWvBCdfv051k1VlZmzcwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAHfX7kKE1WMVjT6
XO2fiGH2gKmHP2HIPohKSksmS/hkBlLT137bt4CEbkBftJO5UDBTts0IwRKAHMAWgAwIBAKE5MDegAw
IBF6EwBC4QAPLSVWzkyPn9jsqVmqVjtNWE78Q7VlYKfzMmOLfbi75QwfUn4LdUiM5bt0dF
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAItaaJaZGJfY3JlYXRpb25AU1RDSERQLkNPTQA=
krbExtraData:: AAcBAAIAAnQuQ09NAAA=
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
dn: krbPrincipalName=kadmin/[email protected],cn=ABC.COM,cn=kerberos,dc=abc,dc=com
krbLoginFailedCount: 0
krbMaxTicketLife: 300
krbMaxRenewableAge: 0
krbTicketFlags: 8196
krbPrincipalName: kadmin/[email protected]
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MIIBTKADAgEBoQMCAQGiAwIBAaMDAgEApIIBNDCCATAwVKAHMAWgAwIBAKFJME
egAwIBEqFABD4gAFX+BT8lg5ixjLNaj+a7CMoZ+XXNmiyo7Ts4ULJudMIorvAYqb6Dv6jmY3fH1vXpM
2sfzClzYPrHB7KTHjBEoAcwBaADAgEAoTkwN6ADAgERoTAELhAA5mBHHHWdu2/OcdDqLMs68DohSYjs
c6TyhN1YElOtMm6gJVhc5uwo2G5XK2UwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAGyzwsAHmYL93eN
8sPzWEvBXuFMrRuYg4DhFBthYCWPOdb6VRx9ZCbXdSp4RHZY/M1PtN2wwRKAHMAWgAwIBAKE5MDegAw
IBF6EwBC4QAFdl8GPHWYz1wd1aqwH5PwdoQLxUOnyVTalDphHZsNnS7EOcTttENZGl32ks
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAItaaJaZGJfY3JlYXRpb25AU1RDSERQLkNPTQA=
krbExtraData:: AAcBAAIAAnQuQ09NAAA=
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
dn: krbPrincipalName=kadmin/[email protected],cn=ABC.COM,cn=kerberos,dc=abc,dc=com
krbLoginFailedCount: 0
krbMaxTicketLife: 86400
krbMaxRenewableAge: 0
krbTicketFlags: 0
krbPrincipalName: kadmin/[email protected]
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MG6gAwIBAaEDAgEBogMCAQGjAwIBAKRYMFYwVKAHMAWgAwIBAKFJMEegAwIBEq
FABD4gAFY4hn8yhgHzwKY5TbObosMf9OWNXbo27WuB6fuFqbZsNZHTyaipRxXJhHv48pSRnf8BVlcdv
8K+DTKBVQ==
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAItaaJaZGJfY3JlYXRpb25AU1RDSERQLkNPTQA=
krbExtraData:: AAcBAAIAAnQuQ09NAAA=
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
dn: krbPrincipalName=kadmin/[email protected],cn=ABC.COM,cn=kerberos,dc=abc,dc=com
krbLoginFailedCount: 0
krbMaxTicketLife: 10800
krbMaxRenewableAge: 0
krbTicketFlags: 4
krbPrincipalName: kadmin/[email protected]
krbPrincipalExpiration: 19700101000000Z
krbPrincipalKey:: MIIBTKADAgEBoQMCAQGiAwIBAaMDAgEApIIBNDCCATAwVKAHMAWgAwIBAKFJME
egAwIBEqFABD4gADyFdZ7JiK9Pba54oF0hbjGPYSBq6H+qnM+U8o1oZ33mZ1BAACqEQHOrAt8qDXZYY
UWEfb5y8V6utGc3ejBEoAcwBaADAgEAoTkwN6ADAgERoTAELhAAJT06wv7xrB6z+3+o/wfaILDr2x4U
piJbyfkNWEe1oNJZLjvE9UMIxnfn+wYwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYADAgGFWbWOaeRFS
zKcjTDJMJX4QXV1rCrZEYuE0hcaDTQjCoMXleLiD4uB0LtIqqyarCmOwwRKAHMAWgAwIBAKE5MDegAw
IBF6EwBC4QADjw1CyXbfBBAxJqTkQrLDRwTtzDcJ8IqPVDmTGL1nzMOkNrWz7qlCJnCDkx
krbLastPwdChange: 19700101000000Z
krbExtraData:: AAItaaJaZGJfY3JlYXRpb25AU1RDSERQLkNPTQA=
krbExtraData:: AAcBAAIAAhMIAWlwYWw=
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
# Administrative principal, presumably the one Ambari authenticates with.
# NOTE(review): krbLoginFailedCount: 3 with krbLastFailedAuth about two
# minutes after krbLastPwdChange means three authentications failed right
# after the password was set. Check the password configured on the Ambari
# side and that the client's enctypes overlap with this key (its
# krbPrincipalKey is far shorter than the others, consistent with a single
# enctype). No explicit krbMaxTicketLife/krbTicketFlags here, so the realm
# policy applies.
dn: krbPrincipalName=admin/[email protected],cn=ABC.COM,cn=kerberos,dc=abc,dc=com
krbPrincipalName: admin/[email protected]
krbPrincipalKey:: MFagAwIBAaEDAgEBogMCAQGjAwIBAaRAMD4wPKAHMAWgAwIBAKExMC+gAwIBAa
EoBCYIAM4316dUizxrzzChKklYEj+jWWooaIE1pDuORugR4rbQH5DV+w==
krbLastPwdChange: 20180309155715Z
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
krbLoginFailedCount: 3
krbLastFailedAuth: 20180309155925Z
krbExtraData:: AALbrqJacm9vdC9hZG1pbkBTVENIRFAuQ09NAA==
krbExtraData:: AAgBAA==
# Container for regular user accounts (presumably the user search base for
# Knox/Ranger — verify against their configuration).
dn: ou=people,dc=abc,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people
# Sample user; inetOrgPerson provides the uid attribute that LDAP-authenticating
# services usually search on.
# NOTE(review): userPassword is a cleartext literal. ldapadd stores it as
# given, so it lands unhashed in the directory unless slapd hashes cleartext
# passwords on write; load an {SSHA} hash (slappasswd) or set the password
# with ldappasswd after import, and change it now that this dump is public.
dn: cn=ud_anwaar,ou=people,dc=abc,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: ud_anwaar
sn: ud_anwaar
uid: ud_anwaar
userPassword: abcd1234