Kerberos with MS Active Directory

Olga Semme

Basic concepts used in Kerberos LDAP:

  • Active Directory — database and set of services that connect users to the necessary network resources.

  • LDAP server — hierarchical database, a directory service based on Active Directory, used for centralized storage of accounts. The credentials include the principals against which the user is validated in Kerberos.

  • LDAP — application layer protocol for accessing the Active Directory directory service, used in cluster kerberization to establish user principals.

  • LDAPS — LDAP activation using SSL/TLS protocol to create secure traffic. Creating passwords for ADS users with accounts in Active Directory during cluster kerberization is only possible using LDAPS.

  • Key Distribution Center — access control system component responsible for servicing user requests for access to resources by providing access tickets and session keys. It uses Active Directory as the account database.

  • DN (Distinguished Name) is an account in Active Directory. The DN must be unique within the tree. The DN describes the content of the attributes in the tree (navigation path) for accessing a particular entry.

    A DN consists of a series of RDN (Relative Distinguished Names) determined by moving up the tree in the direction of its root entry. RDNs are written from left to right.

    An example DN for a user used in this article:

    cn=admin-kafka,ou=kerberos,ou=adh,dc=ad,dc=ranger-test.

    The following RDNs are assigned to this entry:

    • cn — common name.

    • ou — organizational unit, a container in an Active Directory domain that can contain users, groups, and computers. An organizational unit can have multiple ou within it.

    • dc — parts of the domain name (domain component), represent the top of the LDAP tree, which uses DNS to determine its namespace. The notation for an Active Directory domain with a DNS name AD.RANGER-TEST is dc=ad,dc =ranger-test. The name AD.RANGER-TEST is also assigned to the realm that is being authenticated.

Prepare to run Active Directory on an ADS cluster

  1. Set up an Active Directory server (LDAP server).

  2. Create a user account to connect the cluster to LDAP-server using the LDAP protocol.

  3. Generate a certificate for the user by enabling LDAP over SSL using a third-party CA.

  4. Set a password for the account.

  5. Assign a user principal name to the account, for example, admin-kafka@AD.RANGER-TEST, and generate a keytab file with these principal and keys.

Run Active Directory on ADS cluster in the ADCM interface

  1. Make sure you know the necessary data to start Active Directory:

    • KDC hosts — address of the host where Key Distribution Center is installed, for AD kerberization this address is the same as the address of the LDAP server;

    • Realm — designation of realm for authentication in Kerberos;

    • Kadmin server — server for installing the Kerberos V5 administration system, for kerberization on AD this address is the same as the address of the LDAP server;

    • Kadmin principal — designation of the user principal created to connect the cluster to Active Directory;

    • Kadmin password — password for the user principal created to connect the cluster to Active Directory;

    • Admin DN — account in Active Directory for the user used to connect the cluster to Active Directory;

    • LDAP URL — LDAP server address;

    • Container DN — distinguished name ou, which will be the default location for cluster objects created during kerberization below the user described in Admin DN;

    • TLS CA certificate Path — path to the generated CA certificate for the Admin DN user (you can leave it blank, then ADCM will contact the LDAP server);

    • TLS CA certificate (optional) — the number of the created CA certificate for the user Admin DN (it is allowed not to specify, then ADCM will contact the LDAP server)

  2. Initiate enabling MS Active Directory for the selected cluster. To do this, apply the Manage Kerberos action by clicking on the actions default dark actions default light in the Actions column.

    Enabling Kerberos on the ADS cluster
    Enabling Kerberos on the ADS cluster

  3. Enable Existing Active Directory. To do this, you need to enable the eponymous switch in the window that opens.

    Enable Existing Active Directory
    Enable Existing Active Directory
    NOTE
    Enabling Existing Active Directory can be combined with the Custom kerberization settings option.

  4. Set the configuration parameters of the ADS cluster for MS Active Directory according to the values ​​set for the user in the LDAP directory and click Run.

    Configuring ADS Cluster for MS Active Directory
    Configuring ADS Cluster for MS Active Directory

  5. Wait for the Kerberos LDAP enablement to complete. Analyze and correct errors if they occur.

    LDAP installation process
    LDAP installation process
NOTE
LDAP authentication after running Manage Kerberos on the Kafka service is done according to Use Kerberos with MS Active Directory in Kafka.
Found a mistake? Seleсt text and press Ctrl+Enter to report it