IBM BigInsights

Configuring LDAP server authentication on Red Hat Enterprise Linux 6.5 and above

If you want to use LDAP authentication on RHEL 6.5 or above for your users and groups, you must configure your LDAP server before installing IBM® Open Platform with Apache Hadoop. You must complete this procedure on every node in your cluster.

Before you begin

You need the following information to complete this procedure. You can find this information in the ldap.conf file in the /etc/openldap directory.
  • LDAP server URI, such as ldap://10.0.0.1.
  • LDAP server search base, such as dc=example,dc=com.

Add users and user groups to your LDAP configuration. All users of Oozie services, zookeeper services, or monitoring services must belong to the Hadoop group. For more information about potential groups, see Users and groups for IBM Open Platform with Apache Hadoop.

To disable LDAP authentication again, use the following command (the --disableldap and --disableldapauth pair undoes the NSS and PAM changes that the procedure below makes; a space is required before --ldapbasedn):
sudo /usr/bin/authconfig --disableldap --disableldapauth --ldapserver=ldap://your-ldap-server-name:port --ldapbasedn="dc=your-ldap-dc,dc=your-ldap-dc" --update

Procedure

  1. Install the following required packages.
    yum install authconfig
    
    yum install pam_ldap
    
    yum install openldap openldap-clients openldap-servers sssd
  2. Configure your OpenLDAP server.
    1. Stop slapd if it is already running: slapd rewrites the files under /etc/openldap/slapd.d while it runs, so editing them in place is only safe while it is stopped. Change to the /etc/openldap/slapd.d/cn=config directory and open the olcDatabase={2}bdb.ldif file, which holds the configuration of the primary database. Modify the olcSuffix entry to identify your domain. For example, if your domain is example.com, then your suffix looks like the following example (the slapd.d files use LDIF syntax, so the value follows a colon and is not quoted).
      olcSuffix: dc=example,dc=com
    2. Modify the olcRootDN entry to reflect the name of the privileged user who has unrestricted access to your OpenLDAP directory. For example, if the privileged user is ldapadmin and the domain is example.com, then your olcRootDN looks like the following example.
      olcRootDN: cn=ldapadmin,dc=example,dc=com
    3. Set a password for the olcRootDN user by using the olcRootPW entry. This is the password you bind with to load, test, and correct directory entries over the network (for example with ldapadd and ldapmodify), so treat it as a root-equivalent credential for the directory.
      olcRootPW: {SSHA}output-of-slappasswd
      Generate the value with the slappasswd command rather than writing the cleartext password into the file. The command prompts you to enter a password and prints a salted hash that you can copy and paste into the olcRootPW entry (or into slapd.conf, if you use that format instead of slapd.d).
      Note: Some versions of SUSE do not support this feature.
    4. Start your OpenLDAP server with the slapd init script in the /etc/init.d directory.
      /etc/init.d/slapd start
  3. Configure the LDAP user store and enable your machine to authenticate to your remote LDAP server. Use --enableldap so that NSS account lookups go to the directory and --enableldapauth so that PAM authentication does too (the disable command shown earlier turns off the same pair). You must use the full LDAP URL for your LDAP server, and the base DN must match the olcSuffix you set on the server.
    /usr/sbin/authconfig --enableldap --enableldapauth --ldapserver=ldap://ldap.example.com \
      --ldapbasedn="dc=example,dc=com" --update
  4. Configure the LDAP client by using sssd.
    The sssd configuration is located at /etc/sssd/sssd.conf. sssd refuses to start unless this file is mode 0600 and owned by root, because it holds the bind password. An example sssd.conf:
    [sssd]
    config_file_version = 2
    services = nss, pam
    domains = default
    
    [nss]
    # Accounts listed here are resolved from local files only and never cause an LDAP call
    filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
    
    [pam]
    
    [domain/default]
    auth_provider = ldap
    id_provider = ldap
    ldap_schema = rfc2307
    ldap_search_base = ou=im,dc=example,dc=com
    ldap_group_member = memberuid
    # The next two settings disable certificate checking and StartTLS, so the bind password
    # and every user password travel to the server in clear. Acceptable on an isolated test
    # network only; for production set ldap_tls_reqcert = demand, ldap_id_use_start_tls = True
    # and point ldap_tls_cacert at the CA that signed the server certificate.
    ldap_tls_reqcert = never
    ldap_id_use_start_tls = False
    chpass_provider = ldap
    ldap_uri = ldap://ldap.example.com:389/
    ldap_tls_cacertdir = /etc/openldap/cacerts
    entry_cache_timeout = 600
    ldap_network_timeout = 3
    #ldap_access_filter = (&(object)(object))
    ldap_default_bind_dn = cn=Manager,ou=im,dc=example,dc=com
    # The bind password is stored in cleartext; sss_obfuscate can store it obfuscated instead
    ldap_default_authtok_type = password
    ldap_default_authtok = YOUR_PASSWORD
    cache_credentials = True
    # Enumeration downloads the whole user and group list on every refresh; costly on large directories
    enumerate=true
    Note:
    • A Hadoop cluster makes a very large number of LDAP calls.
    • ALL IBM Open Platform with Apache Hadoop and IBM BigInsights® value-add service users can be local. Adding them to the filter_users clause prevents any LDAP call for those accounts. For more information, see http://www-01.ibm.com/support/docview.wss?uid=swg21962541.
  5. Edit /etc/nsswitch.conf to make sure the account resolution is using sss.
    passwd: files sss
    shadow: files sss
    group: files sss
  6. Start your LDAP client with the sssd init script in the /etc/init.d directory.
    /etc/init.d/sssd start
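The client-side steps above (3 to 6) as one script, added here as an example and not part of the IBM page or product: it renders an sssd.conf that keeps the page's layout but enforces StartTLS with certificate validation and keeps the bind password out of the file, audits an existing sssd.conf for the weak settings shown in the example above, and then runs authconfig, nsswitch.conf and the sssd restart. The hostname ldap.example.com, the DNs, the CA path /etc/openldap/cacerts/ca.crt and the sss_obfuscate step are assumptions for illustration.

```shell
#!/bin/bash
# Added example (not from the IBM page): hardened sssd.conf for the client side
# of the procedure above. Hostnames, DNs and the CA path are assumed values.

# Print an sssd.conf that enforces TLS and omits the cleartext bind password.
# $1 = LDAP URI, $2 = search base, $3 = bind DN, $4 = PEM file of the LDAP CA
render_sssd_conf() {
    cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[nss]
# Local accounts listed here never cause an LDAP lookup; append the Hadoop
# service users you keep local (see the users-and-groups topic).
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]

[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307
ldap_group_member = memberuid
ldap_uri = $1
ldap_search_base = $2
ldap_default_bind_dn = $3
# Upgrade every connection to TLS and verify the server certificate against the CA.
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_tls_cacert = $4
# No ldap_default_authtok here: "sss_obfuscate --domain default" adds it obfuscated.
cache_credentials = True
entry_cache_timeout = 600
ldap_network_timeout = 3
# enumerate = true walks the whole directory on every refresh; a Hadoop cluster
# already generates a large number of LDAP calls, so leave it off.
enumerate = false
EOF
}

# Audit an existing sssd.conf: returns 0 if clean, otherwise prints one line per
# finding and returns 1. Comments are stripped so commented-out lines are ignored.
audit_sssd_conf() {
    f=$1; rc=0
    conf=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$f")
    if printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*ldap_tls_reqcert[[:space:]]*=[[:space:]]*(never|allow)'; then
        echo "$f: ldap_tls_reqcert disables server certificate validation"; rc=1
    fi
    uri=$(printf '%s\n' "$conf" | grep -Ei '^[[:space:]]*ldap_uri' | sed 's/.*=[[:space:]]*//')
    starttls=$(printf '%s\n' "$conf" | grep -Ei '^[[:space:]]*ldap_id_use_start_tls' \
               | sed 's/.*=[[:space:]]*//' | tr 'A-Z' 'a-z')
    case "$uri" in
        ldaps://*) ;;   # TLS from the first byte, StartTLS not needed
        *) if [ "$starttls" != "true" ]; then
               echo "$f: $uri without ldap_id_use_start_tls = True sends credentials in clear"; rc=1
           fi ;;
    esac
    if printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*ldap_default_authtok_type[[:space:]]*=[[:space:]]*password'; then
        echo "$f: bind password stored in cleartext (use sss_obfuscate)"; rc=1
    fi
    mode=$(stat -c '%a' "$f")
    if [ "$mode" != "600" ]; then
        echo "$f: mode $mode; sssd refuses anything but 0600 root:root"; rc=1
    fi
    return $rc
}

# Steps 3, 5 and 6 of the procedure plus the hardened config; run as root.
apply_ldap_client() {
    tmp=$(mktemp)
    render_sssd_conf "$1" "$2" "$3" "$4" > "$tmp"
    # --enableldap covers NSS lookups, --enableldapauth covers PAM. Run authconfig
    # first, because --update rewrites /etc/sssd/sssd.conf on RHEL 6.
    /usr/sbin/authconfig --enableldap --enableldapauth --enableldaptls \
        --ldapserver="$1" --ldapbasedn="$2" --update
    install -m 0600 -o root -g root "$tmp" /etc/sssd/sssd.conf && rm -f "$tmp"
    sss_obfuscate --domain default          # prompts for the bind password
    sed -i -E 's/^(passwd|shadow|group):.*/\1: files sss/' /etc/nsswitch.conf
    audit_sssd_conf /etc/sssd/sssd.conf || return 1
    service sssd restart && chkconfig sssd on
}

# Cheapest end-to-end check that NSS, sssd and the LDAP bind work: returns 0
# when the directory user resolves and prints its uid/gid membership.
verify_ldap_user() {
    getent passwd "$1" > /dev/null && id "$1"
}

case "${1:-}" in
    apply)  apply_ldap_client "$2" "$3" "$4" "$5" ;;
    verify) verify_ldap_user "$2" ;;
esac
```

Run it as root with `./ldap-client.sh apply ldap://ldap.example.com:389/ dc=example,dc=com cn=Manager,dc=example,dc=com /etc/openldap/cacerts/ca.crt` on each node, then `./ldap-client.sh verify someuser` to confirm resolution goes through sss. The audit function can also be pointed at an existing /etc/sssd/sssd.conf on its own; run against the page's example it reports the disabled certificate check, the missing StartTLS and the cleartext bind password.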
