I'm using CDH 4.5. I installed Impala manually (without Cloudera Manager). I've configured LDAP with Impala (using the instructions at http://www.cloudera.com/content/cloudera-content/cloudera-docs/Impala/latest/Installing-and-Using-Impala/ciiu_ldap.html).
I've added ldap_uri to the /etc/default/impala file. But how do I configure the ldap bind username?
With the current configuration, if I start impala shell, I am able to log in using the ldap bind username. But how do I log in using actual users from AD? I need to configure the ldap bind username and/or ldap password so that impala automatically connects using the bind username and, when I start the impala shell, I can connect using actual user names.
Thanks.
Apparently we don't have to use the ldap bind name. I'm able to log in with user name as "someone@abc.com" where someone is the user name in AD and abc.com is the AD search base.
When a user logs in to the (linux/unix) system as a user and runs a 4GL or ESQL/C program, the program can connect to a DB as the system account user without entering a password. e.g. If I login as rob and run a program it can connect to a DB without providing a password, providing rob has connect permission.
I would like to do a similar thing with a local java program that uses JDBC to talk to the DB server. Is this possible?
Yes, this is fully supported in the JDBC driver for Informix. You can connect without a password as the user who started the Java process that is on the same machine as the Informix server.
As Luis notes in his comment, you forgo the username and password fields in your JDBC URL for this to work.
I am trying to connect to Hive using beeline on an EMR cluster (Kerberos enabled) and am wondering why I'd run a kinit (using my user account) and then the following:
beeline -u "jdbc:hive2://localhost:10000/default;principal=hive/_HOST@REALM"
The part that confuses me is the principal above. Why do we use "principal=hive/_HOST@REALM" (which from what I've read is the Hive service principal) when I've authenticated with my user account using the kinit in the previous command?
Will I be running queries against the Hive service principal or my user account? Do all users use the Hive service principal when using beeline? Is there any reason behind this?
Link for further context: Connecting to Hive via Beeline using Kerberos keytab
The principal= option on that JDBC URL actually refers to the service principal (SPN) i.e. what you need to connect to. It's admittedly ambiguous and confusing.
kinit authenticates your user principal (UPN), creating a "ticket-granting ticket" (TGT) which is dumped in the ticket cache.
Later the JDBC client (or HTTP client, or Hive Metastore Java client, or HDFS Java client, whatever) will use the TGT to request a service ticket for the appropriate service type on the appropriate host; for some reason Java never puts that service ticket in the cache (unlike curl or Python, which use a C library, like kinit).
SPNs are normally defined in Hadoop configuration files named *-site.xml which are consumed by the Hadoop client libraries.
But... a JDBC driver is supposed to be stand-alone, not have dependencies on external libs or config files, and get all its connection params from the URL. That's why you have to stuff the SPN explicitly on your URL. Duh.
I have an existing Datastax Cassandra setup that is working. We just added authentication to the system and now we can log in with our AD accounts. This is very nice and certainly works. However applications need to use a hard-coded username/password in order to connect.
In SQL Server we were able to setup a user to run the service as and then it would connect and work through AD. However in Cassandra it is not the same.
If I don't want to include usernames and especially passwords in my app.config files what are my options?
You can use authentication via LDAP with DSE (DataStax Enterprise), so the authentication stage is done with LDAP instead of the internal authentication in DSE which you're using at the moment. Note that my comments here apply to DSE 5.0 onwards, but you can use LDAP auth with earlier versions of DSE from 4.6 onwards.
The documentation (link below) covers this. The basic steps are as follows:
Configure your authenticator in the cassandra.yaml to use the DSE authenticator
authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator
Create an internal role in cassandra to map to the LDAP group(s) in your LDAP server using the CREATE ROLE command
Ensure all the users you need to use map to the relevant LDAP group (part of your LDAP config)
Configure your dse.yaml to have the correct settings for your LDAP server
Restart the DSE process for the settings to take effect
The following documentation gives some good examples and background information:
https://docs.datastax.com/en/latest-dse/datastax_enterprise/unifiedAuth/unifiedAuthConfig.html
https://docs.datastax.com/en/latest-dse/datastax_enterprise/sec/authLdapConfig.html
Note: when configuring the dse.yaml note the comment in the docs regarding user_search_filter:
When using Active Directory set the filter to (sAMAccountName={0})
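What filling the {0} placeholder in a user_search_filter such as (sAMAccountName={0}) involves, as an added example that is not part of the answer above and not DSE's code. The login name typed into the client is attacker-controlled, so whatever substitutes it into the filter must escape it per RFC 4515; the unsafe variant is included only to show what the escaping prevents. The filter templates and names in the assertions are constructed for the example.

```python
"""Substitute {0} in an LDAP user_search_filter safely.

Added example, not DSE's code: it shows what any component that fills the
{0} placeholder must do before sending the filter to the directory. The
login name is attacker-controlled input, so it has to be escaped per
RFC 4515 or a name such as "*" turns the lookup into a wildcard search.
"""

# RFC 4515 requires these characters to be escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_user_search_filter(template: str, login_name: str) -> str:
    """Fill the {0} placeholder with an escaped login name."""
    if "{0}" not in template:
        raise ValueError("user_search_filter must contain the {0} placeholder")
    if not login_name:
        raise ValueError("empty login name")
    return template.replace("{0}", escape_filter_value(login_name))


def render_unsafely(template: str, login_name: str) -> str:
    """Naive substitution, kept only to show the wildcard/injection problem."""
    return template.replace("{0}", login_name)
```

With the AD filter from the note, a login name of "*" rendered naively becomes (sAMAccountName=*), which matches every account and makes the "which user did I just authenticate?" step depend on search order; escaped, it becomes (sAMAccountName=\2a) and matches nothing.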
I know a simple LDAP bind can do user password verification. But the thing is that an application server usually uses an admin user (cn=Directory Manager) to do all CRUD operations.
With a simple bind operation, we have to create an LDAP connection that binds with that specific user's DN, which is annoying.
As far as I know, ldapcompare is another alternative, but it looks like OpenDJ ldapcompare cannot compare a plain-text password (OpenDJ userPassword is encrypted).
But from some LDAP browsers (Apache LDAP Studio), there's a "Verify Password" which works very well.
Any idea?
Using cn=Directory Manager from an application server is a security issue, pretty much like running applications as root in the Unix world.
Have you tried using the proxyAuth control?
Here are a few relevant links:
https://marginnotes2.wordpress.com/2011/06/28/opendj-proxy-auth/
https://idmdude.com/2015/03/28/opendj-and-the-fine-art-of-impersonation/
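What the proxied authorization control suggested above looks like on the wire, as an added example that is not part of the answer and not OpenDJ's code. The application binds once as a low-privilege service account and attaches this control (RFC 4370, OID 2.16.840.1.113730.3.4.18) to each operation, naming the end user as the authorization identity; the directory then evaluates that operation with the end user's rights. The control is BER-encoded by hand here so the bytes can be inspected without a directory server; the user names and DNs in the assertions are made up.

```python
"""Build the LDAP proxied authorization control (RFC 4370) an application
sends so the directory evaluates an operation as the end user while the
connection itself is bound as a low-privilege service account.

Added example; not code from the original answer or from OpenDJ. It encodes
the control by hand in BER so the bytes on the wire can be inspected without
a directory server. In production you pass the same (oid, criticality,
authzId) triple to your LDAP client library's per-request controls.
"""
from typing import Optional, Tuple

PROXIED_AUTHZ_V2_OID = "2.16.840.1.113730.3.4.18"

# BER tags used by Control ::= SEQUENCE { controlType, criticality, controlValue }
_TAG_SEQUENCE = 0x30
_TAG_BOOLEAN = 0x01
_TAG_OCTET_STRING = 0x04


def _ber_length(n: int) -> bytes:
    """Definite-length encoding: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(payload)) + payload


def authz_id_for_dn(dn: str) -> str:
    """authzId forms are 'dn:<distinguished name>' or 'u:<user id>' (RFC 4513)."""
    return "dn:" + dn


def encode_proxied_authz_control(authz_id: str, critical: bool = True) -> bytes:
    """Encode the v2 control; its value is the raw authzId, not nested BER.

    Criticality should stay TRUE: a server that silently ignored the control
    would run the operation with the service account's own rights. An empty
    authzId (anonymous) is deliberately rejected here.
    """
    if not (authz_id.startswith("dn:") or authz_id.startswith("u:")):
        raise ValueError("authzId must start with 'dn:' or 'u:'")
    inner = _tlv(_TAG_OCTET_STRING, PROXIED_AUTHZ_V2_OID.encode("ascii"))
    if critical:
        inner += _tlv(_TAG_BOOLEAN, b"\xff")
    inner += _tlv(_TAG_OCTET_STRING, authz_id.encode("utf-8"))
    return _tlv(_TAG_SEQUENCE, inner)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_control(data: bytes) -> Tuple[str, bool, Optional[str]]:
    """Inverse of the encoder; returns (oid, criticality, authzId)."""
    tag, body, end = _read_tlv(data, 0)
    if tag != _TAG_SEQUENCE or end != len(data):
        raise ValueError("not a single BER SEQUENCE")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != _TAG_OCTET_STRING:
        raise ValueError("controlType must be an OCTET STRING")
    critical, value = False, None
    while pos < len(body):
        tag, payload, pos = _read_tlv(body, pos)
        if tag == _TAG_BOOLEAN:
            critical = payload != b"\x00"
        elif tag == _TAG_OCTET_STRING:
            value = payload.decode("utf-8")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
    return oid.decode("ascii"), critical, value
```

Two things the control does not do: it does not verify the end user's password (that is still a bind as that user, typically on a separate connection, after which the application carries on with the service account and this control), and it does not work for an arbitrary bound identity. In OpenDJ the service account has to hold the proxied-auth privilege and be granted the proxy right by an ACI over the users it may impersonate, which is exactly the least-privilege boundary that binding as cn=Directory Manager throws away.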
I have installed DB2 Express-C in my office machine. This machine does not allow me to create new account, so I installed DB2 using my local login account. Database installed successfully.
But when I try to connect to the database, it always says "Username/Password is invalid".
My local user account has the domain name appended, for example: "INDDEV/Raghav"
"INDDEV" is the domain name, "Raghav" is my username.
I have tried all the possible combinations, but am unable to connect.
Please help me.
Thanks
The problem comes from your domain user. By default, DB2 does not recognize domain users, so your user cannot be authenticated. You can create a local user for yourself, OR you can use the instance user, OR change the instance configuration to recognize domain users.