Recently, we came across a customer who wanted to set up a Kerberized cluster but did not have an Active Directory server in their infrastructure. Therefore, we needed a solution for an LDAP + Kerberos cluster. After many trials, research and time constraints, we decided to use FreeIPA to provide the LDAP + Kerberos server. We are glad with our choice, since FreeIPA actually provides much more than we wished for.
Versions:
Cloudera Manager: 6.3
CDH: 6.2.1
IPA : 4.6.5
OS: RHEL 7.5
High-level steps:
Install ipa-server
Configure ipa-server using ipa-server-install
Create users and groups
Configure DNS Entries
Install ipa-client on CDH nodes
Configure ipa-client using ipa-client-install
Test (kinit, klist, kdestroy, etc)
Install ipa-server
This is as straightforward as executing 'yum install ipa-server'.
Configure ipa-server using ipa-server-install
Our experience installing ipa-server was a bit bumpy, to say the least. Our OS was RHEL 7.5 and we followed the documentation and various guides on the web, but ipa-server-install could not finish successfully. It always got stuck after "Done configuring directory server (dirsrv)." until it finally failed. We were unable to find a root cause, but after we upgraded to RHEL 7.7, it worked.
Another issue we encountered was related to IPv6, which we normally turn off in CDH deployments. We needed to enable it temporarily while installing ipa-server.
Create users and groups
After ipa-server was configured successfully, it was time to test user and group creation. We opened the IPA UI and tried to log in as the admin user.
We got 'Unknown Error'. This error might be very specific to us, since it was caused by our HTTP port being configured to a non-standard port (7280). This caused a problem during the login procedure. After we fixed this by reverting to port 80, user and group creation was smooth sailing.
Configure DNS Entries
We chose to use an external DNS server for our installation. Therefore, we needed to configure the Kerberos DNS entries manually on our DNS server.
This was quite a trial and error for us. We found the following resource very helpful.
We needed to configure SRV and TXT records so that ipa-client is able to find the domain and the ipa-server.
Install ipa-client on CDH nodes
Again, this was as straightforward as executing 'yum install ipa-client'.
Configure ipa-client using ipa-client-install
When we tried this step, we had not configured the DNS entries properly. We retried this step a few times (install, uninstall, repeat) until the client finally joined successfully.
Mainly, the problems we were having were related to DNS.
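As an added example (not part of the original post, and not FreeIPA's own tooling), a pre-flight script for the SRV/TXT records described in the DNS section above, to be run on a CDH node before ipa-client-install so DNS mistakes surface before the install/uninstall loop. It assumes dig (bind-utils) is installed; the domain example.test and realm EXAMPLE.TEST in the usage line are placeholders.

```shell
# Added pre-flight check, not FreeIPA's own tooling: verify that an external DNS zone
# carries the SRV/TXT records ipa-client-install relies on. Assumes dig (bind-utils).

# Emit "name,type,expected" per record FreeIPA publishes: port for SRV, realm for TXT.
ipa_required_records() {
    cat <<EOF
_kerberos.$1,TXT,$2
_kerberos._tcp.$1,SRV,88
_kerberos._udp.$1,SRV,88
_kerberos-master._tcp.$1,SRV,88
_kerberos-master._udp.$1,SRV,88
_kpasswd._tcp.$1,SRV,464
_kpasswd._udp.$1,SRV,464
_ldap._tcp.$1,SRV,389
EOF
}

# Resolver wrapper (RDATA of NAME/TYPE, one answer per line); replaceable by a fixture.
dns_lookup() {
    dig +short "$2" "$1"
}

# check_record NAME TYPE EXPECTED -> 0 if present and matching, 1 otherwise.
check_record() {
    name=$1; type=$2; expect=$3
    answer=$(dns_lookup "$name" "$type" 2>/dev/null || true)
    [ -n "$answer" ] || { echo "MISSING   $type $name"; return 1; }
    if [ "$type" = TXT ]; then
        # dig prints TXT data quoted; the realm must match exactly (case matters).
        [ "$(echo "$answer" | tr -d '"')" = "$expect" ] ||
            { echo "BAD-REALM $name: $answer (want \"$expect\")"; return 1; }
    else
        # SRV RDATA is "priority weight port target"; some answer must carry the port.
        echo "$answer" | awk -v p="$expect" '$3 == p { ok = 1 } END { exit ok ? 0 : 1 }' ||
            { echo "BAD-PORT  $name: $answer (want port $expect)"; return 1; }
    fi
    echo "OK        $type $name -> $answer"
}

# check_domain DOMAIN REALM: check every record; return value = number of problems.
check_domain() {
    failures=0
    for rec in $(ipa_required_records "$1" "$2"); do
        name=${rec%%,*}; rest=${rec#*,}; type=${rest%%,*}; expect=${rest#*,}
        check_record "$name" "$type" "$expect" || failures=$((failures + 1))
    done
    return "$failures"
}

# Usage on a CDH node before ipa-client-install: sh ipa-dns-check.sh example.test EXAMPLE.TEST
if [ $# -ge 2 ]; then check_domain "$1" "$2"; fi
```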
Test (kinit, klist, kdestroy, id, etc)
Finally, after all the hardship, our tests went quite smoothly: id, kinit, klist, kdestroy, generating a keytab and kinit using the keytab all worked perfectly.
Summary
ipa-server provides much richer functionality than a typical manual OpenLDAP + MIT Kerberos installation. It integrates well with CM and CDH. A few takeaways that we learned during the setup are:
Use a dedicated host for ipa server if possible
Enable IPv6 if possible
Configure DNS properly
Configure NTP properly
Enable debug in the IPA default.conf if needed
Use verbose mode when executing ipa-server-install or ipa-client-install
Thanks to the @freeipa team for providing a very good solution. I wondered why there was not much hype/news about FreeIPA.
The next article will be about how we configured ipa-replica and tested the failover between ipa-servers.