directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Wu, James C." <>
Subject RE: S4U2Proxy and S4U2Self on ApacheDS
Date Mon, 13 May 2013 23:49:54 GMT

No, they are not. The first one is actually a job scheduled by cron. i.e.

 sudo  -u Foo
  hadoop my.jar

The second service is a Hadoop cluster secured using Kerberos.

You can see I would like to run the hadoop map/reduce jobs as user Foo. But I would try to
avoid handing the keytab management issues. If I can add some extra line of script between
the two lines to use a service principle's keytab and impersonate user Foo, it would be great.
Otherwise, everytime, there is a new user, Foo2, then I have to update the keytab file.



From: Marc Boorshtein []
Sent: Monday, May 13, 2013 4:19 PM
To: Apache Directory Developers List
Subject: RE: S4U2Proxy and S4U2Self on ApacheDS

Are these all web services?
On May 13, 2013 6:31 PM, "Wu, James C." <<>>
Thanks for the quick response. It seems I can't use these two protocols at the moment then.

So let me describe my situation and maybe someone will give me some hint.

I have a service A that will launch a bunch of jobs for its client. The jobs will interact
with a Kerberos secured service B. I was thinking about deploying a service principal for
A onto the host where A is running and have it impersonate its clients using S4U2Proxy and
S4U2Self protocols.

Since S4U2Proxy and S4U2Self is not yet working on ApacheDS, then the other option I can think
of is to deploy a key for each client of A onto the host where A is running. So A will request
Kerberos ticket for its client and use the ticket to access service B. The trouble is that
everytime I add a new client for A, I have to add a key entry into the keytab, which is a

Does anyone knows better way to do it?



From: Marc Boorshtein [<>]
Sent: Monday, May 13, 2013 3:23 PM
To: Apache Directory Developers List
Subject: Re: S4U2Proxy and S4U2Self on ApacheDS

I think that might have been me.  While I was able to generate the tickets, they were never
accepted by IIS (when ISA tickets were) so I gave up.  But I was more focussed on the client
APIs, not in having ApacheDS being a KDC.


On Mon, May 13, 2013 at 6:06 PM, Wu, James C. <<>>

Does anyone know if ApacheDS support this two protocols?  In 2010, someone mentioned about
trying to implement these protocols. Are the work done? If so, how can I test them?



View raw message