directory-dev mailing list archives

From "Wu, James C." <James.C...@disney.com>
Subject RE: S4U2Proxy and S4U2Self on ApacheDS
Date Mon, 13 May 2013 23:49:54 GMT
Hi,

No, they are not. The first one is actually a job scheduled by cron. i.e.

  sudo -u Foo
  hadoop my.jar

The second service is a Hadoop cluster secured using Kerberos.

You can see I would like to run the Hadoop map/reduce jobs as user Foo, but I would try to
avoid handling the keytab management issues. If I can add some extra lines of script between
the two lines to use a service principal's keytab and impersonate user Foo, it would be great.
Otherwise, every time there is a new user, Foo2, I have to update the keytab file.

Regards,

James

From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
Sent: Monday, May 13, 2013 4:19 PM
To: Apache Directory Developers List
Subject: RE: S4U2Proxy and S4U2Self on ApacheDS


Are these all web services?
On May 13, 2013 6:31 PM, "Wu, James C." <James.C.Wu@disney.com> wrote:
Thanks for the quick response. It seems I can't use these two protocols at the moment then.

So let me describe my situation and maybe someone will give me some hint.

I have a service A that will launch a bunch of jobs for its client. The jobs will interact
with a Kerberos secured service B. I was thinking about deploying a service principal for
A onto the host where A is running and have it impersonate its clients using S4U2Proxy and
S4U2Self protocols.

Since S4U2Proxy and S4U2Self are not yet working on ApacheDS, the other option I can think
of is to deploy a key for each client of A onto the host where A is running. So A will request
a Kerberos ticket for its client and use the ticket to access service B. The trouble is that
every time I add a new client for A, I have to add a key entry into the keytab, which is a
pain.

Does anyone know a better way to do it?

Regards,

james
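A worked illustration of the per-client keytab approach described in the message above (and restated in the reply at the top of this page), added here as an example rather than taken from the thread, from ApacheDS or from Hadoop: a small reader for MIT keytab files (format 0x0502) that lists the principals a keytab carries, so a deployment script can check whether the entry for a new client such as Foo2 is already on the host before the job is scheduled. The principal names, kvnos, enctypes, timestamp and key bytes are constructed for the example, and the writer functions exist only to build that sample in memory.

```python
# Added example, not code from the thread, ApacheDS or Hadoop: a minimal
# reader for MIT keytab files (format 0x0502). All principals, kvnos, key
# bytes and the timestamp below are constructed; the writer only builds
# the in-memory sample keytab for the reader to parse.
import struct

KEYTAB_VERSION = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1            # name_type of an ordinary principal
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}


def _counted(buf, off):
    """Read a uint16-length-prefixed byte string starting at buf[off]."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return one dict per live entry; key bytes are skipped, not retained."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:             # negative size marks a deleted slot
            off += -size
            continue
        if size == 0:
            break
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4 + keylen        # step over the key itself
        kvno = vno8
        if end - off >= 4:       # optional 32-bit kvno; wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "timestamp": timestamp,
            "kvno": kvno,
            "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
        })
        off = end
    return entries


def principals(data):
    return [e["principal"] for e in parse_keytab(data)]


def has_principal(data, principal):
    """The check a deployment script wants before scheduling a job as Foo2."""
    return principal in principals(data)


# Writer: used here only to construct the sample keytab.
def _encode_entry(principal, kvno, enctype, key, timestamp):
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    return body + struct.pack(">I", kvno)


def build_keytab(live, deleted=()):
    out = KEYTAB_VERSION
    for e in live:
        body = _encode_entry(*e)
        out += struct.pack(">i", len(body)) + body
    for e in deleted:            # stale slot, as left behind by a delete
        body = _encode_entry(*e)
        out += struct.pack(">i", -len(body)) + body
    return out


T = 1368489600                   # constructed timestamp, May 2013
SAMPLE_KEYTAB = build_keytab(
    live=[("hadoop/namenode.example.com@EXAMPLE.COM", 3, 18, b"\x11" * 32, T),
          ("Foo@EXAMPLE.COM", 1, 17, b"\x22" * 16, T)],
    deleted=[("Bar@EXAMPLE.COM", 1, 17, b"\x33" * 16, T)],
)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-42s kvno=%d %s" % (e["principal"], e["kvno"], e["enctype"]))
    print("Foo2 present:", has_principal(SAMPLE_KEYTAB, "Foo2@EXAMPLE.COM"))
```

On a real host `klist -kt` prints the same listing; the reader is here to make the on-disk layout concrete, including the deleted slot that a stale Bar entry leaves behind. The security point behind the thread's complaint is visible in the sample: a keytab that carries an entry per client holds every client's long-term key on the host running A, so that host can act as any of them, whereas the S4U2Self/S4U2Proxy route asked about would leave A with only its own service key.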

From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
Sent: Monday, May 13, 2013 3:23 PM
To: Apache Directory Developers List
Subject: Re: S4U2Proxy and S4U2Self on ApacheDS

I think that might have been me.  While I was able to generate the tickets, they were never
accepted by IIS (when ISA tickets were) so I gave up.  But I was more focused on the client
APIs, not on having ApacheDS be a KDC.

Thanks
Marc

On Mon, May 13, 2013 at 6:06 PM, Wu, James C. <James.C.Wu@disney.com> wrote:
Hi,

Does anyone know if ApacheDS supports these two protocols?  In 2010, someone mentioned
trying to implement these protocols. Is the work done? If so, how can I test them?

Regards,

James
