
We have a working structure for our Hadoop where OpenLDAP was used for authentication with the below structure, along with Ranger and Knox.

openldap root:-

dn: dc=abchadoop,dc=com,dc=za

Subtree inside openldap like below:-

dn: ou=people,dc=abchadoop,dc=com,dc=za
dn: ou=groups,dc=abchadoop,dc=com,dc=za
dn: ou=services,dc=abchadoop,dc=com,dc=za

dn: cn=ud_devtest,ou=people,dc=abchadoop,dc=com,dc=za
dn: cn=hcat,ou=services,dc=abchadoop,dc=com,dc=za
dn: cn=hive_dev,ou=groups,dc=abchadoop,dc=com,dc=za

Now we integrated Kerberos with OpenLDAP as the backend (same server), and then the picture became dirty with a lot of confusion. After adding Kerberos, the new entries in OpenLDAP are like below:-

openldap root:-
dn: dc=abchadoop,dc=com,dc=za

Subtree inside openldap like below:-

dn: ou=people,dc=abchadoop,dc=com,dc=za
dn: ou=groups,dc=abchadoop,dc=com,dc=za
dn: ou=services,dc=abchadoop,dc=com,dc=za

dn: cn=ud_devtest,ou=people,dc=abchadoop,dc=com,dc=za
dn: cn=hcat,ou=services,dc=abchadoop,dc=com,dc=za
dn: cn=hive_dev,ou=groups,dc=abchadoop,dc=com,dc=za


kerberos:-
dn: cn=kerberos,dc=abchadoop,dc=com,dc=za
dn: cn=ABCHDP.COM,cn=kerberos,dc=abchadoop,dc=com,dc=za
--
Hadoop kerberos principals
--

dn: krbPrincipalName=ud_dvjones@ABCHDP.COM,cn=ABCHDP.COM,cn=kerberos,dc=abchadoop,dc=com,dc=za
dn: krbPrincipalName=ud_devtest@ABCHDP.COM,cn=ABCHDP.COM,cn=kerberos,dc=abchadoop,dc=com,dc=za

Now I have some further confusions:-

I have the realm name as ABCHDP.COM instead of abchadoop.com.sa, as most of the examples over the internet use (example.com as domain name and EXAMPLE.COM as realm name). Is it mandatory to have the same for both the OpenLDAP root and the Kerberos realm??

ud_devtest already existed with password1 when OpenLDAP was created, and after the Kerberos installation we created one more principal with the same name, but here we gave a different password (password2). Is there any way to sync the password??

Going forward, where should I create users, LDAP or Kerberos??

Can someone help me understand?

anwaar_hell



Convention is that a Kerberos realm will be the same as the domain, but capitalized. This is not a requirement, but it does help to avoid some confusion.

A Kerberos principal can only have one password.
An LDAP DN can have multiple userPassword entries, each of which points to a different Kerberos principal for SASL passthrough authentication. However, I wouldn't recommend doing this.
If you mean that the LDAP DN's userPassword attribute isn't currently set for SASL passthrough, e.g. userPassword: {SASL}ud_devtest@ABCHDP.COM, then you should change that. Be sure your saslauthd is configured correctly first.

Going forward you should create a user that is both LDAP and Kerberos. You can keep them in two separate DNs or combine them. Whichever makes the most sense for you. Combining would likely make use of kdb5_ldap_util modify -subtrees ou=people,dc=abchadoop,dc=com,dc=za -r ABCHDP.COM and objectClass: krbPrincipalAux.

84104
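The situation the answer describes can be checked against a directory export. The script below is an added example, not code from the question or the answer: it parses a small LDIF constructed from the DNs above, reports which users under ou=people still hold a local userPassword hash while a separate principal exists under cn=ABCHDP.COM,cn=kerberos (the two-password situation with ud_devtest), which users already defer to Kerberos via {SASL} passthrough, and emits the ldapmodify LDIF that switches one user to passthrough. The function names, the sample objectClass and userPassword values, and the SSHA hash placeholder are assumptions made for the example.

```python
"""Audit an OpenLDAP export for the mixed LDAP/Kerberos layout discussed above.

Added example, not from the original question or answer. The sample LDIF is
constructed from the DNs in the question; the userPassword and objectClass
values on it are assumptions for illustration."""

import re
from collections import defaultdict

PEOPLE_BASE = "ou=people,dc=abchadoop,dc=com,dc=za"
REALM = "ABCHDP.COM"

# Constructed sample: ud_devtest keeps a local LDAP password *and* has a separate
# KDC principal (the two-password situation in the question); ud_dvjones already
# delegates its LDAP password to Kerberos via SASL passthrough.
SAMPLE_LDIF = """\
dn: cn=ud_devtest,ou=people,dc=abchadoop,dc=com,dc=za
objectClass: inetOrgPerson
cn: ud_devtest
userPassword: {SSHA}constructed-hash-of-password1

dn: cn=ud_dvjones,ou=people,dc=abchadoop,dc=com,dc=za
objectClass: inetOrgPerson
cn: ud_dvjones
userPassword: {SASL}ud_dvjones@ABCHDP.COM

dn: cn=hcat,ou=services,dc=abchadoop,dc=com,dc=za
objectClass: inetOrgPerson
cn: hcat

dn: krbPrincipalName=ud_dvjones@ABCHDP.COM,cn=ABCHDP.COM,cn=kerberos,dc=abchadoop,dc=com,dc=za
objectClass: krbPrincipal
krbPrincipalName: ud_dvjones@ABCHDP.COM

dn: krbPrincipalName=ud_devtest@ABCHDP.COM,cn=ABCHDP.COM,cn=kerberos,dc=abchadoop,dc=com,dc=za
objectClass: krbPrincipal
krbPrincipalName: ud_devtest@ABCHDP.COM
"""

SASL_RE = re.compile(r"^\{SASL\}(.+)$", re.IGNORECASE)


def parse_ldif(text):
    """Minimal LDIF parser for blank-line separated 'attr: value' entries.
    Returns {dn: {attr_lowercased: [values]}}. Base64 values (::) and folded
    lines are not handled; a plain-text slapcat/ldapsearch export is assumed."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
        dn = attrs.pop("dn")[0]
        entries[dn] = dict(attrs)
    return entries


def audit(entries, people_base=PEOPLE_BASE, realm=REALM):
    """Classify every user under people_base by where its password really lives."""
    # Every krbPrincipalName anywhere in the tree, whether on a separate entry
    # under cn=kerberos or on a person entry that carries krbPrincipalAux.
    principal_dn = {}
    for dn, attrs in entries.items():
        for principal in attrs.get("krbprincipalname", []):
            principal_dn[principal] = dn

    report = {
        "two_password_stores": [],   # local LDAP hash plus a separate KDC principal
        "sasl_passthrough": [],      # userPassword defers to an existing principal
        "sasl_target_missing": [],   # {SASL} reference to a principal the KDC lacks
        "local_only": [],            # local hash, no Kerberos principal at all
        "no_password": [],           # neither local hash nor passthrough
    }
    suffix = "," + people_base.lower()
    for dn, attrs in entries.items():
        if not dn.lower().endswith(suffix):
            continue
        cn = attrs["cn"][0]
        passwords = attrs.get("userpassword", [])
        if not passwords:
            report["no_password"].append(cn)
            continue
        match = SASL_RE.match(passwords[0])
        if match:
            target = match.group(1)
            bucket = "sasl_passthrough" if target in principal_dn else "sasl_target_missing"
            report[bucket].append(cn)
        elif principal_dn.get(f"{cn}@{realm}", dn) != dn:
            report["two_password_stores"].append(cn)
        else:
            report["local_only"].append(cn)
    return {key: sorted(names) for key, names in report.items()}


def conventional_realm(base_dn):
    """The realm the answer calls conventional: the dc components, upper-cased."""
    parts = [rdn.split("=", 1)[1] for rdn in base_dn.split(",")
             if rdn.strip().lower().startswith("dc=")]
    return ".".join(parts).upper()


def passthrough_ldif(cn, people_base=PEOPLE_BASE, realm=REALM):
    """ldapmodify LDIF that makes one user's LDAP password defer to its Kerberos
    principal, leaving a single password store. This handles the LDAP side only;
    the principal and its keys stay under KDC control, and saslauthd must already
    be verifying against the KDC (the answer's caveat)."""
    return (
        f"dn: cn={cn},{people_base}\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        f"userPassword: {{SASL}}{cn}@{realm}\n"
    )


if __name__ == "__main__":
    for bucket, names in audit(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{bucket:22s} {names}")
    print("conventional realm for the tree:", conventional_realm(PEOPLE_BASE))
    print(passthrough_ldif("ud_devtest"))
```

On the constructed sample the audit lists ud_devtest under two_password_stores and ud_dvjones under sasl_passthrough, which is exactly the difference the answer draws: once userPassword reads {SASL}ud_devtest@ABCHDP.COM there is one password, held by the KDC. The kdb5_ldap_util modify -subtrees step from the answer, which lets principals live on the ou=people entries themselves, is outside this script; the audit still works after that change because it looks for krbPrincipalName on any entry, not only under cn=kerberos.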