1. Create 1 Linux VM (Sandbox), 2 Windows VMs
Use private IPs (10.1.0.x) so the VMs can reach each other (this means editing the hosts file on each VM)
2. Set up AD as a new Forest on one Windows VM (HDP.LOCALDOMAIN)
Add "Active Directory Domain Services" (do not install AD CS at the same time)
Then, when configuring, select "Add a new forest"
3. Set up ldaps (AD CS Configuration)
Ref: http://gregtechnobabble.blogspot.in/2012/11/enabling-ldap-ssl-in-windows-2012-part-1.html
- Open Server Manager
- Add roles and features
- Role-based or feature-based installation
- Tick "Active Directory Certificate Services" and required services
- Nothing to add in "Select features" page, so "Next" twice
- In Select role services, select "Certification Authority"
- In Confirm installation selections, tick "Restart the destination server ..."
- Install! and close
- In Server Manager, in the top right, should see the flag with a warning icon
- Click this, and select "Post-deployment Configuration", or click "AD CS"
- Click on "Configure Active Directory Certificate Services..."
- Check the credential which will be used to configure, then Next
- Tick "Certification Authority"
- Somehow can't click "Enterprise CA"
If you are not able to select "Enterprise CA", add your user to the "Enterprise Admins" group; then you will be able to select it.
- Root CA, and Next
- Create private key, Next
- Default (sha1), Next
- In the "CA Name" page, review the settings, then Next through the remaining pages until the Confirmation page.
- Click Configure
- This shouldn't take long (a few seconds), then Close.
- Reboot
Export root CA certificate (to use in truststore/browser etc.)
- Start certsrv (Certification Authority console)
- Right click the server, then Properties
- From General tab, click "View Certificate" button
- From Details tab, click "Copy to File" button
Verification:
ldapsearch -h 192.168.0.21 -D Hortonworks@hdp.localdomain -W -b 'DC=HDP,DC=LOCALDOMAIN' '(sAMAccountName=Hortonworks*)'
ldapsearch -H ldaps://192.168.0.21:636 -D Hortonworks@hdp.localdomain -W -b 'DC=HDP,DC=LOCALDOMAIN' '(sAMAccountName=Hortonworks*)'
If the second command fails with a certificate error because of the self-signed certificate, AD is at least serving on the LDAPS port.
4. Create a new container "hadoop"
ref: https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Enable%20Kerberos%20in%20Ambari%20with%20Existing%20Active%20Directory
References:
https://gist.github.com/magnetikonline/0ccdabfec58eb1929c997d22e7341e45
https://rms-digicert.ne.jp/howto/install/install_directory-ldap-2012.html
How to dump the server certificate:
openssl s_client -showcerts -connect 192.168.8.21:636
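The s_client output above only shows that LDAPS answers; a certificate error from ldapsearch does not prove the trust chain is right. The following is an added example, not from the original post: it splits the `-showcerts` chain into PEM files, keeps the last one as the root CA, and runs ldapsearch with that root pinned so the check validates the certificate. Host, port and directory values are assumptions; the post's lab values are shown in the usage comment.

```shell
#!/bin/sh
# Added example (not part of the original post): split the chain printed by
# "openssl s_client -showcerts" into PEM files, keep the last one as the root
# CA, and run ldapsearch with that root pinned so the LDAPS check validates
# the certificate instead of treating a certificate error as success.

# Split s_client output (read from stdin) into one PEM file per certificate
# under directory $1 and print the number of certificates found.
split_chain() {
    outdir="$1"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem"; inblock = 1 }
        inblock                       { print > f }
        /-----END CERTIFICATE-----/   { inblock = 0; close(f) }
        END                           { print n + 0 }
    '
}

# Fetch the chain from host:port (arguments are assumptions; the post uses
# 192.168.0.21:636) and save the last certificate as root-ca.pem. This assumes
# the server sends the full chain including the self-signed root; if it does
# not, use the root certificate exported from certsrv instead.
fetch_root_ca() {
    host="$1"; port="$2"; dir="$3"
    n=$(openssl s_client -showcerts -connect "$host:$port" </dev/null 2>/dev/null \
        | split_chain "$dir")
    [ "$n" -gt 0 ] || { echo "no certificate received from $host:$port" >&2; return 1; }
    cp "$dir/cert$n.pem" "$dir/root-ca.pem"
    # Show subject, issuer and expiry; a self-signed root has subject == issuer.
    openssl x509 -in "$dir/root-ca.pem" -noout -subject -issuer -enddate
}

# Validating LDAPS query: LDAPTLS_CACERT pins the exported root CA and
# LDAPTLS_REQCERT=demand makes ldapsearch fail on any certificate problem,
# so a clean result proves both LDAPS and the trust chain are correct.
ldaps_check() {
    host="$1"; binddn="$2"; base="$3"; cacert="$4"
    LDAPTLS_CACERT="$cacert" LDAPTLS_REQCERT=demand \
        ldapsearch -H "ldaps://$host:636" -D "$binddn" -W -b "$base" -s base '(objectClass=*)' dn
}

# Usage against the post's lab (run manually; needs network access to the DC):
#   fetch_root_ca 192.168.0.21 636 /tmp/adcs
#   ldaps_check 192.168.0.21 Hortonworks@hdp.localdomain 'DC=HDP,DC=LOCALDOMAIN' /tmp/adcs/root-ca.pem
```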