This is documentation for MapR Version 5.0. You can also refer to MapR documentation for the latest release.

Skip to end of metadata
Go to start of metadata

MapR uses Pluggable Authentication Modules (PAM) for password verification in a variety of places. Make sure PAM is installed and configured on the node running the mapr-webserveror other components that will use PAM to verify passwords.

There are typically several PAM modules (profiles), configurable via configuration files in the /etc/pam.d/ directory. Any component verifying user passwords tries the following three profiles in order:

  1. sudo (/etc/pam.d/sudo)
  2. sshd (/etc/pam.d/sshd)
  3. mapr-admin (If you have created the /etc/pam.d/mapr-admin profile and the component checks beyond the first two profiles.)

The profile configuration file (for example, /etc/pam.d/sudo) should contain an entry corresponding to the authentication scheme used by your system. For example, if you are using the simplest form of local OS authentication, check for an entry similar to the following - consult with your Unix system administrator if you are uncertain:

Configuring PAM to Use LDAP

To configure PAM with LDAP:

  1. Verify that each MapR user ID has the auxiliary schema posixAccount.
  2. Verify that each group ID has the auxiliary schema posixGroup.
  3. Install the appropriate PAM packages:
    • On Ubuntu, sudo apt-get install libpam-ldapd
    • On Redhat/Centos, sudo yum install pam_ldap

Configuring PAM to Use Kerberos

To configure PAM with Kerberos:

  1. Install the krb5 packages and configure the Kerberos client as per the configuration for your environment.
  2. Install the appropriate PAM packages:
    • On Redhat/Centos, sudo yum install pam_krb5
    • On Ubuntu, sudo apt-get install -krb5

Creating a Custom mapr-admin Profile for PAM

If you wish to ensure that MapR uses a MapR-unique PAM configuration, you can:

  • Leave the /etc/pam.d/sudo file as is - MapR strongly recommends against manually editing the /etc/pam.d/sudo file.

  • Create your own PAM profile in /etc/pam.d, naming it mapr-admin 

  • Manually edit mapr.login.conf and other ecosystem component configuration files to use mapr-admin only.

Example /etc/pam.d/mapr-admin File

Below are some simple examples of what might work in the PAM profile you choose to edit in mapr-admin, or in another PAM profile, in close consultation with your Linux administrator.

The following sections provide information about configuring PAM to work with LDAP or Kerberos.

Icon

The file /etc/pam.d/sudo should be modified only with care and only when absolutely necessary.

Component-Specific PAM Configurations

Some ecosystem components have unique requirements that require setup of a component-specific PAM configuration. See the Ecosystem Guide section for the component.

  • No labels