I am currently working on a cluster; I have set up the configuration such that the users and groups are managed via LDAP. However, when I try to give an LDAP user or group permissions on the cluster with /opt/mapr/bin/maprcli acl edit -type cluster -[user|group] <user>:fcit, it returns with an error stating that they do not exist. Doesn't MapR use PAM? Any suggestions?
So, after a reinstall, and setup exactly like before. It began to work. I really wish I knew what the problem was, but as for now it is resolved.

That can be very frustrating. Similarly frustrating is that we have been unable to replicate the problem internally. Do let us know if you figure out the config-fu that you accidentally applied to fix things. It would be good if others could benefit from your experience.
(04 Aug '11, 08:01)
TedDunning ♦♦
I wish I could give you more details. I actually rebuilt the node that had the CLDB on it (not as fun as one would think), and afterwards it worked. The only difference is that I had started configuring for LDAP after I had the first 3 nodes up. The LDAP server was the same, and the configuration for talking to LDAP was the same. I am really just stumped but content for now. However, if anyone has the same issue, it would be interesting to hear their experience.
(04 Aug '11, 10:39)
Andrew Wells
MapR does use PAM. For more info look at PAM Configuration in our docs. Do you have the LDAP configuration set up correctly in your /etc/pam.d/sudo file?

I believe this is correctly configured.

    #/etc/pam.d/sudo
    ...
    auth include system-auth
    ...

and in system-auth

    #/etc/pam.d/system-auth
    ...
    auth sufficient pam_ldap.so use_first_pass
    ...
(21 Jul '11, 05:51)
Andrew Wells
What is the operating system? There was a RedHat bug a bit back with some of the PAM stuff that might apply.
(21 Jul '11, 08:14)
TedDunning ♦♦
It's CentOS 5.6. Do you know more details about this bug?
(21 Jul '11, 08:31)
Andrew Wells
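
The include chain quoted in the comment above (/etc/pam.d/sudo pulling in system-auth, which lists pam_ldap.so) can be checked mechanically rather than by eye. This is an added example, not code from the thread or from MapR; the function name pam_stack_has and the sample files are constructed for illustration, and Debian-style @include lines are not handled.

```sh
#!/bin/sh
# Added example: does MODULE appear in the WANT stack (auth, account, ...)
# of a PAM service, following "include"/"substack" lines the way
# /etc/pam.d/sudo pulls in system-auth?
# usage: pam_stack_has DIR SERVICE WANT MODULE   (exit status 0 = found)
pam_stack_has() {
    dir=$1; todo=$2; want=$3; module=$4; seen=""
    while [ -n "$todo" ]; do
        set -- $todo; svc=$1; shift; todo="$*"
        case " $seen " in *" $svc "*) continue ;; esac   # include-loop guard
        seen="$seen $svc"
        [ -r "$dir/$svc" ] || continue
        while read -r t control target rest; do
            case $t in ''|'#'*) continue ;; esac          # blank or comment
            [ "${t#-}" = "$want" ] || continue            # "-auth" == "auth"
            case $control in
                '['*)   # bracketed control, e.g. [success=1 default=ignore]
                    line="$control $target $rest"; line=${line#*"]"}
                    set -- $line; target=$1 ;;
                include|substack)
                    todo="${todo:+$todo }$target"; continue ;;
            esac
            if [ "${target##*/}" = "$module" ]; then return 0; fi
        done < "$dir/$svc"
    done
    return 1
}

# Constructed sample mirroring the two files quoted in the thread.
demo=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' 'auth include system-auth' > "$demo/sudo"
printf '%s\n' 'auth required pam_env.so' \
    'auth sufficient pam_ldap.so use_first_pass' > "$demo/system-auth"
for ty in auth account; do
    if pam_stack_has "$demo" sudo "$ty" pam_ldap.so
    then echo "sudo $ty stack: pam_ldap.so present"
    else echo "sudo $ty stack: pam_ldap.so missing"
    fi
done
```

On a real node the first argument would be /etc/pam.d; a "missing" result for a stack shows that the service never reaches pam_ldap.so for that management group.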
MapR does use PAM. It works great if things are set up correctly but PAM can be a bit ticklish to get right. Starting at the beginning, which kind of LDAP are you using? Have you confirmed that the user and/or group exists in PAM? Have you checked on the local machine to see if PAM sees the user? Is ldap.conf all there? Is the box configured to use PAM as an authorization? If so, does Sorry to ask basic questions, but the simple things are most often the problem with this side of things.
(21 Jul '11, 05:58)
Andrew Wells
Just checking, but when you say -[user|group], you really mean that you insert either user or group, right? Likewise, <user> will be replaced by the name of a user? Just asking on the rare chance that my understanding of what you did is incorrect. It is clear that you know your chops, but cross-checking is always good.