In E-MapReduce (EMR) V3.22.0 and later, OpenLDAP is enabled by default. EMR allows you to integrate Knox with OpenLDAP and use OpenLDAP to manage users.

Prerequisites

An EMR cluster is created. For more information, see Create a cluster.

View node information

  1. Log on to the Alibaba Cloud EMR console by using your Alibaba Cloud account.
  2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
  3. Click the Cluster Management tab.
  4. Find the cluster whose node information you want to view and click Details in the Actions column.
  5. In the left-side navigation pane, choose Cluster Service > OpenLDAP.
  6. Click the Component Deployment tab.
    OpenLDAP is deployed on the master node. You can view the node information on the Component Deployment tab. For a high-availability cluster, OpenLDAP is deployed on two master nodes to ensure high availability.

Manage LDAP users

  • Method 1: Manage the LDAP users of a cluster in the EMR console.

    On the Users page, you can add LDAP users to or remove LDAP users from your cluster. For more information, see Manage user accounts.

  • Method 2: Manage LDAP users of a cluster by running an LDAP command.
    For example, you can perform the following steps to add an LDAP user whose UID is arch and password is 12345678.
    1. Log on to your cluster in SSH mode. For more information, see Connect to the master node of an EMR cluster in SSH mode.
    2. Create a file named arch.ldif and add the following content to the file:
      dn: uid=arch,ou=people,o=emr
      cn: arch
      sn: arch
      objectClass: inetOrgPerson
      userPassword: 12345678
      uid: arch
    3. Run the following command to add the LDAP user:
      ldapadd -H ldap://emr-header-1:10389 -f arch.ldif -D "${uid}" -w ${rootDnPW}
      Note
      • ${uid}: Replace ${uid} with the value of the manager_dn parameter. You can obtain the value from the Configure tab of the OpenLDAP service page in the EMR console.
      • ${rootDnPW}: Replace ${rootDnPW} with the value of the manager_password parameter. You can obtain the value from the Configure tab of the OpenLDAP service page in the EMR console.
      • 10389: the listening port of the OpenLDAP service.
      The following figure shows how to obtain the values of the manager_dn and manager_password parameters on the Configure tab of the OpenLDAP service page in the EMR console.
    4. Optional: Run the following command to view the information about the added OpenLDAP user:
      ldapsearch -w ${rootDnPW} -D "${uid}" -H ldap://emr-header-1:10389 -b uid=arch,ou=people,o=emr
      You can run the following command to remove the added LDAP user:
      ldapdelete -x -D "${uid}" -w ${rootDnPW} -r uid=arch,ou=people,o=emr -H ldap://emr-header-1:10389
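
Step 2 of Method 2 writes the password into arch.ldif as clear text. The following added example (not part of the original EMR documentation) renders the same entry with a salted {SSHA} hash in userPassword. It assumes the directory server accepts {SSHA} values, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"


def ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1 in the {SSHA} layout: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Recompute the digest with the salt embedded in the stored value."""
    if not stored.startswith(SCHEME):
        return False
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def build_ldif(uid: str, password: str, base: str = "ou=people,o=emr") -> str:
    """Render the page's inetOrgPerson entry with a hashed userPassword."""
    # Restrict uid so it cannot smuggle DN separators or extra LDIF lines.
    if not uid.isascii() or not uid.isalnum():
        raise ValueError("uid must be ASCII letters and digits only")
    return "\n".join([
        f"dn: uid={uid},{base}",
        f"cn: {uid}",
        f"sn: {uid}",
        "objectClass: inetOrgPerson",
        f"userPassword: {ssha(password)}",
        f"uid: {uid}",
    ]) + "\n"


if __name__ == "__main__":
    # Constructed sample: the uid and password used in the steps above.
    print(build_ldif("arch", "12345678"), end="")
```

Save the output as arch.ldif in step 2; the ldapadd command in step 3 is unchanged.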