How to integrate Ambari with ldap

Category : Ambari

By default, Ambari uses an internal database as the user store for authentication and authorization. If you want Ambari Web to also authenticate users against an external LDAP directory (for example Active Directory) in addition to the local accounts, a number of LDAP properties have to be set in the Ambari properties file; the ambari-server setup-ldap command used below prompts for each of them and writes them for you.

  1. Collect the following information. The values below are for Active Directory; an OpenLDAP directory with posixAccount/posixGroup entries typically uses uid, posixAccount, posixGroup and memberUid in place of sAMAccountName, user, group and memberOf:
  • ldap.primaryUrl=<ldap_server_name>:389
  • ldap.useSSL=false (with this setting the manager bind password and every user's login password cross the network in cleartext; set ldap.useSSL=true and port 636 wherever the directory offers LDAPS)
  • ldap.usernameAttribute=sAMAccountName
  • ldap.baseDn=cn=Users,dc=<domain>,dc=com
  • ldap.bindAnonymously=false
  • ldap.managerDn=cn=ambari,cn=Users,dc=<domain>,dc=com (a dedicated service account that only needs read access to the base DN)
  • ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat (the path of the file that holds the password, not the password itself)
  • ldap.userObjectClass=user
  • ldap.groupObjectClass=group
  • ldap.groupMembershipAttr=memberOf
  • ldap.groupNamingAttr=cn
  • ldap.referral=ignore
  • ldap.isConfigured=true
  • security=ldap
  • ldap.dnAttribute=dn
  2. Create the file ldap-password.dat under /etc/ambari-server/conf containing the manager account's LDAP password, and restrict it so that only the user the Ambari server runs as can read it:

[root@m1 ~]# vi /etc/ambari-server/conf/ldap-password.dat

  3. Run the Ambari LDAP integration command on the Ambari server and provide the information collected above when prompted:

[root@m1 ~]# ambari-server setup-ldap

  4. Once it is done, restart the Ambari server:

[root@m1 ~]# ambari-server restart

  5. Ambari does not import LDAP users into its own user store automatically, so create a file users.txt in the home directory (containing the Active Directory account names, i.e. the sAMAccountName values, of the users to enable) and run the sync command manually. ambari-server sync-ldap --all would instead import every user and group the object-class filters match; --users keeps the first import limited to the accounts you list:

[root@m1 ~]# vi users.txt

[root@m1 ~]# sudo /usr/sbin/ambari-server sync-ldap --users /root/users.txt
Using python /usr/bin/python2
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing specified users and groups....

Completed LDAP Sync.
Summary:
memberships:
removed = 0
created = 0
users:
updated = 0
removed = 0
created = 1
groups:
updated = 0
removed = 0
created = 0

Ambari Server 'sync-ldap' completed successfully.

The summary confirms the result: created = 1 under users means the single account listed in users.txt was imported.

Once the sync has completed, the imported users initially have only User privileges: they can read metrics, view service status and configuration, and browse job information. Grant the Ambari Admin privilege afterwards, and only to the accounts that need it.
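The steps above folded into a pre-flight script. This is an added example written for this page, not code from the original post or from the Ambari project: it creates the manager-password file from step 2 with owner-only permissions, builds the LDAP URL and the user lookup filter that the step 1 settings produce, and does a test bind with ldapsearch before you run ambari-server setup-ldap. The hostname, the domain components, the example account and the presence of ldapsearch (openldap-clients) are assumptions.

```bash
#!/bin/bash
# Pre-flight checks before `ambari-server setup-ldap`. Added example, not code from the
# original post or from Ambari. Assumes ldapsearch (openldap-clients) is installed and
# that the values below mirror what was collected in step 1; host and domain are
# placeholders.
set -u

LDAP_HOST="ldap.example.com"                          # assumed; page uses <ldap_server_name>
LDAP_PORT="389"
LDAP_USE_SSL="false"                                  # set to true with port 636 for LDAPS
LDAP_BASE_DN="cn=Users,dc=example,dc=com"             # assumed domain
LDAP_MANAGER_DN="cn=ambari,cn=Users,dc=example,dc=com"
PASSWORD_FILE="/etc/ambari-server/conf/ldap-password.dat"

# URL Ambari will connect to. ldap:// on 389 carries the manager bind and every
# user's login password in cleartext, so ldap.useSSL=true should be the default choice.
ldap_url() {
    local use_ssl="$1" host="$2" port="$3"
    if [ "$use_ssl" = "true" ]; then
        printf 'ldaps://%s:%s' "$host" "$port"
    else
        printf 'ldap://%s:%s' "$host" "$port"
    fi
}

# Filter of the form (&(objectClass=<userObjectClass>)(<usernameAttribute>=<login>)),
# with the RFC 4515 metacharacters \ * ( ) escaped so a crafted login cannot rewrite it.
user_filter() {
    local object_class="$1" attr="$2" login="$3" escaped
    escaped=$(printf '%s' "$login" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g')
    printf '(&(objectClass=%s)(%s=%s))' "$object_class" "$attr" "$escaped"
}

# Create the password file with a restrictive umask instead of editing it with vi and
# fixing permissions afterwards. No trailing newline: ldapsearch -y uses the file
# contents verbatim, and a newline would become part of the password.
write_password_file() {
    local file="$1" password="$2"
    ( umask 077 && printf '%s' "$password" > "$file" )
}

# The file must exist, be non-empty and be readable only by its owner.
check_password_file() {
    local file="$1" mode
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }
    mode=$(stat -c '%a' "$file") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$file has mode $mode; run: chmod 600 $file" >&2; return 1 ;;
    esac
}

# Bind as the manager DN and look up one account the way Ambari will, so a wrong DN,
# password file or base DN shows up here rather than as a failed setup-ldap or sync-ldap.
preflight_bind() {
    local login="$1" url filter
    url=$(ldap_url "$LDAP_USE_SSL" "$LDAP_HOST" "$LDAP_PORT")
    filter=$(user_filter user sAMAccountName "$login")
    ldapsearch -x -LLL -H "$url" -D "$LDAP_MANAGER_DN" -y "$PASSWORD_FILE" \
        -b "$LDAP_BASE_DN" "$filter" dn
}

# Usage: ./ldap-preflight.sh --check <sAMAccountName>
# Only runs when asked, so the functions above can be sourced without a directory present.
if [ "${1:-}" = "--check" ]; then
    check_password_file "$PASSWORD_FILE" && preflight_bind "${2:?login required}"
fi
```

Run it as ./ldap-preflight.sh --check <sAMAccountName> after the password file is in place; if the bind or the search fails here, fix the manager DN, the password file or the base DN before running setup-ldap, since a failed sync-ldap reports little more than a generic error. The filter escaping is included because the login name ends up inside an LDAP search filter, and the script shows exactly what a name containing *, ( or ) turns into.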


2 Comments

kakeuh fosso sidoine

September 8, 2017 at 9:24 am

hello,

thanks for your tutorial.
I'm looking for a way to integrate an LDAP server with the Hortonworks sandbox Ambari (HDP 2.5) and ambari-server --version 2.4.0.0-1225.
I have tried twice to run "ambari-server setup-ldap" and "ambari-server sync-ldap --all", but I keep getting error 403 at the beginning of the LDAP sync.
When this error comes up, I am no longer able to log into the Ambari UI with my Ambari credentials (admin/password), even after resetting my password with "ambari-admin-password-reset".
But what I have observed so far is that I can log in with the "maria_dev/maria_dev" credentials and also with some new user I added during the LDAP server setup.
I was wondering if this could be a password migration tool that is doing the wrong password migration?
I have checked the user "admin" in my LDAP database, and I can observe that it is not encrypted in the same way as users like maria_dev or raj_ops!! (see below):
Can this cause trouble during my ambari-server and LDAP synchronization? Or is it due to my ambari-server LDAP setup settings?

==> MARIA_DEV INFORMATIONS
[root@sandbox ~]# ldapsearch -x cn=maria_dev -b dc=hortonworks,dc=com
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: cn=maria_dev
# requesting: ALL
#

# maria_dev, People, hortonworks.com
dn: uid=maria_dev,ou=People,dc=hortonworks,dc=com
uid: maria_dev
cn: maria_dev
sn: maria_dev
mail: maria_dev@hortonworks.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JC94YTFDb0dTMnAvOC4yRCQ3MDkuL1pYRHpnV01vVGIzeWdnNnd
HNUNuM2ZXck82QTBzUGhOZzVFZEpodjF2LmRTQnBEelJUMHpPaFBUdmxZSzhGU3NVZEppS1M2QUFo
OXpqLld1MQ==
shadowLastChange: 17099
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1023
gidNumber: 1023
homeDirectory: /home/maria_dev

# maria_dev, Group, hortonworks.com
dn: cn=maria_dev,ou=Group,dc=hortonworks,dc=com
objectClass: posixGroup
objectClass: top
cn: maria_dev
userPassword:: e2NyeXB0fXg=
gidNumber: 1023

=======> ADMIN INFORMATION:
[root@sandbox ~]# ldapsearch -x cn=admin -b dc=hortonworks,dc=com
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: cn=admin
# requesting: ALL
#

# admin, People, hortonworks.com
dn: uid=admin,ou=People,dc=hortonworks,dc=com
uid: admin
cn: admin
sn: admin
mail: admin@hortonworks.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSEh
shadowLastChange: 17099
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/admin

# admin, Group, hortonworks.com
dn: cn=admin,ou=Group,dc=hortonworks,dc=com
objectClass: posixGroup
objectClass: top
cn: admin
userPassword:: e2NyeXB0fXg=
gidNumber: 1005

# search result
search: 2
result: 0 Success

thanks a lot for your help.

regards.

sidoine.

    admin

    September 8, 2017 at 11:32 am

    Hello,

    Thanks for the feedback.
    After looking at your problem it seems there is a deny from the LDAP or AD server when you are configuring. But I can confirm more after seeing the full error, so can you attach the full error log?

    And you are also not able to log in with the local admin account because there would be an admin user in the LDAP server as well. So if you want the local admin account to work then you have to reset the admin user.

    Please run the following query and update if it is set to 1.
    use ambari;
    select * from users where user_name='admin';
    update users set ldap_user=0 where user_name='admin';

    Please feel free to reach out to us in case of any further assistance.
