question Re: Ambari LDAP API not working > 2.4.2 in Support Questions

Ambari LDAP API not working > 2.4.2

smasoud — Wed, 22 Mar 2017 21:48:18 GMT

My Ambari server (RedHat 7.3) is listening on ::1 (IPv6), and when I run 'ambari-server sync-ldap', it tries to make a request to 127.0.0.1, which results in a 'Connection refused':

[ec2-user@ip-192-168-12-67 ~]$ sudo ambari-server sync-ldap --all -v 

Using python  /usr/bin/python
Syncing with LDAP... 

INFO: about to run command: ps -p 11579
INFO: Loading properties from /etc/ambari-server/conf/ambari.properties .......Syncing all.
Calling API https://127.0.0.1:8443/api/v1/ldap_sync_events : [{'Event': {'specs': [{'principal_type': 'users', 'sync_type': 'all'}, {'principal_type': 'groups', 'sync_type': 'all'}]}}]
ERROR: Exiting with exit code 1.
REASON: Sync event creation failed. Error details: <urlopen error [Errno 111] Connection refused>

When I attempt to manually curl the service (https://cwiki.apache.org/confluence/display/AMBARI/API+to+sync+LDAP+users) via localhost instead of 127.0.0.1, I get a 500 error:

[ec2-user@ip-192-168-12-67 ~]$ curl -i -u<redacted> -H 'X-Requested-By: ambari' -X POST -d '"[{"Event":{"specs":[{"principal_type":"users","sync_type":"all"},{"principal_type":"groups","sync_type":"all"}]}}]' https://localhost:8443/api/v1/ldap-sync-events -k HTTP/1.1 500 Server Error
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Type: text/plain;charset=ISO-8859-1
Content-Length: 48
Server: Jetty(8.1.19.v20160209)
{
  "status": 500,
  "message": "Server Error"

Tailing the log:

[ec2-user@ip-192-168-12-67 ~]$tail -30 /var/log/ambari-server/ambari-server.log

22 Mar 2017 10:30:55,779  WARN [ambari-client-thread-24] ServletHandler:561 - Error Processing URI: /api/v1/ldap-sync-events - (org.springframework.ldap.BadLdapGrammarException) Failed to parse DN; nested exception is org.springframework.ldap.core.ParseException: Encountered "<EOF>" at line 1, column 2.
Was expecting:
    <SPACED_EQUALS> ...

Is there any way to either have the 'sync-ldap' command send the request to localhost instead of 127.0.0.1, or is there something wrong with my manual curl request?

Re: Ambari LDAP API not working > 2.4.2

jsensharma — Wed, 22 Mar 2017 23:05:18 GMT

@Said Masoud

Please check if the LDAP service is running or not? Because you are getting "<urlopen error [Errno 111] Connection refused>" If the LDAP is not running then you can start it. For OpenLDap something like following:

# service slapd start

- Please check if the "authentication.ldap.primaryUrl" host& port mentioned in the following properly of the ambari.properties are accessible from ambari host or not?

Example:

# cat /etc/ambari-server/conf/ambari.properties | grep 'authentication.ldap.primaryUrl'
authentication.ldap.primaryUrl=erie1.example.com:389

# telnet  erie1.example.com  389

- Also in your curl command you have an extra Quotation mark here [-d '"[{"Event"] where as it should be [-d '[{"Event"] example as following:

curl -k -i -u admin:admin -H 'X-Requested-By: ambari' -X POST -d '[{"Event":{"specs":[{"principal_type":"users","sync_type":"all"},{"principal_type":"groups","sync_type":"all"}]}}]' https://127.0.0.1:8443/api/v1/ldap_sync_events

- In your ambari-server.log there is some error related to DN as following so can you please share the output of the following command (if possible can you please share ambari-server.log and ambari.properties)

# cat /etc/ambari-server/conf/ambari.properties | grep ldap

Example output:
----------------
#  cat /etc/ambari-server/conf/ambari.properties | grep ldap
ambari.ldap.isConfigured=true
authentication.ldap.baseDn=dc=example,dc=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=dn
authentication.ldap.groupMembershipAttr=memberUid
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=posixGroup
authentication.ldap.managerDn=cn=Manager,dc=example,dc=com
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=erie1.example.com:389
authentication.ldap.referral=ignore
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=posixAccount
authentication.ldap.usernameAttribute=uid
client.security=ldap

Error

Failed to parse DN; nested exception is org.springframework.ldap.core.ParseException: Encountered "<EOF>" at line 1, column 2.

Re: Ambari LDAP API not working > 2.4.2

smasoud — Wed, 22 Mar 2017 23:43:25 GMT

Hello @Jay SenSharma,

Thanks for replying. I am using ActiveDirectory on Windows Server 2012 R2, and I confirmed it's running by using telnet from my RedHat box. I used the corrected curl command you posted, and the result is the same.

[ec2-user@ip-192-168-12-67 ~]$ curl -k -i -u <redacted> -H 'X-Requested-By: ambari' -X POST -d '[{"Event":{"specs":[{"principal_type":"users","sync_type":"all"},{"principal_type":"groups","sync_type":"all"}]}}]' https://localhost:8443/api/v1/ldap_sync_events
HTTP/1.1 500 Server Error
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Type: text/plain;charset=ISO-8859-1
Content-Length: 48
Server: Jetty(8.1.19.v20160209)
{
  "status": 500,
  "message": "Server Error"
}

ambari.properties:

[ec2-user@ip-192-168-12-67 ~]$ cat /etc/ambari-server/conf/ambari.properties | grep ldap
ambari.ldap.isConfigured=true
authentication.ldap.baseDn=dc
authentication.ldap.bindAnonymously=true
authentication.ldap.dnAttribute=cn
authentication.ldap.groupMembershipAttr=member
authentication.ldap.groupNamingAttr=name
authentication.ldap.groupObjectClass=group
authentication.ldap.primaryUrl=<redacted>:389
authentication.ldap.referral=ignore
authentication.ldap.secondaryUrl=<redacted>:389
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=user
authentication.ldap.usernameAttribute=name
client.security=ldap

ambari-server.log:

22 Mar 2017 12:34:38,591  WARN [ambari-client-thread-24] ServletHandler:561 - Error Processing URI: /api/v1/ldap_sync_events - (org.springframework.ldap.BadLdapGrammarException) Failed to parse DN; nested exception is org.springframework.ldap.core.ParseException: Encountered "<EOF>" at line 1, column 2.
Was expecting:
    <SPACED_EQUALS> ...

Re: Ambari LDAP API not working > 2.4.2

jsensharma — Thu, 23 Mar 2017 00:18:53 GMT

@Said Masoud

Your BaseDn is too open. Are you sure that is what you want.

authentication.ldap.baseDn=dc      
   ---->   can it be authentication.ldap.baseDn=dc=example,dc=com

The error "org.springframework.ldap.BadLdapGrammarException" indicates that incorrect value is specified as LDAP attributes. See: http://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/BadLdapGrammarException.html

Re: Ambari LDAP API not working > 2.4.2

smasoud — Thu, 23 Mar 2017 00:40:38 GMT

@Jay SenSharma

I changed the baseDn peoperty to match the example you gave me, still getting the same error.

Has Ambari been confirmed to work with Windows Server 2012? I am concerned that it cannot interface with a newer version of Windows.

Re: Ambari LDAP API not working > 2.4.2

VR46 — Fri, 24 Mar 2017 00:57:28 GMT

@Said Masoud

Ambari does work with Windows Server 2012 and we have done that multiple times in past.

If you are using Windows Server 2012 with Ambari for user sync, then you are not using the correct AD user attribute name and also trying to bind anonymously. Please use a correct bind DN and password to successfully bind to AD server.

Your properties should look like these (Similar to what @Jay SenSharma has given but with correct AD user attribute name):

authentication.ldap.baseDn=ou=Users,ou=corporate,dc=example,dc=com (this should NOT be a top level DC of your AD)
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=distinguishedName
authentication.ldap.groupMembershipAttr=member
authentication.ldap.groupNamingAttr=name
authentication.ldap.groupObjectClass=group
authentication.ldap.primaryUrl=<redacted>:389
authentication.ldap.referral=ignore
authentication.ldap.secondaryUrl=<redacted>:389
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=user
authentication.ldap.usernameAttribute=sAMAccountName
authentication.ldap.managerDn=cn=bind-user,ou=Users,ou=corporate,dc=example,dc=com
authentication.ldap.managerPassword=...

A better way to set this up is via 'setup-ldap' command (which also takes care of hiding the bind DN's password) like this:

# ambari-server setup-ldap \
  --ldap-url=<ad-host-fqdn>:389 \
  --ldap-secondary-url= \
  --ldap-ssl=false \
  --ldap-base-dn=ou=Users,ou=corporate,dc=example,dc=com \
  --ldap-manager-dn=cn=bind-user,ou=Users,ou=corporate,dc=example,dc=com \
  --ldap-bind-anonym=false \
  --ldap-dn=distinguishedName \
  --ldap-member-attr=member \
  --ldap-group-attr=cn \
  --ldap-group-class=group \
  --ldap-user-class=user \
  --ldap-user-attr=sAMAccountName \
  --ldap-save-settings \
  --ldap-bind-anonym=false \
  --ldap-referral=ignore

Hope this helps !

Re: Ambari LDAP API not working > 2.4.2

smasoud — Fri, 24 Mar 2017 03:12:25 GMT

@Vipin Rathor

Thank you! Binding with a manager as a user seems to have resolved the previous issue and allowed me to establish a proper connection to Windows, but now I cannot seem to form the proper curl command to sync the users. I believe the way I am feeding the username/password combination is incorrect. This is the command I'm using and the result:

[ec2-user@ip-192-168-12-67 ~]$ curl -k -i -u '<user>:<password>' -H 'X-Requested-By: ambari' -X POST -d '[{"Event":{"specs":[{"principal_type":"users","sync_type":"all"},{"principal_type":"groups","sync_type":"all"}]}}]' <a href="https://localhost:8443/api/v1/ldap_sync_events">https://localhost:8443/api/v1/ldap_sync_events</a>
HTTP/1.1 403 Unable to sign in. Invalid username/password combination.
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Type: text/plain;charset=ISO-8859-1
Content-Length: 93
Server: Jetty(8.1.19.v20160209)
{
  "status": 403,
  "message": "Unable to sign in. Invalid username/password combination."
}

ambari-server.log:

23 Mar 2017 16:08:40,244  INFO [ambari-client-thread-25] FilterBasedLdapUserSearch:89 - SearchBase not set. Searches will be performed from the root: cn=Users,dc=<redacted>,dc=local
23 Mar 2017 16:09:20,619 ERROR [ambari-client-thread-28] AmbariLdapAuthoritiesPopulator:71 - Can't get authorities for user <user>, he is not present in local DB

UPDATE: it appears that the original admin user i created in Ambari UI is no longer in the users table (PostgreSQL database). How can I manually add the user back into the database?

Re: Ambari LDAP API not working > 2.4.2

VR46 — Fri, 24 Mar 2017 06:45:47 GMT

Hello @Said Masoud,

I don't understand why you are trying to sync using REST API & curl. I'd rather use 'ambari-server sync-ldap -all -v' to sync all the users and groups. I don't know how to make this curl call work, can you please try this command & let us know.

Hope this helps !

Re: Ambari LDAP API not working > 2.4.2

smasoud — Fri, 24 Mar 2017 21:29:04 GMT

@Vipin Rathor

I cannot use the ambari-server command because that command makes a request to 127.0.0.1 (IPv4), which fails because the ambari-server is binding to ::1 (IPv6):

[ec2-user@ip-192-168-12-67 ~]$ sudo ambari-server sync-ldap --all -v
Using python  /usr/bin/python
Syncing with LDAP...
INFO: about to run command: ps -p 22683
INFO: Loading properties from /etc/ambari-server/conf/ambari.properties
Enter Ambari Admin login: <user>
Enter Ambari Admin password:
Syncing all.
Calling API https://127.0.0.1:8443/api/v1/ldap_sync_events : [{'Event': {'specs': [{'principal_type': 'users', 'sync_type': 'all'}, {'principal_type': 'groups', 'sync_type': 'all'}]}}]
ERROR: Exiting with exit code 1.
REASON: Sync event creation failed. Error details: <urlopen error [Errno 111] Connection refused>
[ec2-user@ip-192-168-12-67 ~]$ sudo curl -k -i -u '<redacted>' -H 'X-Requested-By: ambari' -X POST -d '[{"Event":{"specs":[{"principal_type":"users","sync_type":"all"},{"principal_type":"groups","sync_type":"all"}]}}]' https://localhost:8443/api/v1/ldap_sync_events
HTTP/1.1 403 Unable to sign in. Invalid username/password combination.
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Type: text/plain;charset=ISO-8859-1
Content-Length: 93
Server: Jetty(8.1.19.v20160209)
{
  "status": 403,
  "message": "Unable to sign in. Invalid username/password combination."
}

ambari-server.log:

24 Mar 2017 10:25:40,841 ERROR [ambari-client-thread-28] AmbariLdapAuthoritiesPopulator:71 - Can't get authorities for user ambari, he is not present in local DB

I believe the current issue I am experiencing is the Ambari credentials are not in the 'users' table in PostgreSQL. Is there a way I can add those credentials to the table manually?

Re: Ambari LDAP API not working > 2.4.2

smasoud — Tue, 28 Mar 2017 19:58:19 GMT

UPDATE: I ended up rebuilding a new Ambari server and database from scratch, and running the 'sync-ldap' command using the default credentials (admin:admin). I think changing the default credentials before syncing the LDAP users causes the sync to fail, will try to raise an issue about this in Github. Thanks @Jay SenSharma and @Vipin Rathor for your help! I used your suggestions when I rebuilt Ambari and they were very helpful!