question Re: Sync ldap problem in Support Questions

Sync ldap problem

Shelton — Fri, 16 Sep 2022 11:30:06 GMT

I have a very Bizarre situation while running sync-ldap for Ambari The group does exist in the LDAP but I get an exception ! The contents of the groups.txt is hadoop_administrators

# ambari-server sync-ldap --users users.txt --groups groups.txt 21 Apr 2017 13:38:12,563 ERROR [pool-16-thread-6] LdapSyncEventResourceProvider:457 - Caught exception running LDAP sync.
org.apache.ambari.server.AmbariException: Couldn't sync LDAP group hadoop_administrators,it doesn't exist
at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.synchronizeLdapGroups(AmbariLdapDataPopulator.java:253)
at org.apache.ambari.server.controller.AmbariManagementControllerImpl.synchronizeLdapUsersAndGroups(AmbariManagementControllerImpl.java:4775)
at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.syncLdap(LdapSyncEventResourceProvider.java:487)
at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.processSyncEvents(LdapSyncEventResourceProvider.java:445)
at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.access$000(LdapSyncEventResourceProvider.java:65)
at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider$1.run(LdapSyncEventResourceProvider.java:257)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

Here is my ambari.properties

authentication.ldap.alternateUserSearchEnabled=true
authentication.ldap.alternateUserSearchFilter=(&(userPrincipalName={0})(objectClass=person))
authentication.ldap.baseDn=OU=Users,OU=Enterprise,DC=hq,DC=uk,DC=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=distinguishedName
authentication.ldap.groupMembershipAttr=member
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=group
authentication.ldap.managerDn=cn=svc-hadoop-ldap,OU=Data Lake,OU=Applications,OU=Administrative,DC=hq,DC=uk,DC=com
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=mboro:389
authentication.ldap.referral=ignore
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=person
authentication.ldap.usernameAttribute=sAMAccountName

Attached is a screenshot of my AD explorer

CN=svc-hadoop-ldap,OU=Data Lake,OU=Applications,OU=Administrative,DC=hq,DC=k,DC=grp

I have only 4 users in the LDAP group hadoop_administrators,these users were synced correctly but the process couldn't pull the group.

I appreciate any help.

Re: Sync ldap problem

VR46 — Sat, 22 Apr 2017 04:58:10 GMT

Hello @Geoffrey Shelton Okot,

Thanks for attaching the screenshot and the configuration snippet. From the Ambari configuration, the LDAP base is set to "OU=Users,OU=Enterprise,DC=hq,DC=uk,DC=com". So all the users and groups will be looked inside this.

From the attached screenshot, it seems like the group 'hadoop_administrators' exist outside 'OU=Users...". Please change the baseDn in Ambari configuration to a common branch from where you can see the users and groups both. That should fix this issue and your group will be found.

In case, a top level baseDn is giving you too many results that you don't want, you can filter them by using the correct searchFilters.

Hope this helps !

Re: Sync ldap problem

Shelton — Tue, 25 Apr 2017 02:19:17 GMT

@Vipin Rathor

Sorry to get back this late I have just had acess again and I have change my baseDn to "DC=hq,DC=uk,DC=com" but that doesn't still pull the desired group.

This is making me mad

Re: Sync ldap problem

Shelton — Wed, 26 Apr 2017 19:26:18 GMT

Hi all,

My problem has been resolved ! I had to ask the client to install a AD Explorer and figured out the correct settings and not only changed the baseDn all the group and user attributes !

authentication.ldap.baseDn=DC=hq,DC=uk,DC=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=organizationalPerson
authentication.ldap.groupMembershipAttr=member
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=group
authentication.ldap.managerDn=cn=svc-hadoop-ldap,ou=Data Lake,ou=Applications,ou=Administrative,dc=hq,dc=uk,dc=com
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=fake.uk.com:389
authentication.ldap.referral=ignore
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=organizationalPerson
authentication.ldap.usernameAttribute=sAMAccountName

This pulled out the desired users and group

ambari-server sync-ldap --groups groups.txt
Using python  /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:Syncing
specified users and groups....Completed
LDAP Sync.Summary: 
memberships: 
removed = 0 
created = 4 
users: 
updated = 0 
removed = 0 
created = 1 
groups: 
updated = 0 
removed = 0 
created = 1

Re: Sync ldap problem

sppandita85BLR — Fri, 03 Apr 2020 05:24:03 GMT

It looks like an OU issue. OU in AD and ranger should be the same for a group or a user.