question Re: Ambari LDAP Sync Issue in Support Questions

Ambari LDAP Sync Issue

rgarcia — Wed, 14 Oct 2015 08:11:37 GMT

Have a working AD and ldapsearch works from Linux node to AD machine. Trying to setup Ambari to integrate with AD using LDAP with SSl set to 'true' and getting an SSL error. See below.

[root@rgarcia-hdp23201 ~]# ambari-server setup-ldap

Using python  /usr/bin/python2.6

Setting up LDAP properties...

Primary URL* {host:port} (host:389): host:636

Secondary URL {host:port} (host:389): host:636

Use SSL* [true/false] (true): true

User object class* (user): 

User name attribute* (cn): 

Group object class* (group): 

Group name attribute* (cn): 

Group member attribute* (memberUid): 

Distinguished name attribute* (dn): 

Base DN* (OU=Rommel_Garcia_Accounts,DC=AD-HDP,DC=COM): OU=Rommel_Garcia_Accounts,DC=AD-HDP,DC=COM

Referral method [follow/ignore] (follow): 

Bind anonymously* [true/false] (false): false

Manager DN* (CN=adadmin,OU=MyUsers,DC=AD-HDP,DC=COM): CN=adadmin,OU=MyUsers,DC=AD-HDP,DC=COM

Enter Manager Password* : 

Re-enter password: 

Do you want to provide custom TrustStore for Ambari [y/n] (y)?y

TrustStore type [jks/jceks/pkcs12] (jks):jks

Path to TrustStore file (/etc/ambari-server/keys/ldaps-keystore.jks):/etc/ambari-server/keys/ldaps-keystore.jks

Password for TrustStore:

Re-enter password: 

====================

Review Settings

====================

authentication.ldap.managerDn: CN=adadmin,OU=MyUsers,DC=AD-HDP,DC=COM

authentication.ldap.managerPassword: *****

ssl.trustStore.type: jks

ssl.trustStore.path: /etc/ambari-server/keys/ldaps-keystore.jks

ssl.trustStore.password: *****

Save settings [y/n] (y)? y

Saving...done

Ambari Server 'setup-ldap' completed successfully.

You have new mail in /var/spool/mail/root

[root@rgarcia-hdp23201 ~]# ambari-server restart

Using python  /usr/bin/python2.6

Restarting ambari-server

Using python  /usr/bin/python2.6

Stopping ambari-server

Ambari Server stopped

Using python  /usr/bin/python2.6

Starting ambari-server

Ambari Server running with administrator privileges.

Organizing resource files at /var/lib/ambari-server/resources...

Server PID at: /var/run/ambari-server/ambari-server.pid

Server out at: /var/log/ambari-server/ambari-server.out

Server log at: /var/log/ambari-server/ambari-server.log

Waiting for server start....................

Ambari Server 'start' completed successfully.

[root@rgarcia-hdp23201 ~]# ambari-server sync-ldap --all

Using python  /usr/bin/python2.6

Syncing with LDAP...

Enter Ambari Admin login: admin

Enter Ambari Admin password: 

Syncing all...ERROR: Exiting with exit code 1. 

REASON: Caught exception running LDAP sync. host:636; nested exception is javax.naming.CommunicationException:
host:636 [Root exception is java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)]
[root@rgarcia-hdp23201 ~]# ambari-server sync-ldap --all
Using python /usr/bin/python2.6
Syncing with LDAP...
Enter Ambari Admin login: adadmin
Enter Ambari Admin password:
Syncing all.ERROR: Exiting with exit code 1.
REASON: Sync event creation failed. Error details: HTTP Error 403:
host:636; nested exception is javax.naming.CommunicationException:
host:636 [Root exception is java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)]

Re: Ambari LDAP Sync Issue

nsabharwal — Wed, 14 Oct 2015 08:18:03 GMT

@rgarcia@hortonworks.com

This may help. Status code 403 responses are the result of the web server being configured to deny access, for some reason, to the requested resource by the client.

[root@testhwx01 ~]# ambari-server stop
Using python  /usr/bin/python2.6
Stopping ambari-server
Ambari Server stopped
[root@testhwx01 ~]# ambari-server setup-ldap
Using python  /usr/bin/python2.6
Setting up LDAP properties...
Primary URL* {host:port} (xxxx:389):
Secondary URL {host:port} :
Use SSL* [true/false] (false):
User object class* (posixAccount): user
User name attribute* (sAMAccountName): sAMAccountName
Group object class* (group):
Group name attribute* (cn):
Group member attribute* (member):
Distinguished name attribute* (dn):
Base DN* (DC=nsabharwal,DC=com):
Referral method [follow/ignore] (follow):
Bind anonymously* [true/false] (false):
Manager DN* (CN=LDAP Access,OU=Service Accounts,DC=nsabharwal,DC=com):
Enter Manager Password* :
Re-enter password:
====================
Review Settings
====================
authentication.ldap.managerDn: CN=LDAP Access,OU=Service Accounts,DC=nsabharwal,DC=com
authentication.ldap.managerPassword: *****
Save settings [y/n] (y)?
Saving...done
Ambari Server 'setup-ldap' completed successfully.
[root@testhwx01 ~]# ambari-server start
Using python  /usr/bin/python2.6
Starting ambari-server
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources...
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start....................
Ambari Server 'start' completed successfully.
[root@testhwx01 ~]# ambari-server sync-ldap --all
Using python  /usr/bin/python2.6
Syncing with LDAP...
Enter Ambari Admin login:
Property cannot be blank.
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing all...
Completed LDAP Sync.
Summary:
  memberships:
  removed = 0
  created = 0
  users:
  updated = 1
  removed = 0
  created = 10
  groups:
  updated = 0
  removed = 0
  created = 0
Ambari Server 'sync-ldap' completed successfully.
[root@testhwx01 ~]#
Please check the port host:636

Re: Ambari LDAP Sync Issue

rgarcia — Wed, 14 Oct 2015 09:42:44 GMT

I was able to sync the LDAP users to Ambari but all of the ldap users are not able to login to Ambari UI. admin/admin local account no longer can login as well. Getting 403 Forbidden errors.

Re: Ambari LDAP Sync Issue

nsabharwal — Wed, 14 Oct 2015 16:52:56 GMT

Do you have admin user in AD?

Re: Ambari LDAP Sync Issue

gbraccialli3 — Wed, 14 Oct 2015 18:13:18 GMT

I'm having similar issues, but in my case I'm trying to sync with FreeIPA:

[root@hdp23 ambari-server]# ambari-server setup-ldap
Using python  /usr/bin/python2.6
Setting up LDAP properties...
Primary URL* {host:port} (ipa.hadoop.braccialli:389):
Secondary URL {host:port} :
Use SSL* [true/false] (false):
User object class* (posixAccount):
User name attribute* (uid):
Group object class* (posixGroup):
Group name attribute* (cn):
Group member attribute* (memberUid):
Distinguished name attribute* (dn):
Base DN* (cn=accounts,dc=hadoop,dc=braccialli):
Referral method [follow/ignore] : follow
Bind anonymously* [true/false] (false):
Manager DN* (uid=admin,cn=users,cn=accounts,dc=hadoop,dc=braccialli):
Enter Manager Password* :
Re-enter password:
====================
Review Settings
====================
authentication.ldap.managerDn: uid=admin,cn=users,cn=accounts,dc=hadoop,dc=braccialli
authentication.ldap.managerPassword: *****
Save settings [y/n] (y)? y
Saving...done
Ambari Server 'setup-ldap' completed successfully.
[root@hdp23 ambari-server]# ambari-server restart
Using python  /usr/bin/python2.6
Restarting ambari-server
Using python  /usr/bin/python2.6
Stopping ambari-server
Ambari Server stopped
Using python  /usr/bin/python2.6
Starting ambari-server
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources...
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start....................
Ambari Server 'start' completed successfully.
[root@hdp23 ambari-server]# ambari-server sync-ldap --all
Using python  /usr/bin/python2.6
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing all.ERROR: Exiting with exit code 1.
REASON: Sync event creation failed. Error details: HTTP Error 403: You do not have permissions to access this resource.


from /var/log/ambari-server/ambari-server.log I get:
14 Oct 2015 07:12:31,544  INFO [qtp-client-21] FilterBasedLdapUserSearch:89 - SearchBase not set. Searches will be performed from the root: cn=accounts,dc=hadoop,dc=braccialli
14 Oct 2015 07:12:31,584 ERROR [qtp-client-21] AmbariLdapAuthoritiesPopulator:70 - Can't get authorities for user admin, he is not present in local DB

Re: Ambari LDAP Sync Issue

bdurai — Thu, 15 Oct 2015 00:29:42 GMT

@rgarcia@hortonworks.com

If the admin user is synchronized from AD, then you will have to update the Ambari DB and update it. You should probably create a backup admin user with different name with Admin privileges in Ambari.

mysql> use ambaricustom

mysql> update users set ldap_user=0 where user_name='admin';

Re: Ambari LDAP Sync Issue

abajwa — Thu, 15 Oct 2015 10:43:42 GMT

@Guilherme Braccialli here is the config we used for IPA. When providing the Ambari admin user/pass, this needs to exist in your IPA. So in my example I passes in admin/hortonworks. If you are passing in admin/admin it probably won't work:

https://github.com/abajwa-hw/security-workshops/blob/master/Setup-Ambari.md#authentication-via-ldap

Note that group memberships won't work since IPA uses openLDAP which does not expose the DN. @Paul Codding, @David Streever, @Sean Roberts and I found this the hard way. See BUG-45536 for more info (and up vote!)

Re: Ambari LDAP Sync Issue

rgarcia — Thu, 15 Oct 2015 22:22:32 GMT

Yes, admin user is in AD.

Re: Ambari LDAP Sync Issue

rgarcia — Thu, 15 Oct 2015 22:31:11 GMT

I tried logging in to mysql using the admin/admin account but won't let me in. Also tried root@hostname, same issue.

Re: Ambari LDAP Sync Issue

rgarcia — Fri, 16 Oct 2015 00:17:10 GMT

Ambari is using PostgreSQL and I've updated the active flag of local "admin" user in the users table and now am able to login as admin/admin. Now the AD users appear in the Ambari Users list. However, if I try to login as one of the AD users, its giving this error Unable to sign in. Invalid username/password combination.

Re: Ambari LDAP Sync Issue

rgarcia — Fri, 16 Oct 2015 01:09:31 GMT

I was able to resolve my issue by going into Active Directory and changing all the user's password policy from "User must change password at next logon" to "Password never expires". Now all users are able to login to Ambari.

ad-users.png

Re: Ambari LDAP Sync Issue

gbraccialli3 — Fri, 16 Oct 2015 10:13:02 GMT

Thanks @abajwa@hortonworks.com, yes I'm following your guide. As you pointed the problem was wrong password, I was using LDAP password instead of ambari one.

This group membership issue affects only ambari or also affects Ranger usersync?

Re: Ambari LDAP Sync Issue

narasimha_varma — Tue, 20 Dec 2016 18:28:12 GMT

I follow your steps as given above but i got connection refused issue that is mension below

[root@sandbox ~]# ambari-server setup-ldap

Using python /usr/bin/python2

Setting up LDAP properties...

Primary URL* {host:port} (localhost:636): localhost:389

Secondary URL {host:port} :

Use SSL* [true/false] (false):

User object class* (person):

User name attribute* (cn):

Group object class* (posixGroup): group

Group name attribute* (memberof): cn

Group member attribute* (memberUid): member

Distinguished name attribute* (dn): dn

Base DN* (ou=people,dc=hadoop,dc=apache,dc=org):

Referral method [follow/ignore] (ignore): follow

Bind anonymously* [true/false] (false):

Manager DN* (uid=hdfs,ou=people,dc=hadoop,dc=apache,dc=org):

Enter Manager Password* :

Re-enter password:

====================

Review Settings

====================

authentication.ldap.managerDn: uid=hdfs,ou=people,dc=hadoop,dc=apache,dc=org authentication.ldap.managerPassword: *****

Save settings [y/n] (y)? y Saving...done

Ambari Server 'setup-ldap' completed successfully.

[root@sandbox ~]# ambari-server start

Using python /usr/bin/python2

Starting ambari-server

Ambari Server running with administrator privileges.

Organizing resource files at /var/lib/ambari-server/resources...

Server PID at: /var/run/ambari-server/ambari-server.pid Server out at: /var/log/ambari-server/ambari-server.out Server log at: /var/log/ambari-server/ambari-server.log

Waiting for server start....................

Ambari Server 'start' completed successfully.

[root@sandbox ~]# ambari-server sync-ldap --

all Using python /usr/bin/python2

Syncing with LDAP...

Enter Ambari Admin login:

admin Enter Ambari Admin password:

Syncing all..ERROR: Exiting with exit code 1. REASON: Caught exception running LDAP sync. localhost:389; nested exception is javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: Connection refused (Connection refused)]

[root@sandbox ~]#

Re: Ambari LDAP Sync Issue

sidoine_kakeuh- — Fri, 08 Sep 2017 22:14:49 GMT

hello,

Im facing the same issue error 403 as you earlier and i'm not able to logging with my ambari admin logging after Ambari and LDAP sync failed.

please, i'm looking for integrating LDAP server with hortonworks sandbox Ambari (HDP 2.5) and ambari-server --version 2.4.0.0-1225 i have tried twice to run "ambari-server setup-ldap" and "ambari-server sync-ldap –all" twice, but i'm keeping having error 403 at the beginning of LDAP Sync. when this error come up, i'm not able anymore to logging into Ambari UI with my Ambari credentials (admin/password). even after reseting my password with "ambari-admin-password-reset". but what i've observed so far is that i could in logging with "maria_dev/maria_dev" credential and also with some new user i have added during LDAP setup server. i was wondering if this could be a password migration tools that is doing the wrong password migration? i have checked the user "admin" in my LDAP database, and i can observe that it's not encrypted in the same way as user like maria_dev or raj_ops!! (see below): can this cause trouble during my ambari-server and LDAP synchronization? or it is due to my ambari-server LDAP setup settings?

==> MARIA_DEV INFORMATIONS
[root@sandbox ~]# ldapsearch -x cn=maria_dev -b dc=hortonworks,dc=com
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: cn=maria_dev
# requesting: ALL
#

# maria_dev, People, hortonworks.com
dn: uid=maria_dev,ou=People,dc=hortonworks,dc=com
uid: maria_dev
cn: maria_dev
sn: maria_dev
mail: maria_dev@hortonworks.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JC94YTFDb0dTMnAvOC4yRCQ3MDkuL1pYRHpnV01vVGIzeWdnNnd
HNUNuM2ZXck82QTBzUGhOZzVFZEpodjF2LmRTQnBEelJUMHpPaFBUdmxZSzhGU3NVZEppS1M2QUFo
OXpqLld1MQ==
shadowLastChange: 17099
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1023
gidNumber: 1023
homeDirectory: /home/maria_dev

# maria_dev, Group, hortonworks.com
dn: cn=maria_dev,ou=Group,dc=hortonworks,dc=com
objectClass: posixGroup
objectClass: top
cn: maria_dev
userPassword:: e2NyeXB0fXg=
gidNumber: 1023

=======> ADMIN INFORMATION:
[root@sandbox ~]# ldapsearch -x cn=admin -b dc=hortonworks,dc=com
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: cn=admin
# requesting: ALL
#

# admin, People, hortonworks.com
dn: uid=admin,ou=People,dc=hortonworks,dc=com
uid: admin
cn: admin
sn: admin
mail: admin@hortonworks.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSEh
shadowLastChange: 17099
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/admin

# admin, Group, hortonworks.com
dn: cn=admin,ou=Group,dc=hortonworks,dc=com
objectClass: posixGroup
objectClass: top
cn: admin
userPassword:: e2NyeXB0fXg=
gidNumber: 1005

# search result
search: 2
result: 0 Success

thanks a lot for your help.

regards.

sidoine.

Re: Ambari LDAP Sync Issue

sidoine_kakeuh- — Fri, 08 Sep 2017 22:14:51 GMT

hello Neerraj,

i'm looking for integrating LDAP server with hortonworks sandbox Ambari (HDP 2.5) and ambari-server --version 2.4.0.0-1225 i have tried twice to run "ambari-server setup-ldap" and "ambari-server sync-ldap –all" twice, but i'm keeping having error 403 at the beginning of LDAP Sync. when this error come up, i'm not able anymore to logging into Ambari UI with my Ambari credentials (admin/password). even after reseting my password with "ambari-admin-password-reset". but what i've observed so far is that i could in logging with "maria_dev/maria_dev" credential and also with some new user i have added during LDAP setup server. i was wondering if this could be a password migration tools that is doing the wrong password migration? i have checked the user "admin" in my LDAP database, and i can observe that it's not encrypted in the same way as user like maria_dev or raj_ops!! (see below): can this cause trouble during my ambari-server and LDAP synchronization? or it is due to my ambari-server LDAP setup settings?

==> MARIA_DEV INFORMATIONS
[root@sandbox ~]# ldapsearch -x cn=maria_dev -b dc=hortonworks,dc=com
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: cn=maria_dev
# requesting: ALL
#

# maria_dev, Group, hortonworks.com
dn: cn=maria_dev,ou=Group,dc=hortonworks,dc=com
objectClass: posixGroup
objectClass: top
cn: maria_dev
userPassword:: e2NyeXB0fXg=
gidNumber: 1023

=======> ADMIN INFORMATION:
[root@sandbox ~]# ldapsearch -x cn=admin -b dc=hortonworks,dc=com
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: cn=admin
# requesting: ALL
#

# admin, Group, hortonworks.com
dn: cn=admin,ou=Group,dc=hortonworks,dc=com
objectClass: posixGroup
objectClass: top
cn: admin
userPassword:: e2NyeXB0fXg=
gidNumber: 1005

# search result
search: 2
result: 0 Success

thanks a lot for your help.

regards.

sidoine.