question Ambari LDAP user/group sync failed in Support Questions

Ambari LDAP user/group sync failed

alinazemian — Wed, 04 Jan 2017 11:39:59 GMT

I've tried to integrate Ambari with AD. I was able to integrate that without encrypting passwords, but once I tried to encrypt passwords for the sake of security, I stuck at user/group sync step. I've followed the following manual.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/_optional_encrypt_database_and_ldap_passwords.html

After passing the encryption step, I tried to synchronise user/groups with using "ambari-server sync-ldap --all". Unfortunately, that command failed and once I checked the ambari-server log, there was an error as "Configuration:1850 - Cannot read password for alias = ${alias=ambari.ldap.manager.password}". Is this some kind of bug or have I missed any step?

FYI I am using HDP 2.5.0 and Ambari 2.4.1.

Re: Ambari LDAP user/group sync failed

sshimpi — Wed, 04 Jan 2017 14:10:14 GMT

@Ali Nazemian

I see this is a BUG Please check the link - https://issues.apache.org/jira/browse/AMBARI-2644

Below is the HWX bug url - https://hortonworks.jira.com/browse/BUG-7301

There is Patch provided to fix this issue.

Re: Ambari LDAP user/group sync failed

alinazemian — Wed, 04 Jan 2017 14:35:06 GMT

Has it been fixed already in 2.4.1 version?

Re: Ambari LDAP user/group sync failed

jsensharma — Wed, 04 Jan 2017 14:42:28 GMT

@Ali Nazemian

You are using 2.4.1 where this can happen when the encrypted password is null/empty.

      if (result != null) {
        password = new String(result);
      } else {
        LOG.error("Cannot read password for alias = " + aliasStr);
      }

https://github.com/apache/ambari/blob/release-2.4.1/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java#L1847-L1850

- So i am suspecting that your Password encryption was not done successfully. So try the encryption again. Or try removing the encryption and then freshly enable the password encryption:

(OLD Doc but should work) https://ambari.apache.org/current/installing-hadoop-using-ambari/content/ch02s06s01s02.html

- And do not forget to restart ambari server after enabling the encryption.

Re: Ambari LDAP user/group sync failed

alinazemian — Wed, 04 Jan 2017 20:05:47 GMT

Can it be related to having special characters in the provided password?

Re: Ambari LDAP user/group sync failed

rlevas — Wed, 04 Jan 2017 23:01:20 GMT

A special character should not really affect this, however it may depend on how special that character is. If it is just a normal ASCII letter, number, or punctuation, it will be fine. However if the character is not in the western latin character set, it may not have a valid translation. But I do not think that you would see the error message you posted.

That said, it is possible that your key did not make it into the Ambari credential store. Yo can check that by listing the keys in the credential store:

$JAVA_HOME/bin/keytool -list -keystore /var/lib/ambari-server/keys/credentials.jceks -storetype JCEKS

In my case $JAVA_HOME is /usr/jdk64/jdk1.8.0_77, so you might want to call the command using something like

/usr/jdk64/jdk1.8.0_77/bin/keytool -list -keystore /var/lib/ambari-server/keys/credentials.jceks -storetype JCEKS

After running this command, you will be prompted for a password. That password is the master password you set when enabling this feature.

Example:

# /usr/jdk64/jdk1.8.0_77/bin/keytool -list -keystore /var/lib/ambari-server/keys/credentials.jceks -storetype JCEKS
Enter keystore password:

Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

ambari.ldap.manager.password, Jan 4, 2017, SecretKeyEntry,
ambari.db.password, Jan 4, 2017, SecretKeyEntry,

Here we see that the ambari.ldap.manager.password alias exists.

In my ambari.properties, we see that the ambari.ldap.manager.password alias is assigned to the LDAP manager password property:

authentication.ldap.managerPassword=${alias=ambari.ldap.manager.password}

If your credential store does not have the ambari.ldap.manager.password entry, then we should be able to add it by rerunning the ambari-server setup-ldap command. Or you can try to manually add the password to the credential store using the keytool command like:

$JAVA_HOME/bin/keytool -importpass -alias ambari.ldap.manager.password -keystore /var/lib/ambari-server/keys/credentials.jceks -storetype JCEKS

For example,

/usr/jdk64/jdk1.8.0_77/bin/keytool -importpass -alias ambari.ldap.manager.password -keystore /var/lib/ambari-server/keys/credentials.jceks -storetype JCEKS
Enter keystore password:
Enter the password to be stored:
Re-enter password:
Enter key password for <ambari.ldap.manager.password>
	(RETURN if same as keystore password):

I entered the master password at the first prompt and the LDAP manager password for the next 2 prompts. I simply hit the return key for the last prompt.

Maybe this will help.

Re: Ambari LDAP user/group sync failed

alinazemian — Thu, 05 Jan 2017 13:27:52 GMT

I have managed to solve the issue. It was related to have an escaping characters in the provided password. I've used a simpler password and everything is working now.

Re: Ambari LDAP user/group sync failed

alinazemian — Thu, 05 Jan 2017 13:29:04 GMT

Thank you very much, but it was because of having escaping characters inside the password. I saw kind of similar issues for using complex passwords for other HDF and HDP applications as well.