question Re: IPA ldap Ambari Sync in Support Questions

IPA ldap Ambari Sync

arunak — Thu, 25 Aug 2016 01:50:05 GMT

Hi All, I am trying to sync my Directory users from IPA server to Ambari. I have been using these instructions

However, I am not certain what need to be the value of Distinguished name attribute.

Provided I have the following structure

uid=u1,ou=ou11,ou=o1,dc=example,dc=com 

uid=u2,ou=ou12,ou=o1,dc=example,dc=com 

uid=u3,ou=ou21,ou=02,dc=example,dc=com 

uid=u4,ou=ou22,ou=02,dc=example,dc=com

Re: IPA ldap Ambari Sync

orlandoteixeira — Thu, 25 Aug 2016 01:55:35 GMT

Here are the default IPA Values (If you used a out of the box no changes IPA) that work for me:

authentication.ldap.dnAttribute=dn

authentication.ldap.groupMembershipAttr= memberUid

authentication.ldap.groupObjectClass=posixGroup

authentication.ldap.userObjectClass=mepManagedEntry

authentication.ldap.usernameAttribute=cn

Re: IPA ldap Ambari Sync

WhiteHa — Thu, 25 Aug 2016 01:58:53 GMT

Try Distinguished name attribute* (dn): dn

Re: IPA ldap Ambari Sync

arunak — Thu, 25 Aug 2016 02:04:28 GMT

Thanks @Orlando Teixeira. Could you share me a sample ldif file that you used for ldapadd. I was able to sync the user bases using the default specified above. I did not see a dn attribute to any of my user/group using jxplore and hence wanted to know how relevant these default values are. After the sync, the admin user in IPA which is defaulted to admin messed up my Ambari admin user, which is also by default admin.

Re: IPA ldap Ambari Sync

arunak — Thu, 25 Aug 2016 02:07:16 GMT

Thanks @Krishna Pandey. Was able to use the default ones to Sync up the users. However I was not sure where there attributes are attached to my users/groups since I could not see anything called dn using jxplorer.

Re: IPA ldap Ambari Sync

WhiteHa — Thu, 25 Aug 2016 02:12:00 GMT

@Arun A K If you have existing admin user in your AD/LDAP, it will be override the existing Ambari admin user. This is known behaviour.

Re: IPA ldap Ambari Sync

arunak — Thu, 25 Aug 2016 02:12:01 GMT

@Krishna Pandey. In anticipation of this, I had created an ambari_admin before the sync and granted the admin role to this new user. However, after sync, I am not able to see the user management option in ambari after logging in as ambari_admin. Is this some configuration issue at my end?

Re: IPA ldap Ambari Sync

orlandoteixeira — Thu, 25 Aug 2016 02:15:02 GMT

@Arun A K, first let's fix your admin. Simply go into the database and do:

update users set ldap_user = 0 where user_name = 'admin';

then reset the password as follows:

https://community.hortonworks.com/questions/449/how-to-reset-ambari-admin-password.html

Here is the output of an ldapsearch on a user in my IPA, to show you where dn is:

# orlando, users, accounts, ipa.example.com
dn: uid=orlando,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
displayName: Orlando Teixeira
cn: Orlando Teixeira
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
sn: Teixeira
gecos: Orlando Teixeira
homeDirectory: /home/orlando
krbPwdPolicyReference: cn=global_policy,cn=IPA.EXAMPLE.COM,cn=kerberos,dc=ipa,
 dc=example,dc=com
mail: orlando@ipa.example.com
krbPrincipalName: orlando@IPA.EXAMPLE.COM
givenName: Orlando
uid: orlando
initials: OT
ipaUniqueID: 3b9308de-895c-11e5-a188-0800274e577d
uidNumber: 1690200001
gidNumber: 1690200001
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
memberOf: cn=test,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
memberOf: cn=test2,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
mepManagedEntry: cn=orlando,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
krbLoginFailedCount: 6
krbLastFailedAuth: 20160601185034Z


# orlando, groups, accounts, ipa.example.com
dn: cn=orlando,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: orlando
gidNumber: 1690200001
description: User private group for orlando
mepManagedBy: uid=orlando,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
ipaUniqueID: 3b9b8388-895c-11e5-a188-0800274e577d

Re: IPA ldap Ambari Sync

WhiteHa — Thu, 25 Aug 2016 02:24:03 GMT

The earlier created local Ambari "ambari_admin" user should exist even after ldap sync. Please select "All" as Type in Manage Ambari -> User+Group Management section, your user should show up there.

Re: IPA ldap Ambari Sync

arunak — Thu, 25 Aug 2016 02:40:01 GMT

Thanks @Orlando Teixeira. One last question - what tool do you use to add users to the directory? I have been using ipa user-add and ipa group-add and as a result, if I do a ldap search, I don't find any values for krbPwdPolicyReference: and krbPrincipalName. Is there something I am doing wrong here.

[admin@ipa ec2-user]$ ldapsearch -x  -W "uid=jsmith"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: uid=jsmith
# requesting: ALL
#
# jsmith, users, compat, arunak.com
dn: uid=jsmith,cn=users,cn=compat,dc=example,dc=com
cn: James Smith
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
ipaAnchorUUID:: OklQQTphcnVuYWsuY29tOmVhMzk5OGEwLTY2NDAtMTFlNi05NTExLTEyNzY0N2
 ZhZThlOQ==
gidNumber: 443400011
gecos: James Smith
uidNumber: 443400011
loginShell: /bin/sh
homeDirectory: /home/jsmith
uid: jsmith
# jsmith, users, accounts, example.com
dn: uid=jsmith,cn=users,cn=accounts,dc=example,dc=com
displayName: James Smith
uid: tutui
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: SA
gecos: James Smith
sn: Smith
homeDirectory: /home/jsmith
givenName: James
cn: James Smith
uidNumber: 443400011
gidNumber: 443400011
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2

Re: IPA ldap Ambari Sync

orlandoteixeira — Thu, 25 Aug 2016 02:42:33 GMT

@Arun A K I just use the Web Gui that comes with IPA ldap. Keep in mind I am not managing a large user base, but rather just doing small recreations to help customers. I would think the GUI would get cumbersome if you were doing an entire enterprise.

Re: IPA ldap Ambari Sync

arunak — Thu, 25 Aug 2016 02:44:51 GMT

Thanks Again!!. I was prototyping, and hence wasn't looking for something at an enterprise level. 🙂