question Has anyone integrated (for demo purposes only) the Knox LDAP demo server with the Ambari 2.1.1 Server? I am not sure that it can be done, but need the instructions if it can be done. I only need to be able to log in to Ambari using the LDAP users. in Archives of Support Questions (Read Only)

Has anyone integrated (for demo purposes only) the Knox LDAP demo server with the Ambari 2.1.1 Server? I am not sure that it can be done, but need the instructions if it can be done. I only need to be able to log in to Ambari using the LDAP users.

sbradshaw — Thu, 05 Nov 2015 07:37:03 GMT

Re: Has anyone integrated (for demo purposes only) the Knox LDAP demo server with the Ambari 2.1.1 Server? I am not sure that it can be done, but need the instructions if it can be done. I only need to be able to log in to Ambari using the LDAP users.

pcodding — Fri, 06 Nov 2015 23:10:43 GMT

Please refer to this doc note on how to disable pagination in Ambari 2.1.1+: http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.0/bk_Ambari_Security_Guide/content/_configuring_ambari_for_ldap_or_active_directory_authentication.html

Re: Has anyone integrated (for demo purposes only) the Knox LDAP demo server with the Ambari 2.1.1 Server? I am not sure that it can be done, but need the instructions if it can be done. I only need to be able to log in to Ambari using the LDAP users.

amiller — Sat, 07 Nov 2015 01:15:16 GMT

Wow, good catch. Unfortunately I'm still getting the same error with pagination disabled, so maybe it's a different feature that ApacheDS doesn't support:

REASON: Caught exception running LDAP sync. [LDAP: error code 12 - Unsupport critical control: 1.2.840.113556.1.4.319]; nested exception is javax.naming.OperationNotSupportedException: [LDAP: error code 12 - Unsupport critical control: 1.2.840.113556.1.4.319]; remaining name 'dc=hadoop,dc=apache,dc=org'

Re: Has anyone integrated (for demo purposes only) the Knox LDAP demo server with the Ambari 2.1.1 Server? I am not sure that it can be done, but need the instructions if it can be done. I only need to be able to log in to Ambari using the LDAP users.

pcodding — Sat, 07 Nov 2015 01:53:02 GMT

This looks familiar: https://jira.atlassian.com/browse/CWD-1109

What Ambari version are you using Alex?

Re: Has anyone integrated (for demo purposes only) the Knox LDAP demo server with the Ambari 2.1.1 Server? I am not sure that it can be done, but need the instructions if it can be done. I only need to be able to log in to Ambari using the LDAP users.

amiller — Tue, 10 Nov 2015 10:56:22 GMT

Here's a complete guide, thanks to @Paul Codding's advice to disable pagination. Requires HDP Sandbox 2.3.2 or later (Ambari 2.1.1+)

1. In Ambari, start the demo LDAP server (Knox gateway is not required):

Knox > Service Actions > Start Demo LDAP

2. Follow the Ambari Security Guide to enable LDAP (press Enter for blank values)...

[root@sandbox ~]# ambari-server setup-ldap
Using python  /usr/bin/python2.6
Setting up LDAP properties...
Primary URL* {host:port} : sandbox.hortonworks.com:33389
Secondary URL {host:port} :
Use SSL* [true/false] (false): false
User object class* (posixAccount): person
User name attribute* (uid): uid
Group object class* (posixGroup): groupofnames
Group name attribute* (cn): cn
Group member attribute* (memberUid): member
Distinguished name attribute* (dn): dn
Base DN* : dc=hadoop,dc=apache,dc=org
Referral method [follow/ignore] :
Bind anonymously* [true/false] (false): false
Manager DN* : uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
Enter Manager Password* : guest-password
Re-enter password: guest-password
====================
Review Settings
====================
authentication.ldap.managerDn: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
authentication.ldap.managerPassword: *****
Save settings [y/n] (y)? y
Saving...done
Ambari Server 'setup-ldap' completed successfully.

3. Configure Ambari to disable pagination, and restart Ambari Server:

[root@sandbox ~]# echo "authentication.ldap.pagination.enabled=false" >> /etc/ambari-server/conf/ambari.properties
[root@sandbox ~]# ambari-server restart

4. When Ambari startup completes, the objects in /etc/knox/conf/users.ldif are available in Ambari. Here’s a quick reference:

admin / admin-password
guest / guest-password
sam / sam-password
tom / tom-password

Note: LDAP accounts with the same names as local accounts will replace the local accounts. The admin password will now be 'admin-password' instead of 'admin'

5. To customize the demo LDAP directory:

In Ambari: Knox > Service Actions > Stop Demo LDAP
Edit /etc/knox/conf/users.ldif
Start the LDAP server manually (Ambari will overwrite users.ldif)

nohup su - knox -c 'java -jar /usr/hdp/current/knox-server/bin/ldap.jar /usr/hdp/current/knox-server/conf' &

Synchronize LDAP Users & Groups (see console output below)...

[root@sandbox ~]# ambari-server sync-ldap --all
Using python  /usr/bin/python2.6
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password: admin-password
Syncing all...

Completed LDAP Sync.
Summary:
  memberships:
    removed = 0
    created = 2
  users:
    updated = 0
    removed = 1
    created = 3
  groups:
    updated = 2
    removed = 0
    created = 0

Ambari Server 'sync-ldap' completed successfully.

Re: Has anyone integrated (for demo purposes only) the Knox LDAP demo server with the Ambari 2.1.1 Server? I am not sure that it can be done, but need the instructions if it can be done. I only need to be able to log in to Ambari using the LDAP users.

amiller — Tue, 10 Nov 2015 10:56:23 GMT

Ambari attempts to determine whether the demo LDAP server supports paged results, which it does not, so it responds with UNAVAILABLE_CRITICAL_EXTENSION.

The demo LDAP server in Knox 0.6.0 (HDP 2.3.0) is based on ApacheDS 2.0.0-M15. Support for paged results was added in version 2.0.0-M13 (DIRSERVER-434), so I'm not sure why this wouldn't work. It's unlikely to be solved by configuration though.

Re: Has anyone integrated (for demo purposes only) the Knox LDAP demo server with the Ambari 2.1.1 Server? I am not sure that it can be done, but need the instructions if it can be done. I only need to be able to log in to Ambari using the LDAP users.

amiller — Tue, 10 Nov 2015 10:58:25 GMT

I was mistakenly using the HDP 2.3.0 Sandbox, which uses Ambari 2.1.0. Your advice worked perfectly in the latest version. Thanks!

Re: Has anyone integrated (for demo purposes only) the Knox LDAP demo server with the Ambari 2.1.1 Server? I am not sure that it can be done, but need the instructions if it can be done. I only need to be able to log in to Ambari using the LDAP users.

WhiteHa — Wed, 22 Jun 2016 16:07:52 GMT

@Alex Miller I am having trouble with syncing ldap, getting 403 bad credentials but I am able to login using same credentials to the dashboard. Note: Now admin password is changed to ldap's admin password. Exact error below: "Syncing all.ERROR: Exiting with exit code 1. REASON: Sync event creation failed. Error details: HTTP Error 403: You do not have permissions to access this resource."

Re: Has anyone integrated (for demo purposes only) the Knox LDAP demo server with the Ambari 2.1.1 Server? I am not sure that it can be done, but need the instructions if it can be done. I only need to be able to log in to Ambari using the LDAP users.

lakshmi_jammu — Sun, 04 Aug 2019 11:28:54 GMT

Hi Pandey,

Have you identified the root cause for this issue? Do you remember?

The error is same for Ambari 2.6.1.5.