question How do I remove LDAP accounts from Ambari in Archives of Support Questions (Read Only)

How do I remove LDAP accounts from Ambari

SQLShaw — Fri, 06 Nov 2015 02:06:40 GMT

I loaded LDAP accounts into Ambari and now need to remove them and re-sync. How do I remove the accounts?

Re: How do I remove LDAP accounts from Ambari

nsabharwal — Fri, 06 Nov 2015 02:21:53 GMT

@Scott Shaw

I believe you need to clean it up from ambari database.

for example:

[root@nsfed01 ~]# psql dbname username

Password for user ambari:

psql (8.4.20)

Type "help" for help.

ambari2112=> \dt

ambari2112=> select * from users where ldap_user=1;

---------+--------------+-----------+-----------+-------------+---------------+--------+-----------------------

(0 rows)

delete from users where ldap_user=1;

I aambari2112=> select * from users;

Re: How do I remove LDAP accounts from Ambari

pcodding — Fri, 06 Nov 2015 02:42:08 GMT

Scott, you can use the API to remove them:

curl --insecure -u admin:$PASSWORD -H 'X-Requested-By: ambari' -X DELETE http://$AMBARI_HOST:8080/api/v1/users/paul

Re: How do I remove LDAP accounts from Ambari

nsabharwal — Fri, 06 Nov 2015 02:43:51 GMT

@Paul Codding This is helpful. Thanks! I believe , delete statement is not good idea to run..Comments?

Re: How do I remove LDAP accounts from Ambari

SQLShaw — Fri, 06 Nov 2015 02:50:43 GMT

We went down the path of deleting directly from Oracle but ran into a bunch of relational constraints.

Re: How do I remove LDAP accounts from Ambari

nsabharwal — Fri, 06 Nov 2015 02:53:43 GMT

Could you share delete statements for oracle?

@Scott Shaw

Re: How do I remove LDAP accounts from Ambari

SQLShaw — Fri, 06 Nov 2015 04:13:27 GMT

We ended up going with Paul's solution and didn't try to delete from Oracle. Thanks for all your input and help!

Re: How do I remove LDAP accounts from Ambari

pcodding — Fri, 06 Nov 2015 05:53:00 GMT

I've created an internal JIRA to support bulk deletion from the CLI

Re: How do I remove LDAP accounts from Ambari

nsabharwal — Wed, 25 Nov 2015 10:37:02 GMT

@Paul Codding Is it ok to follow this approach?

Re: How do I remove LDAP accounts from Ambari

nsabharwal — Wed, 25 Nov 2015 10:37:45 GMT

@Paul Codding Do you have jira number? Is it internal?

Re: How do I remove LDAP accounts from Ambari

mrossign — Tue, 10 Sep 2019 10:36:14 GMT

If like me, you made a mistake for instance loading all your LDAP users and groups with "ambari-server sync-ldap --all" and you realize that you in fact only wanted some groups/users, you can re-run the "ambari-server setup-ldap" wizard pointing to the DN of only one of your users to keep as the search base. Then run "ambari-server sync-ldap --existing" to remove all existing LDAP users and groups except the single one to keep. Then reset the correct search base and add the subset of groups/users you want using "ambari-server sync-ldap --users users.txt --groups groups.txt". This trick saved my life by automatically and easily removing roughly 15000 LDAP users and 1000 LDAP groups 🙂

Re: How do I remove LDAP accounts from Ambari

pmadiot — Mon, 23 Mar 2020 11:20:38 GMT

hello,

This wokarround didn't work for me.

Configured the LDAP setup so that the BaseDN matches only 1 entry.

calling "ambari-server sync-ldap --existing" didn't remove all existing LDAP Users and groups rather it deleted 2 only.

may be i missed something, but after running the setup do we need to restart ambari-server?

What should be the expected behaviour when runing the "ambari-server sync-ldap --all" and the BaseDN pointing to a single AD entry?

The doc states the following for option '--exisiting' : "Users will be removed from Ambari if they no
longer exist in LDAP, and group membership in Ambari will be updated to match LDAP". Since AD users still exist that would have no effect to remove the users even if baseDN points to single entry.

What we are looking for (HDP2.6.5) is to remove all LDAP synced users other than these specified in --users users.txt and --groups group.txt.

It looks like there is no such tool and we have to resort to manually use ambari APIs somehow.
One thing i'm not sure is how are the lowercased alias being handled, since during the first sync we had the default value 'true' to force lower case, and now changed it to 'false'

looking forward your insights