RHEL Stand Alone IPA Ambari LDAP Integration

john_kitterman — Tue, 26 Apr 2016 04:02:48 GMT

Greetings,

We're having issues getting Ambari LDAP hooked into an existing RHEL IdM.

[25/Apr/2016:17:38:46 +0000] conn=103047 fd=111 slot=111 connection from 10.72.142.71 to 10.72.142.30 [25/Apr/2016:17:38:46 +0000] conn=103047 op=0 BIND dn="" method=128 version=3 [25/Apr/2016:17:38:46 +0000] conn=103047 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="" [25/Apr/2016:17:38:46 +0000] conn=103047 op=1 SRCH base="dc=ace,dc=mydomain,dc=com" scope=2 filter="(uid=idmadmin)" attrs=ALL [25/Apr/2016:17:38:46 +0000] conn=103047 op=1 RESULT err=0 tag=101 nentries=1 etime=0 [25/Apr/2016:17:38:46 +0000] conn=103047 op=2 UNBIND [25/Apr/2016:17:38:46 +0000] conn=103047 op=2 fd=111 closed - U1

I opened a ticket with Redhat and they confirmed these logs indicate our client's (Ambari) query, is reaching the IdM, but for some reason the session is not moving forward after the and is closing. The following is from Ambari logs but does not paint a clear picture for me:

25 Apr 2016 17:38:44,912 WARN [qtp-client-24] ServletHandler:563 - /api/v1/ldap_sync_events org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect result size: expected 1, actual 2 at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntryInternal(SpringSecurityLdapTemplate.java:243) at org.springframework.security.ldap.SpringSecurityLdapTemplate$3.executeWithContext(SpringSecurityLdapTemplate.java:198) at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:807) at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:793) at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntry(SpringSecurityLdapTemplate.java:196) at org.springframework.security.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:116) at org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:90) at org.apache.ambari.server.security.authorization.AmbariLdapBindAuthenticator.authenticate(AmbariLdapBindAuthenticator.java:53) at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:178) at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:61) at org.apache.ambari.server.security.authorization.AmbariLdapAuthenticationProvider.authenticate(AmbariLdapAuthenticationProvider.java:60) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174) at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:168) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) at org.apache.ambari.server.api.MethodOverrideFilter.doFilter(MethodOverrideFilter.java:72) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) at org.apache.ambari.server.api.AmbariPersistFilter.doFilter(AmbariPersistFilter.java:47) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82) at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:294) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:501) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:429) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135) at org.apache.ambari.server.controller.AmbariHandlerList.processHandlers(AmbariHandlerList.java:209) at org.apache.ambari.server.controller.AmbariHandlerList.processHandlers(AmbariHandlerList.java:198) at org.apache.ambari.server.controller.AmbariHandlerList.handle(AmbariHandlerList.java:132) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116) at org.eclipse.jetty.server.Server.handle(Server.java:370) at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494) at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:982) at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1043) at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865) at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240) at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82) at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696) at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608) at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543) at java.lang.Thread.run(Thread.java:745)

Any help would be appreciated.

Re: RHEL Stand Alone IPA Ambari LDAP Integration

pminovic — Tue, 26 Apr 2016 09:32:55 GMT

Your BIND dn is empty. I did Ambari sync with Free IPA a few months ago. I created a system account for binding to LDAP using ldapmodify as explained here, and used that for my BIND dn. Also check other properties set during "ambari-server setup-ldap" and make sure they are in sync with the ones set by IPA. You can use "ipa user-find" to inspect the structure of your users. To change some properties in Ambari you can re-run setup-ldap or set properties directly in /etc/ambari-server/conf/ambari.properties and restart ambari-server.

Re: RHEL Stand Alone IPA Ambari LDAP Integration

john_kitterman — Wed, 27 Apr 2016 00:14:06 GMT

Thanks for your response, @Predrag Minovic. This pointed me in the right direction and I successfully pulled in users/groups.

question Re: RHEL Stand Alone IPA Ambari LDAP Integration in Archives of Support Questions (Read Only)

RHEL Stand Alone IPA Ambari LDAP Integration

Re: RHEL Stand Alone IPA Ambari LDAP Integration

Re: RHEL Stand Alone IPA Ambari LDAP Integration