question Re: Can we automatically sync ldap users into ambari ? in Archives of Support Questions (Read Only)

Can we automatically sync ldap users into ambari ?

ashneesharma88 — Sun, 25 Dec 2016 02:57:52 GMT

Is there any way to auto sync ldap users for ambari ?

Re: Can we automatically sync ldap users into ambari ?

sshimpi — Sun, 25 Dec 2016 02:59:42 GMT

@Ashnee Sharma

Please check below and let me know if you are looking for the same -

Installed expect first:

# yum install expect -y (or use your Linux distribution's package manager if you're not Using CentOS or RHEL)

Then create and run the following expect script:

# cat /tmp/ambari-server-sync-ldap-unattended.sh

#!/usr/bin/expect 
set timeout 20
spawn /usr/sbin/ambari-server sync-ldap --groups=/etc/ambari-server/ambari-groups.csv
expect "Enter Ambari Admin login:" { send "admin\n" }
expect "Enter Ambari Admin password:" { send "notTheRealPasswordOfCourse\n" }
interact

If customer wants password to NOT be in plain text, ask them to look at something like Ansible which handles decrypting passwords from a file.

Let me know if that works for you.

Re: Can we automatically sync ldap users into ambari ?

cstanca — Sun, 25 Dec 2016 04:50:26 GMT

@Ashnee Sharma

Additional to what Sagar provided, be aware that in case of Oracle Directory Server Enterprise 11g (there are a few more LDAPs with the same issue), when synchronizing LDAP users/groups, Ambari uses LDAP results paging control to sync large number of LDAP objects. If that is your case, then set authentication.ldap.pagination.enabled property to false in the/etc/ambari-server/conf/ambari-properties file to disable result paging controls. This will limit the maximum number of entities that can be imported at any given time to the maximum result limit of the LDAP server. To work around this, import sets of users or groups using the -users and -groups as Sagar already included in his commands.

Also, when syncing ldap, local user accounts with matching username will switch to LDAP type, which means their authentication will be against the external LDAP and not against the Local Ambari user store. Be advised!

LDAP sync only syncs up-to-1000 users. If your LDAP contains over 1000 users and you plan to import over 1000 users, you must use the --users option when syncing and specify a filtered list of users to perform import in batches. This is another thing to be aware.

Re: Can we automatically sync ldap users into ambari ?

ashneesharma88 — Wed, 28 Dec 2016 16:50:05 GMT

I tried the script and its working in my test env. Is it feasible to deploy in prod ?

Any disadvantages?

Re: Can we automatically sync ldap users into ambari ?

sshimpi — Wed, 28 Dec 2016 17:06:08 GMT

@Ashnee Sharma

There are no drawback apart from exposing script to public. Just make sure you do not specify password as plain text in script.

Re: Can we automatically sync ldap users into ambari ?

cstanca — Thu, 29 Dec 2016 00:28:30 GMT

@Ashnee Sharma

There was an issue and for that you submitted a question separately. It is good to document here as well, for other sake that may be encounter a similar problem. Please post it.

I found it. Based on the original response, you encountered an issue, then you asked this question: https://community.hortonworks.com/questions/74245/how-to-disable-pagination-for-ambari-ldap.html