question ambari-server sync-ldap no longer working in Archives of Support Questions (Read Only)

ambari-server sync-ldap no longer working

anorton — Thu, 03 Aug 2017 23:35:38 GMT

I was able to sync LDAP at one point with Ambari. I'm not sure exactly when it broke. The users were synced before it broke all work fine and show up in Ambari as being Type: LDAP. When I try to run ambari-server sync-ldap with either the --existing option or --groups I get the same output complaining about the hostname. I have verified that hostname -f shows the correct FQDN and it matches what is output in the results of the command below.

ambari-server sync-ldap --existing

Using python /usr/bin/python

Syncing with LDAP...

Enter Ambari Admin login: adminusername

Enter Ambari Admin password:

Syncing existing.ERROR: Exiting with exit code 1.

REASON: Sync event creation failed. Error details: hostname '127.0.0.1' doesn't match u'hiddenhostname.domain.com'

Re: ambari-server sync-ldap no longer working

Shelton — Thu, 03 Aug 2017 23:40:39 GMT

@Aaron Norton

What are the host entries in your ambari server /etc/hosts ?
Is the LDAP server entry correct ?

Please revert

Re: ambari-server sync-ldap no longer working

anorton — Thu, 03 Aug 2017 23:51:23 GMT

my /etc/hosts file only contains the 2 standard localhost lines. I have verified that both forward and revers DNS works correctly for the Ambari server and the LDAP server. I did try adding both of them into the /etc/hosts file in the format of "IP FQDN shortname" and that did not seem to make any difference at all. I looked at the ambari.properties file and it has the correct LDAP hostname in it.

Re: ambari-server sync-ldap no longer working

berry_osterlund — Wed, 23 Aug 2017 19:54:17 GMT

I just got the exact same error. And the problem came after a “yum update” on a Redhat 7 server. I tested the synchronization just before I upgraded the OS and it worked fine. After the upgrade, I get the same error. I’ll post an answer once I find a solution to the problem

Re: ambari-server sync-ldap no longer working

berry_osterlund — Thu, 24 Aug 2017 17:30:45 GMT

@Aaron Norton

One way you can work around this problem is to change "SERVER_API_HOST = '127.0.0.1'" in /usr/lib/python2.6/site-packages/ambari_server/serverUtils.py so it points to your server with the full hostname. That will work around the problem with SSL that we see.

Re: ambari-server sync-ldap no longer working

anorton — Thu, 24 Aug 2017 19:15:10 GMT

Yes that workaround does work. Will wait for a fix before I Accept the solution.

Re: ambari-server sync-ldap no longer working

berry_osterlund — Fri, 25 Aug 2017 13:13:39 GMT

So, the main reason we see this error is because the default behaviour for ssl cert verification have changed in python. If you take a look in /etc/python/cert-verification.cfg, you will see that in python-libs-2.7.5-34, the “verify=disable” value was default. But after upgrade of that package to python-libs-2.7.5-58, the value is now “verify=platform_default”. And at least in our system, that means enabled. After changing this back to “verify=disable”, the synchronization works again without having to do the workaround I wrote about earlier. I have verified this on a non-upgraded system by changing it to enabled and that also results in errors for the user synchronization

This error also affect LLAP if you are running that. After upgrade, LLAP wont start because of cert verifications. You will get a “[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)” error message. Changing the verify parameter described above also fixes that problem.

Re: ambari-server sync-ldap no longer working

anorton — Fri, 25 Aug 2017 21:46:39 GMT

Thanks for the detailed explanation Berry!