Created 10-14-2015 01:11 AM
I have a working AD, and ldapsearch works from the Linux node to the AD machine. I am trying to set up Ambari to integrate with AD using LDAP with SSL set to 'true' and am getting an SSL error. See below.
[root@rgarcia-hdp23201 ~]# ambari-server setup-ldap
Using python /usr/bin/python2.6
Setting up LDAP properties...
Primary URL* {host:port} (host:389): host:636
Secondary URL {host:port} (host:389): host:636
Use SSL* [true/false] (true): true
User object class* (user):
User name attribute* (cn):
Group object class* (group):
Group name attribute* (cn):
Group member attribute* (memberUid):
Distinguished name attribute* (dn):
Base DN* (OU=Rommel_Garcia_Accounts,DC=AD-HDP,DC=COM): OU=Rommel_Garcia_Accounts,DC=AD-HDP,DC=COM
Referral method [follow/ignore] (follow):
Bind anonymously* [true/false] (false): false
Manager DN* (CN=adadmin,OU=MyUsers,DC=AD-HDP,DC=COM): CN=adadmin,OU=MyUsers,DC=AD-HDP,DC=COM
Enter Manager Password* :
Re-enter password:
Do you want to provide custom TrustStore for Ambari [y/n] (y)?y
TrustStore type [jks/jceks/pkcs12] (jks):jks
Path to TrustStore file (/etc/ambari-server/keys/ldaps-keystore.jks):/etc/ambari-server/keys/ldaps-keystore.jks
Password for TrustStore:
Re-enter password:
==================== Review Settings ====================
authentication.ldap.managerDn: CN=adadmin,OU=MyUsers,DC=AD-HDP,DC=COM
authentication.ldap.managerPassword: *****
ssl.trustStore.type: jks
ssl.trustStore.path: /etc/ambari-server/keys/ldaps-keystore.jks
ssl.trustStore.password: *****
Save settings [y/n] (y)? y
Saving...done
Ambari Server 'setup-ldap' completed successfully.
You have new mail in /var/spool/mail/root
[root@rgarcia-hdp23201 ~]# ambari-server restart
Using python /usr/bin/python2.6
Restarting ambari-server
Using python /usr/bin/python2.6
Stopping ambari-server
Ambari Server stopped
Using python /usr/bin/python2.6
Starting ambari-server
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources...
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start....................
Ambari Server 'start' completed successfully.
[root@rgarcia-hdp23201 ~]# ambari-server sync-ldap --all
Using python /usr/bin/python2.6
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing all...ERROR: Exiting with exit code 1.
REASON: Caught exception running LDAP sync. host:636; nested exception is javax.naming.CommunicationException: host:636 [Root exception is java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)]
[root@rgarcia-hdp23201 ~]# ambari-server sync-ldap --all
Using python /usr/bin/python2.6
Syncing with LDAP...
Enter Ambari Admin login: adadmin
Enter Ambari Admin password:
Syncing all.ERROR: Exiting with exit code 1.
REASON: Sync event creation failed. Error details: HTTP Error 403: host:636; nested exception is javax.naming.CommunicationException: host:636 [Root exception is java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)]
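A note on the error above, followed by an added check that is not part of this thread or of Ambari. "Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)" is thrown while the JVM builds its default SSLContext, which is where it loads the keystore and truststore named by the javax.net.ssl.* properties; it happens before any byte reaches the directory, so the fault is in the JVM's TLS material (the JKS path, its password or its contents), not in AD. The direct test of what the JVM will load is keytool -list -keystore /etc/ambari-server/keys/ldaps-keystore.jks with the same password. The script below does the other half: it performs the LDAPS handshake outside the JVM, trusting only the AD CA in a PEM file, sends one simple bind as the manager DN, and decodes the AD sub-code in the bind diagnostic (a "must change password at next logon" account, the condition a later reply in this thread cleared, comes back as data 773). Host, port, DN, password and the CA PEM path are the caller's inputs; the sample BindResponse at the bottom is constructed for the example, not captured from a server.

```python
"""LDAPS bind check outside the JVM (added example, not Ambari code).
Assumptions, not from the thread: the AD CA certificate is a PEM file; host,
port, bind DN and password come from the caller. Standard library only."""
import re
import socket
import ssl

def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, else 0x80|N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(payload)) + payload

def build_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPv3 BindRequest with simple authentication (RFC 4511, section 4.2)."""
    if not 0 < message_id < 0x80:
        raise ValueError("example keeps messageID to one INTEGER byte")
    bind_request = _tlv(0x60,                    # [APPLICATION 0] BindRequest
        _tlv(0x02, b"\x03")                      # version INTEGER 3
        + _tlv(0x04, bind_dn.encode("utf-8"))    # name LDAPDN
        + _tlv(0x80, password.encode("utf-8")))  # simple [0] OCTET STRING
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind_request)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(msg: bytes) -> dict:
    """Pull resultCode, matchedDN and diagnosticMessage out of a BindResponse."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(body, 0)
    tag, resp, _ = _read_tlv(body, pos)
    if tag != 0x61:                              # [APPLICATION 1] BindResponse
        raise ValueError("unexpected protocolOp tag 0x%02x" % tag)
    _, code, pos = _read_tlv(resp, 0)            # resultCode ENUMERATED
    _, matched, pos = _read_tlv(resp, pos)       # matchedDN LDAPDN
    _, diag, _ = _read_tlv(resp, pos)            # diagnosticMessage LDAPString
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode("utf-8", "replace"),
            "diagnostic": diag.decode("utf-8", "replace")}

# AD appends "data NNN" to the diagnosticMessage of a failed bind; the sub-code
# says far more than resultCode 49 (invalidCredentials) alone.
AD_DATA_CODES = {"525": "user not found", "52e": "invalid credentials",
                 "530": "logon not permitted at this time", "532": "password expired",
                 "533": "account disabled", "701": "account expired",
                 "773": "user must reset password", "775": "account locked out"}

def ad_bind_reason(diagnostic: str) -> str:
    """Translate the AD 'data' sub-code in a bind diagnostic, if one is present."""
    m = re.search(r"\bdata ([0-9a-fA-F]+)", diagnostic)
    if not m:
        return "no AD data code in diagnostic"
    return AD_DATA_CODES.get(m.group(1).lower(), "unknown AD data code " + m.group(1))

def _read_exact(sock, n: int) -> bytes:
    """recv() until n bytes have arrived or the peer closes the connection."""
    out = b""
    while len(out) < n:
        chunk = sock.recv(n - len(out))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        out += chunk
    return out

def ldaps_bind_check(host: str, port: int, bind_dn: str, password: str, ca_pem: str) -> dict:
    """TLS handshake trusting only ca_pem (hostname verified), then one simple bind."""
    ctx = ssl.create_default_context(cafile=ca_pem)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_simple_bind(1, bind_dn, password))
            head = _read_exact(tls, 2)           # tag + first length byte
            if head[1] & 0x80:                   # long-form length follows
                head += _read_exact(tls, head[1] & 0x7F)
                length = int.from_bytes(head[2:], "big")
            else:
                length = head[1]
            result = parse_bind_response(head + _read_exact(tls, length))
    result["ad_reason"] = ad_bind_reason(result["diagnostic"])
    return result

# Constructed BindResponse (not captured from any server): resultCode 49 carrying
# an AD-style diagnostic with sub-code 773, the "must change password" case.
SAMPLE_BIND_RESPONSE = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x61,
    _tlv(0x0A, b"\x31") + _tlv(0x04, b"")
    + _tlv(0x04, b"AcceptSecurityContext error, data 773")))
```

Call ldaps_bind_check("host", 636, "CN=adadmin,OU=MyUsers,DC=AD-HDP,DC=COM", password, "ad-ca.pem") from the Ambari node: a certificate or hostname failure raises ssl.SSLError during the handshake, which tells you the CA you put in the JKS is wrong or the certificate does not carry the name you connect to; a clean handshake followed by result_code 49 narrows the problem to the account, and the ad_reason field says which AD condition it is. A real AD diagnostic also carries a DSID and a hex NT status in front of the "data" field; the parser only needs the "data NNN" part.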
Created 10-15-2015 06:09 PM
I was able to resolve my issue by going into Active Directory and changing all the users' password policy from "User must change password at next logon" to "Password never expires". Now all users are able to log in to Ambari.
Created 10-15-2015 03:43 AM
@Guilherme Braccialli here is the config we used for IPA. When providing the Ambari admin user/pass, this needs to exist in your IPA. So in my example I passed in admin/hortonworks. If you are passing in admin/admin it probably won't work:
https://github.com/abajwa-hw/security-workshops/blob/master/Setup-Ambari.md#authentication-via-ldap
Note that group memberships won't work since IPA uses openLDAP which does not expose the DN. @Paul Codding, @David Streever, @Sean Roberts and I found this the hard way. See BUG-45536 for more info (and upvote!)
Created 10-16-2015 03:13 AM
Thanks @abajwa@hortonworks.com, yes I'm following your guide. As you pointed out, the problem was a wrong password: I was using the LDAP password instead of the Ambari one.
Does this group membership issue affect only Ambari, or does it also affect Ranger usersync?
Created 10-15-2015 05:17 PM
Ambari is using PostgreSQL, and I've updated the active flag of the local "admin" user in the users table; now I am able to log in as admin/admin. Now the AD users appear in the Ambari Users list. However, if I try to log in as one of the AD users, it gives this error: Unable to sign in. Invalid username/password combination.
Created 09-08-2017 03:14 PM
hello,
I'm facing the same issue, error 403, as you did earlier, and I'm not able to log in with my Ambari admin login after the Ambari and LDAP sync failed.
I'm looking to integrate an LDAP server with the Hortonworks sandbox Ambari (HDP 2.5; ambari-server --version 2.4.0.0-1225). I have tried running "ambari-server setup-ldap" and "ambari-server sync-ldap --all" twice, but I keep getting error 403 at the beginning of the LDAP sync. When this error comes up, I'm no longer able to log in to the Ambari UI with my Ambari credentials (admin/password), even after resetting my password with "ambari-admin-password-reset". What I've observed so far is that I can log in with the "maria_dev/maria_dev" credentials and also with some new users I added during the LDAP server setup. I was wondering if this could be a password migration tool doing the wrong password migration? I have checked the user "admin" in my LDAP database, and I can observe that it's not encrypted in the same way as users like maria_dev or raj_ops (see below). Can this cause trouble during my ambari-server and LDAP synchronization, or is it due to my ambari-server LDAP setup settings?
==> MARIA_DEV INFORMATION
[root@sandbox ~]# ldapsearch -x cn=maria_dev -b dc=hortonworks,dc=com
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: cn=maria_dev
# requesting: ALL
#
# maria_dev, People, hortonworks.com
dn: uid=maria_dev,ou=People,dc=hortonworks,dc=com
uid: maria_dev
cn: maria_dev
sn: maria_dev
mail: maria_dev@hortonworks.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JC94YTFDb0dTMnAvOC4yRCQ3MDkuL1pYRHpnV01vVGIzeWdnNnd
HNUNuM2ZXck82QTBzUGhOZzVFZEpodjF2LmRTQnBEelJUMHpPaFBUdmxZSzhGU3NVZEppS1M2QUFo
OXpqLld1MQ==
shadowLastChange: 17099
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1023
gidNumber: 1023
homeDirectory: /home/maria_dev
# maria_dev, Group, hortonworks.com
dn: cn=maria_dev,ou=Group,dc=hortonworks,dc=com
objectClass: posixGroup
objectClass: top
cn: maria_dev
userPassword:: e2NyeXB0fXg=
gidNumber: 1023
=======> ADMIN INFORMATION:
[root@sandbox ~]# ldapsearch -x cn=admin -b dc=hortonworks,dc=com
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: cn=admin
# requesting: ALL
#
# admin, People, hortonworks.com
dn: uid=admin,ou=People,dc=hortonworks,dc=com
uid: admin
cn: admin
sn: admin
mail: admin@hortonworks.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSEh
shadowLastChange: 17099
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/admin
# admin, Group, hortonworks.com
dn: cn=admin,ou=Group,dc=hortonworks,dc=com
objectClass: posixGroup
objectClass: top
cn: admin
userPassword:: e2NyeXB0fXg=
gidNumber: 1005
# search result
search: 2
result: 0 Success
thanks a lot for your help.
regards.
sidoine.
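The userPassword:: values in the ldapsearch output above are base64, which is what the double colon means in LDIF. Decoded, uid=admin holds {crypt}!! and both group entries hold {crypt}x, while maria_dev's value begins {crypt}$6$, a salted SHA-512 crypt hash. "!!", "!" and "*" are the markers shadow(5) tools write for a locked or never-set password, and "x" is the passwd(5) placeholder; none of them is crypt(3) output, so no password can satisfy a simple bind against an entry that stores one. The script below is an added example, not part of this thread or of Ambari: it parses LDIF (including folded continuation lines), decodes the base64 values and reports which entries can be bound as. The sample LDIF inside it is constructed: the admin and group values are the ones from the post, the DNs follow the post, and the maria_dev hash is a placeholder of the same {crypt}$6$ shape because the post's copy is line-wrapped.

```python
"""Decode userPassword values from LDIF and say what each scheme means for a
bind (added example; not Ambari or Hortonworks code). The sample LDIF is
constructed for the example: the uid=admin and group values are the ones in the
post above; the maria_dev hash is a placeholder of the same {crypt}$6$ shape,
folded across two lines the way ldapsearch prints long values."""
import base64
import re

SAMPLE_LDIF = """\
dn: uid=maria_dev,ou=People,dc=hortonworks,dc=com
uid: maria_dev
userPassword:: e2NyeXB0fSQ2JHNhbHRz
 YWx0JGhhc2hoYXNo

dn: cn=maria_dev,ou=Group,dc=hortonworks,dc=com
cn: maria_dev
userPassword:: e2NyeXB0fXg=

dn: uid=admin,ou=People,dc=hortonworks,dc=com
uid: admin
userPassword:: e2NyeXB0fSEh
"""

# Values that are not crypt(3) output: the shadow(5) lock markers ("!", "!!", "*")
# and the passwd(5) "x" placeholder. No password can match them, so a simple
# bind against such an entry always fails.
LOCK_MARKERS = ("", "!", "!!", "*", "x")
CRYPT_PREFIXES = {"$6$": "sha512crypt", "$5$": "sha256crypt", "$1$": "md5crypt",
                  "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}

def decode_ldif_value(raw: str, base64_encoded: bool) -> str:
    """LDIF '::' values are base64; ':' values are literal."""
    return base64.b64decode(raw).decode("utf-8", "replace") if base64_encoded else raw

def parse_ldif(text: str) -> list:
    """Unfold continuation lines (leading space), split entries on blank lines,
    and return one {attribute: [values]} dict per entry."""
    unfolded = re.sub(r"\n ", "", text)
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, sep, value = re.match(r"([^:]+)(::?) ?(.*)", line).groups()
            entry.setdefault(attr, []).append(decode_ldif_value(value, sep == "::"))
        entries.append(entry)
    return entries

def classify_user_password(value: str) -> tuple:
    """Return (scheme, bindable, note) for one stored userPassword value."""
    m = re.match(r"\{(\w+)\}(.*)", value, re.S)
    if not m:                         # no {scheme} prefix: cleartext per RFC 2307
        return ("cleartext", True, "stored in the clear; rotate and rehash")
    scheme, payload = m.group(1).lower(), m.group(2)
    if scheme != "crypt":
        return (scheme, True, "RFC 2307 " + scheme + " hash")
    if payload in LOCK_MARKERS:
        return ("crypt", False, "lock/placeholder marker %r: no password can match" % payload)
    algo = next((name for p, name in CRYPT_PREFIXES.items() if payload.startswith(p)), "descrypt")
    weak = algo in ("md5crypt", "descrypt")
    return ("crypt/" + algo, True, "weak crypt variant, rehash" if weak else "salted crypt hash")

def audit(ldif_text: str) -> dict:
    """Map each DN that carries userPassword to its classification."""
    report = {}
    for entry in parse_ldif(ldif_text):
        for pw in entry.get("userPassword", []):
            report[entry["dn"][0]] = classify_user_password(pw)
    return report

if __name__ == "__main__":
    for dn, (scheme, bindable, note) in audit(SAMPLE_LDIF).items():
        print("%-48s %-18s bindable=%-5s %s" % (dn, scheme, bindable, note))
```

Feed it real output by piping ldapsearch through it, for instance ldapsearch -x -b dc=hortonworks,dc=com userPassword with a bind that is allowed to read the attribute; entries reported as not bindable will fail Ambari's LDAP login no matter what password is typed, which is independent of whether Ambari's own sync succeeded.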