
Ambari LDAP Sync Issue

Expert Contributor

I have a working AD, and ldapsearch works from the Linux node to the AD machine. I'm trying to set up Ambari to integrate with AD using LDAP with SSL set to 'true' and am getting an SSL error. See below.

[root@rgarcia-hdp23201 ~]# ambari-server setup-ldap
Using python  /usr/bin/python2.6
Setting up LDAP properties...
Primary URL* {host:port} (host:389): host:636
Secondary URL {host:port} (host:389): host:636
Use SSL* [true/false] (true): true
User object class* (user): 
User name attribute* (cn): 
Group object class* (group): 
Group name attribute* (cn): 
Group member attribute* (memberUid): 
Distinguished name attribute* (dn): 
Base DN* (OU=Rommel_Garcia_Accounts,DC=AD-HDP,DC=COM): OU=Rommel_Garcia_Accounts,DC=AD-HDP,DC=COM
Referral method [follow/ignore] (follow): 
Bind anonymously* [true/false] (false): false
Manager DN* (CN=adadmin,OU=MyUsers,DC=AD-HDP,DC=COM): CN=adadmin,OU=MyUsers,DC=AD-HDP,DC=COM
Enter Manager Password* : 
Re-enter password: 
Do you want to provide custom TrustStore for Ambari [y/n] (y)?y
TrustStore type [jks/jceks/pkcs12] (jks):jks
Path to TrustStore file (/etc/ambari-server/keys/ldaps-keystore.jks):/etc/ambari-server/keys/ldaps-keystore.jks
Password for TrustStore:
Re-enter password: 
====================
Review Settings
====================
authentication.ldap.managerDn: CN=adadmin,OU=MyUsers,DC=AD-HDP,DC=COM
authentication.ldap.managerPassword: *****
ssl.trustStore.type: jks
ssl.trustStore.path: /etc/ambari-server/keys/ldaps-keystore.jks
ssl.trustStore.password: *****
Save settings [y/n] (y)? y
Saving...done
Ambari Server 'setup-ldap' completed successfully.
You have new mail in /var/spool/mail/root

[root@rgarcia-hdp23201 ~]# ambari-server restart
Using python  /usr/bin/python2.6
Restarting ambari-server
Using python  /usr/bin/python2.6
Stopping ambari-server
Ambari Server stopped
Using python  /usr/bin/python2.6
Starting ambari-server
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources...
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start....................
Ambari Server 'start' completed successfully.

[root@rgarcia-hdp23201 ~]# ambari-server sync-ldap --all
Using python  /usr/bin/python2.6
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password: 
Syncing all...ERROR: Exiting with exit code 1. 
REASON: Caught exception running LDAP sync. host:636; nested exception is javax.naming.CommunicationException:
host:636 [Root exception is java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)]

[root@rgarcia-hdp23201 ~]# ambari-server sync-ldap --all
Using python /usr/bin/python2.6
Syncing with LDAP...
Enter Ambari Admin login: adadmin
Enter Ambari Admin password:
Syncing all.ERROR: Exiting with exit code 1.
REASON: Sync event creation failed. Error details: HTTP Error 403:
host:636; nested exception is javax.naming.CommunicationException:
host:636 [Root exception is java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)]
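The NoSuchAlgorithmException above is what the JDK raises when its default SSLContext cannot be initialised; with a custom truststore configured for Ambari, the usual reasons are that the truststore file cannot be loaded at all: wrong path, unreadable by the ambari-server user, a file whose real format does not match the declared ssl.trustStore.type, or a wrong password. The following pre-flight check is an added example (Python 3, not Ambari's own code): it reads the ssl.trustStore.* keys that setup-ldap writes to ambari.properties and verifies the file before Java ever touches it. The function names (parse_properties, check_truststore, demo) and the constructed properties fragment are mine; the password itself can only be verified with keytool, which this check does not replace.

```python
import os
import tempfile

# Leading bytes of the keystore formats that setup-ldap offers (jks/jceks/pkcs12).
# JKS and JCEKS files start with a fixed 4-byte magic; a DER-encoded PKCS#12 file
# starts with an ASN.1 SEQUENCE tag (0x30).
KEYSTORE_MAGIC = {
    "jks": b"\xfe\xed\xfe\xed",
    "jceks": b"\xce\xce\xce\xce",
}


def parse_properties(text):
    """Parse key=value lines in the style of ambari.properties; skip blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_truststore(props):
    """Return a list of problems with the ssl.trustStore.* settings (empty list = looks fine).

    These are the failures a truststore hits before Java builds its default SSLContext;
    a wrong password is not detectable here and still needs `keytool -list`.
    """
    problems = []
    path = props.get("ssl.trustStore.path", "")
    ks_type = props.get("ssl.trustStore.type", "jks").lower()
    if not path:
        return ["ssl.trustStore.path is not set"]
    if not os.path.isfile(path):
        return ["truststore file does not exist: %s" % path]
    if not os.access(path, os.R_OK):
        return ["truststore is not readable by this user: %s" % path]
    with open(path, "rb") as fh:
        head = fh.read(4)
    if ks_type in KEYSTORE_MAGIC:
        if head != KEYSTORE_MAGIC[ks_type]:
            problems.append("%s does not start with the %s magic (got %s)"
                            % (path, ks_type, head.hex()))
    elif ks_type == "pkcs12":
        if not head.startswith(b"\x30"):
            problems.append("%s does not look like a DER PKCS#12 file (got %s)"
                            % (path, head.hex()))
    else:
        problems.append("unsupported ssl.trustStore.type: %s" % ks_type)
    if not props.get("ssl.trustStore.password"):
        problems.append("ssl.trustStore.password is empty")
    return problems


def demo():
    """Run the check against constructed files: a well-formed JKS header, a PKCS#12-shaped
    file mislabelled as jks, and a path that does not exist. Returns {case: problems}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "ldaps-truststore.jks")
        with open(good, "wb") as fh:
            fh.write(KEYSTORE_MAGIC["jks"] + b"\x00\x00\x00\x02")  # JKS magic + version 2
        bad = os.path.join(tmp, "actually-pkcs12.jks")
        with open(bad, "wb") as fh:
            fh.write(b"\x30\x82\x0a\x00")  # ASN.1 SEQUENCE header, i.e. PKCS#12 shape
        # Constructed ambari.properties fragment (keys as printed by setup-ldap above).
        template = (
            "ssl.trustStore.type=jks\n"
            "ssl.trustStore.path=%s\n"
            "ssl.trustStore.password=%s\n"
        )
        results["good_jks"] = check_truststore(parse_properties(template % (good, "changeit")))
        results["mislabelled"] = check_truststore(parse_properties(template % (bad, "changeit")))
        missing = os.path.join(tmp, "nope.jks")
        results["missing_file"] = check_truststore(parse_properties(template % (missing, "")))
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or ["ok"])
```

On a real server, point parse_properties at /etc/ambari-server/conf/ambari.properties and run the check as the same user ambari-server runs under, since a file root can read is not necessarily readable by that account.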
1 ACCEPTED SOLUTION

Expert Contributor

I was able to resolve my issue by going into Active Directory and changing all the users' password policy from "User must change password at next logon" to "Password never expires". Now all users are able to log in to Ambari.

ad-users.png


14 REPLIES


@Guilherme Braccialli here is the config we used for IPA. When providing the Ambari admin user/pass, this needs to exist in your IPA. So in my example I passed in admin/hortonworks. If you are passing in admin/admin it probably won't work:

https://github.com/abajwa-hw/security-workshops/blob/master/Setup-Ambari.md#authentication-via-ldap

Note that group memberships won't work, since IPA uses OpenLDAP, which does not expose the DN. @Paul Codding, @David Streever, @Sean Roberts and I found this the hard way. See BUG-45536 for more info (and upvote!)


Thanks @abajwa@hortonworks.com, yes I'm following your guide. As you pointed out, the problem was the wrong password: I was using the LDAP password instead of the Ambari one.

Does this group membership issue affect only Ambari, or does it also affect Ranger usersync?

Expert Contributor

Ambari is using PostgreSQL, and I've updated the active flag of the local "admin" user in the users table, and now I am able to log in as admin/admin. Now the AD users appear in the Ambari Users list. However, if I try to log in as one of the AD users, it gives this error: Unable to sign in. Invalid username/password combination.

New Contributor

Hello,

I'm facing the same error 403 issue as you did earlier, and I'm not able to log in with my Ambari admin login after the Ambari and LDAP sync failed.

I'm looking to integrate an LDAP server with the Hortonworks sandbox Ambari (HDP 2.5), ambari-server --version 2.4.0.0-1225. I have tried twice to run "ambari-server setup-ldap" and "ambari-server sync-ldap --all", but I keep getting error 403 at the beginning of the LDAP sync. When this error comes up, I'm no longer able to log in to the Ambari UI with my Ambari credentials (admin/password), even after resetting my password with "ambari-admin-password-reset". What I've observed so far is that I can log in with the "maria_dev/maria_dev" credentials and also with some new users I added during the LDAP server setup. I was wondering if this could be a password migration tool doing the wrong password migration? I have checked the user "admin" in my LDAP database, and I can observe that it's not encrypted in the same way as users like maria_dev or raj_ops!! (see below). Can this cause trouble during my ambari-server and LDAP synchronization, or is it due to my ambari-server LDAP setup settings?

==> MARIA_DEV INFORMATION
[root@sandbox ~]# ldapsearch -x cn=maria_dev -b dc=hortonworks,dc=com
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: cn=maria_dev
# requesting: ALL
#

# maria_dev, People, hortonworks.com
dn: uid=maria_dev,ou=People,dc=hortonworks,dc=com
uid: maria_dev
cn: maria_dev
sn: maria_dev
mail: maria_dev@hortonworks.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JC94YTFDb0dTMnAvOC4yRCQ3MDkuL1pYRHpnV01vVGIzeWdnNnd
HNUNuM2ZXck82QTBzUGhOZzVFZEpodjF2LmRTQnBEelJUMHpPaFBUdmxZSzhGU3NVZEppS1M2QUFo
OXpqLld1MQ==
shadowLastChange: 17099
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1023
gidNumber: 1023
homeDirectory: /home/maria_dev

# maria_dev, Group, hortonworks.com
dn: cn=maria_dev,ou=Group,dc=hortonworks,dc=com
objectClass: posixGroup
objectClass: top
cn: maria_dev
userPassword:: e2NyeXB0fXg=
gidNumber: 1023

=======> ADMIN INFORMATION:
[root@sandbox ~]# ldapsearch -x cn=admin -b dc=hortonworks,dc=com
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: cn=admin
# requesting: ALL
#

# admin, People, hortonworks.com
dn: uid=admin,ou=People,dc=hortonworks,dc=com
uid: admin
cn: admin
sn: admin
mail: admin@hortonworks.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSEh
shadowLastChange: 17099
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/admin

# admin, Group, hortonworks.com
dn: cn=admin,ou=Group,dc=hortonworks,dc=com
objectClass: posixGroup
objectClass: top
cn: admin
userPassword:: e2NyeXB0fXg=
gidNumber: 1005

# search result
search: 2
result: 0 Success

Thanks a lot for your help.

Regards,

Sidoine.
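The userPassword values in the ldapsearch output above are base64-encoded (the double colon `::` in LDIF marks that), so the difference between the accounts is only visible after decoding. The script below is an added example, not part of Sidoine's post or of Ambari: it unfolds the LDIF, decodes the values, and classifies what each `{crypt}` body can verify against. The sample LDIF is constructed from the entries shown in the post (same DNs and userPassword values, other attributes dropped); the function names are mine. One fact it relies on: crypt(3) never produces `!!` or `x` as output, which is the /etc/shadow convention for a locked or placeholder entry, so no password can ever match such a value.

```python
import base64
import re

# Constructed from the ldapsearch output in the post above: only dn and userPassword kept.
# Continuation lines start with a single space, as LDIF requires.
SAMPLE_LDIF = """\
# maria_dev, People, hortonworks.com
dn: uid=maria_dev,ou=People,dc=hortonworks,dc=com
uid: maria_dev
userPassword:: e2NyeXB0fSQ2JC94YTFDb0dTMnAvOC4yRCQ3MDkuL1pYRHpnV01vVGIzeWdnNnd
 HNUNuM2ZXck82QTBzUGhOZzVFZEpodjF2LmRTQnBEelJUMHpPaFBUdmxZSzhGU3NVZEppS1M2QUFo
 OXpqLld1MQ==

# maria_dev, Group, hortonworks.com
dn: cn=maria_dev,ou=Group,dc=hortonworks,dc=com
userPassword:: e2NyeXB0fXg=

# admin, People, hortonworks.com
dn: uid=admin,ou=People,dc=hortonworks,dc=com
uid: admin
userPassword:: e2NyeXB0fSEh

# admin, Group, hortonworks.com
dn: cn=admin,ou=Group,dc=hortonworks,dc=com
userPassword:: e2NyeXB0fXg=

# search result
search: 2
result: 0 Success
"""

# attribute name, then ":" (plain) or "::" (base64), optional space, value
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading single space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def decode_value(b64):
    """Decode a base64 LDIF value to text (non-UTF-8 bytes are replaced, not raised)."""
    return base64.b64decode(b64).decode("utf-8", "replace")


def parse_entries(text):
    """Return one dict per entry: attribute -> list of decoded values. Entries without a dn
    (such as the trailing 'search result' block) are dropped."""
    entries, current = [], {}
    for line in unfold_ldif(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":
            value = decode_value(value)
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return [e for e in entries if "dn" in e]


def classify_password(value):
    """Return (scheme, verdict) for a userPassword value."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}(.*)$", value, re.S)
    if not m:
        return ("none", "no-scheme-prefix")
    scheme, body = m.group(1).lower(), m.group(2)
    if scheme != "crypt":
        return (scheme, "directory-handled")
    if body.startswith("$6$"):
        return ("crypt", "sha512-crypt")
    if body.startswith("$5$"):
        return ("crypt", "sha256-crypt")
    if body.startswith("$1$"):
        return ("crypt", "md5-crypt")
    # '!', '!!', '*' and 'x' are shadow-file markers, not hashes: nothing verifies against them.
    if body in ("", "*", "x") or body.startswith("!"):
        return ("crypt", "locked-or-invalid")
    return ("crypt", "other-crypt")


def audit_user_passwords(ldif_text):
    """Map each dn carrying a userPassword to its (scheme, verdict)."""
    report = {}
    for entry in parse_entries(ldif_text):
        for value in entry.get("userPassword", []):
            report[entry["dn"][0]] = classify_password(value)
    return report


if __name__ == "__main__":
    for dn, (scheme, verdict) in audit_user_passwords(SAMPLE_LDIF).items():
        print("%-50s %-6s %s" % (dn, scheme, verdict))
```

Run against a full `ldapsearch -x -b dc=hortonworks,dc=com userPassword` dump, this lists every account whose stored value can never authenticate, which is the first thing to check when one directory user can log in and another cannot.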
