Support Questions

Find answers, ask questions, and share your expertise

Ambari LDAP Sync Issue

avatar
Expert Contributor

Have a working AD and ldapsearch works from Linux node to AD machine. Trying to setup Ambari to integrate with AD using LDAP with SSl set to 'true' and getting an SSL error. See below.

[root@rgarcia-hdp23201 ~]# ambari-server setup-ldap

Using python  /usr/bin/python2.6

Setting up LDAP properties...

Primary URL* {host:port} (host:389): host:636

Secondary URL {host:port} (host:389): host:636

Use SSL* [true/false] (true): true

User object class* (user): 

User name attribute* (cn): 

Group object class* (group): 

Group name attribute* (cn): 

Group member attribute* (memberUid): 

Distinguished name attribute* (dn): 

Base DN* (OU=Rommel_Garcia_Accounts,DC=AD-HDP,DC=COM): OU=Rommel_Garcia_Accounts,DC=AD-HDP,DC=COM

Referral method [follow/ignore] (follow): 

Bind anonymously* [true/false] (false): false

Manager DN* (CN=adadmin,OU=MyUsers,DC=AD-HDP,DC=COM): CN=adadmin,OU=MyUsers,DC=AD-HDP,DC=COM

Enter Manager Password* : 

Re-enter password: 

Do you want to provide custom TrustStore for Ambari [y/n] (y)?y

TrustStore type [jks/jceks/pkcs12] (jks):jks

Path to TrustStore file (/etc/ambari-server/keys/ldaps-keystore.jks):/etc/ambari-server/keys/ldaps-keystore.jks

Password for TrustStore:

Re-enter password: 

====================

Review Settings

====================

authentication.ldap.managerDn: CN=adadmin,OU=MyUsers,DC=AD-HDP,DC=COM

authentication.ldap.managerPassword: *****

ssl.trustStore.type: jks

ssl.trustStore.path: /etc/ambari-server/keys/ldaps-keystore.jks

ssl.trustStore.password: *****

Save settings [y/n] (y)? y

Saving...done

Ambari Server 'setup-ldap' completed successfully.

You have new mail in /var/spool/mail/root

[root@rgarcia-hdp23201 ~]# ambari-server restart

Using python  /usr/bin/python2.6

Restarting ambari-server

Using python  /usr/bin/python2.6

Stopping ambari-server

Ambari Server stopped

Using python  /usr/bin/python2.6

Starting ambari-server

Ambari Server running with administrator privileges.

Organizing resource files at /var/lib/ambari-server/resources...

Server PID at: /var/run/ambari-server/ambari-server.pid

Server out at: /var/log/ambari-server/ambari-server.out

Server log at: /var/log/ambari-server/ambari-server.log

Waiting for server start....................

Ambari Server 'start' completed successfully.

[root@rgarcia-hdp23201 ~]# ambari-server sync-ldap --all

Using python  /usr/bin/python2.6

Syncing with LDAP...

Enter Ambari Admin login: admin

Enter Ambari Admin password: 

Syncing all...ERROR: Exiting with exit code 1. 

REASON: Caught exception running LDAP sync. host:636; nested exception is javax.naming.CommunicationException:
host:636 [Root exception is java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)]
[root@rgarcia-hdp23201 ~]# ambari-server sync-ldap --all
Using python /usr/bin/python2.6
Syncing with LDAP...
Enter Ambari Admin login: adadmin
Enter Ambari Admin password:
Syncing all.ERROR: Exiting with exit code 1.
REASON: Sync event creation failed. Error details: HTTP Error 403:
host:636; nested exception is javax.naming.CommunicationException:
host:636 [Root exception is java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)]
1 ACCEPTED SOLUTION

avatar
Expert Contributor

I was able to resolve my issue by going into Active Directory and changing all the user's password policy from "User must change password at next logon" to "Password never expires". Now all users are able to login to Ambari.

ad-users.png

View solution in original post

14 REPLIES 14

avatar
Master Mentor

@rgarcia@hortonworks.com

This may help. Status code 403 responses are the result of the web server being configured to deny access, for some reason, to the requested resource by the client.

[root@testhwx01 ~]# ambari-server stop
Using python  /usr/bin/python2.6
Stopping ambari-server
Ambari Server stopped
[root@testhwx01 ~]# ambari-server setup-ldap
Using python  /usr/bin/python2.6
Setting up LDAP properties...
Primary URL* {host:port} (xxxx:389):
Secondary URL {host:port} :
Use SSL* [true/false] (false):
User object class* (posixAccount): user
User name attribute* (sAMAccountName): sAMAccountName
Group object class* (group):
Group name attribute* (cn):
Group member attribute* (member):
Distinguished name attribute* (dn):
Base DN* (DC=nsabharwal,DC=com):
Referral method [follow/ignore] (follow):
Bind anonymously* [true/false] (false):
Manager DN* (CN=LDAP Access,OU=Service Accounts,DC=nsabharwal,DC=com):
Enter Manager Password* :
Re-enter password:
====================
Review Settings
====================
authentication.ldap.managerDn: CN=LDAP Access,OU=Service Accounts,DC=nsabharwal,DC=com
authentication.ldap.managerPassword: *****
Save settings [y/n] (y)?
Saving...done
Ambari Server 'setup-ldap' completed successfully.
[root@testhwx01 ~]# ambari-server start
Using python  /usr/bin/python2.6
Starting ambari-server
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources...
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start....................
Ambari Server 'start' completed successfully.
[root@testhwx01 ~]# ambari-server sync-ldap --all
Using python  /usr/bin/python2.6
Syncing with LDAP...
Enter Ambari Admin login:
Property cannot be blank.
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing all...
Completed LDAP Sync.
Summary:
  memberships:
  removed = 0
  created = 0
  users:
  updated = 1
  removed = 0
  created = 10
  groups:
  updated = 0
  removed = 0
  created = 0
Ambari Server 'sync-ldap' completed successfully.
[root@testhwx01 ~]#
Please check the port host:636

avatar
Rising Star

I follow your steps as given above but i got connection refused issue that is mension below

[root@sandbox ~]# ambari-server setup-ldap

Using python /usr/bin/python2

Setting up LDAP properties...

Primary URL* {host:port} (localhost:636): localhost:389

Secondary URL {host:port} :

Use SSL* [true/false] (false):

User object class* (person):

User name attribute* (cn):

Group object class* (posixGroup): group

Group name attribute* (memberof): cn

Group member attribute* (memberUid): member

Distinguished name attribute* (dn): dn

Base DN* (ou=people,dc=hadoop,dc=apache,dc=org):

Referral method [follow/ignore] (ignore): follow

Bind anonymously* [true/false] (false):

Manager DN* (uid=hdfs,ou=people,dc=hadoop,dc=apache,dc=org):

Enter Manager Password* :

Re-enter password:

====================

Review Settings

====================

authentication.ldap.managerDn: uid=hdfs,ou=people,dc=hadoop,dc=apache,dc=org authentication.ldap.managerPassword: *****

Save settings [y/n] (y)? y Saving...done

Ambari Server 'setup-ldap' completed successfully.

[root@sandbox ~]# ambari-server start

Using python /usr/bin/python2

Starting ambari-server

Ambari Server running with administrator privileges.

Organizing resource files at /var/lib/ambari-server/resources...

Server PID at: /var/run/ambari-server/ambari-server.pid Server out at: /var/log/ambari-server/ambari-server.out Server log at: /var/log/ambari-server/ambari-server.log

Waiting for server start....................

Ambari Server 'start' completed successfully.

[root@sandbox ~]# ambari-server sync-ldap --

all Using python /usr/bin/python2

Syncing with LDAP...

Enter Ambari Admin login:

admin Enter Ambari Admin password:

Syncing all..ERROR: Exiting with exit code 1. REASON: Caught exception running LDAP sync. localhost:389; nested exception is javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: Connection refused (Connection refused)]

[root@sandbox ~]#

avatar
New Contributor

hello Neerraj,

i'm looking for integrating LDAP server with hortonworks sandbox Ambari (HDP 2.5) and ambari-server --version 2.4.0.0-1225 i have tried twice to run "ambari-server setup-ldap" and "ambari-server sync-ldap –all" twice, but i'm keeping having error 403 at the beginning of LDAP Sync. when this error come up, i'm not able anymore to logging into Ambari UI with my Ambari credentials (admin/password). even after reseting my password with "ambari-admin-password-reset". but what i've observed so far is that i could in logging with "maria_dev/maria_dev" credential and also with some new user i have added during LDAP setup server. i was wondering if this could be a password migration tools that is doing the wrong password migration? i have checked the user "admin" in my LDAP database, and i can observe that it's not encrypted in the same way as user like maria_dev or raj_ops!! (see below): can this cause trouble during my ambari-server and LDAP synchronization? or it is due to my ambari-server LDAP setup settings?

==> MARIA_DEV INFORMATIONS
[root@sandbox ~]# ldapsearch -x cn=maria_dev -b dc=hortonworks,dc=com
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: cn=maria_dev
# requesting: ALL
#

# maria_dev, People, hortonworks.com
dn: uid=maria_dev,ou=People,dc=hortonworks,dc=com
uid: maria_dev
cn: maria_dev
sn: maria_dev
mail: maria_dev@hortonworks.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JC94YTFDb0dTMnAvOC4yRCQ3MDkuL1pYRHpnV01vVGIzeWdnNnd
HNUNuM2ZXck82QTBzUGhOZzVFZEpodjF2LmRTQnBEelJUMHpPaFBUdmxZSzhGU3NVZEppS1M2QUFo
OXpqLld1MQ==
shadowLastChange: 17099
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1023
gidNumber: 1023
homeDirectory: /home/maria_dev

# maria_dev, Group, hortonworks.com
dn: cn=maria_dev,ou=Group,dc=hortonworks,dc=com
objectClass: posixGroup
objectClass: top
cn: maria_dev
userPassword:: e2NyeXB0fXg=
gidNumber: 1023

=======> ADMIN INFORMATION:
[root@sandbox ~]# ldapsearch -x cn=admin -b dc=hortonworks,dc=com
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: cn=admin
# requesting: ALL
#

# admin, People, hortonworks.com
dn: uid=admin,ou=People,dc=hortonworks,dc=com
uid: admin
cn: admin
sn: admin
mail: admin@hortonworks.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSEh
shadowLastChange: 17099
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/admin

# admin, Group, hortonworks.com
dn: cn=admin,ou=Group,dc=hortonworks,dc=com
objectClass: posixGroup
objectClass: top
cn: admin
userPassword:: e2NyeXB0fXg=
gidNumber: 1005

# search result
search: 2
result: 0 Success

thanks a lot for your help.

regards.

sidoine.

avatar
Expert Contributor

I was able to sync the LDAP users to Ambari but all of the ldap users are not able to login to Ambari UI. admin/admin local account no longer can login as well. Getting 403 Forbidden errors.

avatar
Master Mentor

Do you have admin user in AD?

avatar
Expert Contributor

Yes, admin user is in AD.

avatar
Rising Star
@rgarcia@hortonworks.com

If the admin user is synchronized from AD, then you will have to update the Ambari DB and update it. You should probably create a backup admin user with different name with Admin privileges in Ambari.

mysql> use ambaricustom

mysql> update users set ldap_user=0 where user_name='admin';

avatar
Expert Contributor

I tried logging in to mysql using the admin/admin account but won't let me in. Also tried root@hostname, same issue.

avatar

I'm having similar issues, but in my case I'm trying to sync with FreeIPA:

[root@hdp23 ambari-server]# ambari-server setup-ldap
Using python  /usr/bin/python2.6
Setting up LDAP properties...
Primary URL* {host:port} (ipa.hadoop.braccialli:389):
Secondary URL {host:port} :
Use SSL* [true/false] (false):
User object class* (posixAccount):
User name attribute* (uid):
Group object class* (posixGroup):
Group name attribute* (cn):
Group member attribute* (memberUid):
Distinguished name attribute* (dn):
Base DN* (cn=accounts,dc=hadoop,dc=braccialli):
Referral method [follow/ignore] : follow
Bind anonymously* [true/false] (false):
Manager DN* (uid=admin,cn=users,cn=accounts,dc=hadoop,dc=braccialli):
Enter Manager Password* :
Re-enter password:
====================
Review Settings
====================
authentication.ldap.managerDn: uid=admin,cn=users,cn=accounts,dc=hadoop,dc=braccialli
authentication.ldap.managerPassword: *****
Save settings [y/n] (y)? y
Saving...done
Ambari Server 'setup-ldap' completed successfully.
[root@hdp23 ambari-server]# ambari-server restart
Using python  /usr/bin/python2.6
Restarting ambari-server
Using python  /usr/bin/python2.6
Stopping ambari-server
Ambari Server stopped
Using python  /usr/bin/python2.6
Starting ambari-server
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources...
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start....................
Ambari Server 'start' completed successfully.
[root@hdp23 ambari-server]# ambari-server sync-ldap --all
Using python  /usr/bin/python2.6
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing all.ERROR: Exiting with exit code 1.
REASON: Sync event creation failed. Error details: HTTP Error 403: You do not have permissions to access this resource.


from /var/log/ambari-server/ambari-server.log I get:
14 Oct 2015 07:12:31,544  INFO [qtp-client-21] FilterBasedLdapUserSearch:89 - SearchBase not set. Searches will be performed from the root: cn=accounts,dc=hadoop,dc=braccialli
14 Oct 2015 07:12:31,584 ERROR [qtp-client-21] AmbariLdapAuthoritiesPopulator:70 - Can't get authorities for user admin, he is not present in local DB