
Ambari LDAP authentication from multiple sub domains


New Contributor

We have Ambari LDAP configured with one of the sub domains, and all users from that domain are available in Ambari after the LDAP sync.

Now users from another sub domain need access to the Ambari console.

How do we enable LDAP with other sub domains?

Below is the current LDAP configuration in /etc/ambari-server/conf/ambari.properties

------------------------

ambari.ldap.isConfigured=true

authentication.ldap.baseDn=DC=sub1,DC=ad,DC=abc,DC=com

authentication.ldap.bindAnonymously=false

authentication.ldap.dnAttribute=dn

authentication.ldap.groupMembershipAttr=member

authentication.ldap.groupNamingAttr=cn

authentication.ldap.groupObjectClass=group

authentication.ldap.managerDn=Hadoop-AD-Admin-devl@sub1.ad.abc.com

authentication.ldap.managerPassword=${alias=ambari.ldap.manager.password}

authentication.ldap.primaryUrl=sub1.ad.abc.com:389

authentication.ldap.referral=follow

authentication.ldap.useSSL=false

authentication.ldap.userObjectClass=user

authentication.ldap.usernameAttribute=sAMAccountName

client.security=ldap

------------------------

All users from "sub1.ad.abc.com" are available in Ambari.

Need access for users from "sub2.ad.abc.com" to Ambari.

Ambari server Version: 2.4.0.1


Re: Ambari LDAP authentication from multiple sub domains

New Contributor

I tried configuring authentication.ldap.secondaryUrl and did ldap sync --all.

Ambari Server 'sync-ldap' completed successfully.

But I could not find any users/groups from the secondary domain, and there were no logs about the sync (like failed/success, or any errors).

Any way we can validate LDAP sync?