
Ambari LDAP user/group sync failed

Expert Contributor

I've tried to integrate Ambari with AD. I was able to integrate it without encrypting passwords, but once I tried to encrypt passwords for the sake of security, I got stuck at the user/group sync step. I've followed the following manual.

After passing the encryption step, I tried to synchronise users/groups using "ambari-server sync-ldap --all". Unfortunately, that command failed, and when I checked the ambari-server log, there was an error: "Configuration:1850 - Cannot read password for alias = ${alias=ambari.ldap.manager.password}". Is this some kind of bug, or have I missed a step?

FYI I am using HDP 2.5.0 and Ambari 2.4.1.


Expert Contributor

I have managed to solve the issue. It was related to having escaping characters in the provided password. I've used a simpler password and everything is working now.



Super Guru

@Ali Nazemian

I see this is a BUG. Please check the link -

Below is the HWX bug url -

There is Patch provided to fix this issue.

Expert Contributor

Has it been fixed already in 2.4.1 version?

Master Mentor

@Ali Nazemian

You are using 2.4.1 where this can happen when the encrypted password is null/empty.

      // result is the byte[] returned by the credential store lookup for aliasStr
      if (result != null) {
        password = new String(result);
      } else {
        LOG.error("Cannot read password for alias = " + aliasStr);
      }

- So I am suspecting that your password encryption was not done successfully. So try the encryption again, or try removing the encryption and then freshly enabling the password encryption:

(OLD Doc but should work)

- And do not forget to restart ambari server after enabling the encryption.

Expert Contributor

Can it be related to having special characters in the provided password?


A special character should not really affect this; however, it may depend on how special that character is. If it is just a normal ASCII letter, number, or punctuation mark, it will be fine. However, if the character is not in the Western Latin character set, it may not have a valid translation. But I do not think that you would see the error message you posted.

That said, it is possible that your key did not make it into the Ambari credential store. You can check that by listing the keys in the credential store:

$JAVA_HOME/bin/keytool -list -keystore /var/lib/ambari-server/keys/credentials.jceks -storetype JCEKS

In my case $JAVA_HOME is /usr/jdk64/jdk1.8.0_77, so you might want to call the command using something like

/usr/jdk64/jdk1.8.0_77/bin/keytool -list -keystore /var/lib/ambari-server/keys/credentials.jceks -storetype JCEKS

After running this command, you will be prompted for a password. That password is the master password you set when enabling this feature.


# /usr/jdk64/jdk1.8.0_77/bin/keytool -list -keystore /var/lib/ambari-server/keys/credentials.jceks -storetype JCEKS
Enter keystore password:

Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

ambari.ldap.manager.password, Jan 4, 2017, SecretKeyEntry,
ambari.db.password, Jan 4, 2017, SecretKeyEntry,

Here we see that the ambari.ldap.manager.password alias exists.

In my setup, we see that the ambari.ldap.manager.password alias is assigned to the LDAP manager password property:


If your credential store does not have the ambari.ldap.manager.password entry, then you should be able to add it by rerunning the ambari-server setup-ldap command. Or you can try to manually add the password to the credential store using the keytool command like:

$JAVA_HOME/bin/keytool -importpass -alias ambari.ldap.manager.password -keystore /var/lib/ambari-server/keys/credentials.jceks -storetype JCEKS 

For example,

/usr/jdk64/jdk1.8.0_77/bin/keytool -importpass -alias ambari.ldap.manager.password -keystore /var/lib/ambari-server/keys/credentials.jceks -storetype JCEKS
Enter keystore password:
Enter the password to be stored:
Re-enter password:
Enter key password for <ambari.ldap.manager.password>
	(RETURN if same as keystore password):

I entered the master password at the first prompt and the LDAP manager password for the next 2 prompts. I simply hit the return key for the last prompt.

Maybe this will help.
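The check described above can be scripted so that it is repeatable (for example after every ambari-server setup-ldap run). The script below is an added example and is not part of the original answer or of Ambari itself. It reads the property value that the error message quotes (the "${alias=...}" reference), extracts the alias, and looks for that alias in the JCEKS listing. Assumptions: the credential store path is the one shown in this thread; the ambari.properties path /etc/ambari-server/conf/ambari.properties and the keytool "-storepass:env" option (which reads the master password from an environment variable instead of the command line, so it does not show up in ps) are assumptions from my own environment; the sample listing embedded in the script is constructed from the output format shown in this thread.

```shell
#!/bin/sh
# Added example, not Ambari's own tooling: verify that the alias referenced by an
# Ambari password property actually exists in the JCEKS credential store.

# Assumed default locations (override via environment).
CRED_STORE="${CRED_STORE:-/var/lib/ambari-server/keys/credentials.jceks}"
AMBARI_PROPS="${AMBARI_PROPS:-/etc/ambari-server/conf/ambari.properties}"   # assumed path
KEYTOOL="${JAVA_HOME:+$JAVA_HOME/bin/}keytool"

# Extract NAME from a property value of the form ${alias=NAME}; prints nothing
# when the value is not an alias reference (i.e. a plaintext password).
alias_from_ref() {
  printf '%s\n' "$1" | sed -n 's/^\${alias=\([^}]*\)}$/\1/p'
}

# Return 0 if the keytool listing ($1) contains an entry whose alias is exactly $2.
# keytool prints one "alias, date, EntryType," line per entry, so compare field 1.
alias_in_listing() {
  printf '%s\n' "$1" | awk -F', ' -v a="$2" '$1 == a { found = 1 } END { exit (found ? 0 : 1) }'
}

# Read a property value from an ambari.properties-style file ($1 = file, $2 = key).
prop_value() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# Live check: list the store with the master password taken from $MASTER_PASS
# and report whether the alias is present. Exit codes: 0 present, 1 missing,
# 2 store unreadable, 3 keytool failed (typically a wrong master password).
check_store() {
  store="$1"; alias="$2"
  [ -r "$store" ] || { echo "credential store not readable: $store" >&2; return 2; }
  listing=$("$KEYTOOL" -list -keystore "$store" -storetype JCEKS -storepass:env MASTER_PASS 2>&1) || {
    echo "keytool failed: $listing" >&2; return 3; }
  if alias_in_listing "$listing" "$alias"; then
    echo "alias present in $store: $alias"
  else
    echo "alias MISSING from $store: $alias (rerun ambari-server setup-ldap or keytool -importpass)" >&2
    return 1
  fi
}

# Constructed sample data, in the format shown in the thread, so the script can be
# exercised without a real Ambari host.
SAMPLE_PROP_VALUE='${alias=ambari.ldap.manager.password}'
SAMPLE_LISTING='Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

ambari.ldap.manager.password, Jan 4, 2017, SecretKeyEntry,
ambari.db.password, Jan 4, 2017, SecretKeyEntry,'

demo() {
  a=$(alias_from_ref "$SAMPLE_PROP_VALUE")
  echo "property references alias: $a"
  if alias_in_listing "$SAMPLE_LISTING" "$a"; then
    echo "sample listing: alias present"
  else
    echo "sample listing: alias missing"
  fi
}

demo
```

For a real check, export MASTER_PASS with the master password set when enabling encryption, then call `check_store "$CRED_STORE" "$(alias_from_ref "$(prop_value "$AMBARI_PROPS" authentication.ldap.managerPassword)")"`, adjusting the property key to whatever your ambari.properties uses for the LDAP manager password. A non-zero exit with "alias MISSING" points at the situation the answer above describes: the reference exists in the properties file but the secret never reached the store.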

Expert Contributor

Thank you very much, but it was because of having escaping characters inside the password. I saw similar issues with using complex passwords for other HDF and HDP applications as well.
