Created 07-20-2016 09:31 AM
Few questions on Ambari for LDAP or Active Directory Authentication:
1. When users are synced into Ambari, are the passwords also stored in Ambari's local DB along with the usernames?
2. When a user logs into Ambari, is there a way for the user to change his password?
3. When we create a user in AD, we set the property "user must change password at next logon"; however, after the ldap-sync, the user cannot log in to Ambari. What could be the problem? Also, when we go back to AD and untick this option ("user must change password at next logon"), the user is now able to log in to Ambari?
Any pointers would help
Thanks
Created 07-20-2016 09:38 AM
1. Yes, it stores the Manager DN and Manager Password. When you do "ambari-server sync-ldap --all" to sync users and groups, it will ask for just the Ambari Admin credentials.
2. I see a "cannot change password" message when I hover over the Password section for an LDAP user in the "Manage Ambari" section. I think the user password should be changed via the interface provided to them, which will reflect in AD. Later we can sync LDAP from the Ambari Server.
3. When in AD we check the option to change the password at first logon, it will prompt the user to change the password at first login and then proceed. Ambari does not facilitate/provide such an interface to change the password when prompted, and hence it will fail, as per my understanding.
Refer to screenshot: screen-shot-2016-07-20-at-32931-pm.png
Created 07-20-2016 01:10 PM
@Krishna Pandey is mostly correct, however:
For #1, though Ambari does store the manager DN and password, it does not store the synced users' passwords. Because of this, Ambari relies on the LDAP server to validate authentication for these users.
For #2 and #3, Ambari has no ability to manage passwords in the LDAP server. Therefore, if a user wants to change their password or is required to change their password, they need to use some other facility. With this, if the user must change their password before authenticating, then authentication will fail until the password is changed using some other facility. I assume that if the user is no longer required to change their password, authentication should work again.
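An added diagnostic for the #3 situation, not taken from this thread or from Ambari's own code: Active Directory rejects a simple bind for a user flagged "must change password at next logon" with LDAP error 49 and the sub-code "data 773" in its diagnostic message, which Ambari surfaces only as a failed login. The classifier below maps those AD sub-codes to causes so an operator can tell 773 apart from a wrong password or a disabled account; the optional live bind helper assumes the third-party ldap3 package, and the sample diagnostic string is constructed.

```python
import re

# Active Directory answers a failed simple bind with LDAP error 49
# (invalidCredentials) and puts the real cause in the diagnostic message
# as "data <hex>". These sub-codes are standard AD behaviour.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "logon not permitted at this time",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password at next logon",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")

def classify_ad_bind_failure(diagnostic_message):
    """Return (sub-code, meaning) from an AD bind diagnostic; ("", "unknown") if absent."""
    m = _DATA_RE.search(diagnostic_message or "")
    if not m:
        return "", "unknown"
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "unknown")

def explain_ambari_login_failure(username, diagnostic_message):
    """Operator-facing note: Ambari stores no synced-user passwords and cannot
    change them, so a 773 is cleared only in AD or via another password tool."""
    code, reason = classify_ad_bind_failure(diagnostic_message)
    note = f"{username}: bind rejected by AD ({reason}, data {code or '?'})"
    if code == "773":
        note += ("; clear 'User must change password at next logon' in AD "
                 "or have the user change the password outside Ambari")
    return note

def check_ad_bind(host, user_dn, password, use_ssl=True):
    """Simple-bind as the user and return (ok, diagnostic). Assumes the
    third-party ldap3 package is installed; imported lazily so the classifier
    above works without it."""
    from ldap3 import Connection, Server, SIMPLE  # assumption: ldap3 available
    conn = Connection(Server(host, use_ssl=use_ssl), user=user_dn,
                      password=password, authentication=SIMPLE)
    ok = conn.bind()
    return ok, ("" if ok else conn.result.get("message", ""))

# Constructed sample in AD's usual diagnostic format, not captured from a live domain.
SAMPLE_773 = ("80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext "
              "error, data 773, v1db1")
```

Running the same classifier over Ambari's server log after a failed LDAP login, or over the diagnostic returned by `check_ad_bind`, shows whether the rejection is the "must change password" flag or an ordinary credential problem.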