Ambari - ldap synced users not linked to their groups



I'm trying to sync my Ambari with my OpenLDAP server. Importing users and groups is working fine and I can connect to Ambari with the created users, but users are not linked to their groups as configured in LDAP.


Example of my user.ldif

dn: uid=ksad,ou=users,dc=centos,dc=hortonworkscluster,dc=com
uid: ksad
cn: karim sad
sn: sad
givenName: karim
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
homeDirectory: /home/ksad
uidNumber: 4000
gidNumber: 4000
mail: karim.sad@example.com
userPassword: ME1r3buywqs=

Example of my group.ldif

dn: cn=admins,ou=groups,dc=centos,dc=hortonworkscluster,dc=com
objectClass: posixGroup
objectClass: top
cn: admins
gidNumber: 5000
description: administrator group

ambari.properties

authentication.ldap.baseDn=dc=centos,dc=hortonworkscluster,dc=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=dn
authentication.ldap.groupMembershipAttr=gidNumber
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=posixGroup
authentication.ldap.managerDn=cn=ldapadm,dc=centos,dc=hortonworkscluster,dc=com
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=172.31.42.16:389
authentication.ldap.referral=follow
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=inetOrgPerson
authentication.ldap.usernameAttribute=uid

Re: Ambari - ldap synced users not linked to their groups

@Karim SAD

Looking at your group LDIF, I do not see any group membership attributes. In your LDAP config, you specify this as "gidNumber", however Ambari works from the group to the user, rather than from the user to the group - this is standard for LDAP user/group association.

Looking at the schema for posixGroup, I see that the group membership attribute is "memberUID" - see https://ldapwiki.com/wiki/PosixGroup. Since this value is the "uid" of a posixAccount, there is a way to have Ambari find users based on their uid rather than their dn to perform the mapping. To do this the 'ambari.ldap.advanced.user_member_filter' value needs to be set in the ambari.properties file like this:

ambari.ldap.advanced.user_member_filter=(&(objectclass=posixaccount)(uid={member}))

The placeholder, "{member}", will be replaced with the relevant UID value by Ambari when looking for the group member.

That said, it appears that your example group LDIF does not contain any member ("memberUID") attributes. For this to work these attributes must exist.

What LDAP server are you using? My guess is that it may be an OpenLDAP server. If my suggestions are not helping, I will try to install an LDAP server like yours and see if I can help figure it out.

Re: Ambari - ldap synced users not linked to their groups


Hi @Robert Levas

I'm using openldap, my problem is fixed by changing

authentication.ldap.groupMembershipAttr=gidNumber > authentication.ldap.groupMembershipAttr=memberUid

Thanks for your advice.
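Putting the reply's explanation and the poster's fix together, here is an added example (my own code, not Ambari's or the poster's) that parses constructed LDIF for the thread's user and group (with a memberUid attribute added to the group, as the reply says is required) and resolves membership group-to-user the way the reply describes: with gidNumber as the membership attribute nothing links, because the value 5000 matches no user; with memberUid and a uid-based member lookup, ksad is linked to admins.

```python
from collections import defaultdict

# Constructed LDIF: the thread's user and group, plus the memberUid attribute
# the reply says the group must carry for membership to resolve.
SAMPLE_LDIF = """\
dn: uid=ksad,ou=users,dc=centos,dc=hortonworkscluster,dc=com
uid: ksad
objectClass: posixAccount
objectClass: inetOrgPerson
gidNumber: 4000

dn: cn=admins,ou=groups,dc=centos,dc=hortonworkscluster,dc=com
objectClass: posixGroup
cn: admins
gidNumber: 5000
memberUid: ksad
"""

def parse_ldif(text):
    """Minimal LDIF parser: one dict per entry, every attribute multi-valued,
    attribute names lower-cased because LDAP treats them case-insensitively."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():            # blank line terminates an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value.strip())
    if current is not None:
        entries.append(current)
    return entries

def resolve_members(entries, membership_attr, member_lookup_attr="dn"):
    """Group-to-user resolution as the reply describes it: every value of
    membership_attr on a posixGroup is looked up against member_lookup_attr on
    the posixAccount entries (dn by default, uid when user_member_filter is
    (uid={member})). Returns {group cn: sorted list of member uids}."""
    users = [e for e in entries if "posixaccount" in map(str.lower, e["objectclass"])]
    groups = [e for e in entries if "posixgroup" in map(str.lower, e["objectclass"])]
    index = {v.lower(): u["uid"][0] for u in users
             for v in u[member_lookup_attr.lower()]}
    return {g["cn"][0]: sorted(index[m.lower()] for m in g[membership_attr.lower()]
                               if m.lower() in index) for g in groups}
```

Run `resolve_members(parse_ldif(SAMPLE_LDIF), "gidNumber")` and `resolve_members(parse_ldif(SAMPLE_LDIF), "memberUid", "uid")` to see the empty versus populated group mapping.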
