Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Ambari-server sync-ldap works fine but users are not mapped to groups

avatar
Rising Star

I have synced Users and groups in Ambari UI using,

ambari-server sync-ldap --users /home/centos/users.txt --groups /tmp/groups.txt 
Using python /usr/bin/python Syncing with LDAP... 
Enter Ambari Admin login: admin 
Enter Ambari Admin password: 
Syncing specified users and groups... 
Completed LDAP Sync. 
Summary: 
memberships: 
removed = 0 
created = 0 
users: 
skipped = 0 
removed = 0 
updated = 0 
created = 4 
groups: 
updated = 0 
removed = 0 
created = 0 

But users are not mapped to any group, but it does not add users to the group.

Which parameters should I check in ambari.properties.

1 ACCEPTED SOLUTION

avatar

@arjun more

Could you please check the properties,

User object class* : try changing it from person to user.
Group member attribute* : try changing it from memberof to memberid

Distinguished name attribute* : try changing it from dn to distinguishedName

These parameters are depends on your environment LDAP. Please check the values of these once again and try to sync up.

View solution in original post

5 REPLIES 5

avatar
@arjun more

Are you able to sync groups similar like users? If not, please check below parameter with your LDAP team and add them as per their request:

authentication.ldap.groupObjectClass[LDAP Object Class]The object class that is used for groups. Example: groupOfUniqueNames
authentication.ldap.groupMembershipAttr[LDAP attribute]The attribute for group membership. Example: uniqueMember
authentication.ldap.groupNamingAttr[LDAP attribute]The attribute for group name.

Checking the ambari-server logs would help you in getting the error message. Hope this helps you.

avatar
Master Mentor

What are the first 30 entries in your

/etc/ambari-server/conf/ambari-properties

avatar
Rising Star

I have below set of properties,

authentication.ldap.groupMembershipAttr=memberOf

authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=group
authentication.ldap.userObjectClass=person
authentication.ldap.usernameAttribute=sAMAccountName

authentication.ldap.dnAttribute=dn

avatar

@arjun more

Could you please check the properties,

User object class* : try changing it from person to user.
Group member attribute* : try changing it from memberof to memberid

Distinguished name attribute* : try changing it from dn to distinguishedName

These parameters are depends on your environment LDAP. Please check the values of these once again and try to sync up.

avatar
Rising Star

Hey Nitin,

Changed the configs like,

object class=user

Distinguished name attribute=distinguishedName

Group member attribute=member

And re-synced users. It is working now.

Thanks for help.