Support Questions

Find answers, ask questions, and share your expertise

Can't sync Ambari with LDAP

Hi guys

It's my turn to secure our cluster right now. But I have some trouble already with the LDAP connection of Ambari. On the production system I get the following error and I don't know where I can find the error anymore. Can you give me possible points where I should look for the error?

The certificates of the AD servers are imported and ldapsearch is working fine. I have add to the ambari-server.properties file the following content:

  • authentication.ldap.primaryUrl=dc1.ad.test.com:636
  • authentication.ldap.secondaryUrl=dc02.ad.test.com:636 authentication.ldap.useSSL=true
  • authentication.ldap.dnAttribute=distinguishedName authentication.ldap.usernameAttribute=sAMAccountName
  • authentication.ldap.baseDn="DC=ad,DC=test,DC=com" authentication.ldap.bindAnonymously=false
  • authentication.ldap.managerDn="CN=Service Account Hortonworks,OU=50.50.20 HadoopServiceUser,OU=50.50 Hortonworks,OU=50 Service User,DC=ad,DC=test,DC=com" authentication.ldap.userObjectClass=user
  • authentication.ldap.groupObjectClass=group
  • authentication.ldap.groupMembershipAttr=member
  • authentication.ldap.groupNamingAttr=cn

afterwards I run

[user1@ad.test.com home]$ sudo ambari-server setup-ldap 

and validate the adjustments of the ambari-server.properties. Then I restart the server and agent

[user1@ad.test.com home]$ sudo ambari-server restart 
[user1@ad.test.com home]$ sudo ambari-agent restart 

I create a file with only one entry: The Group with the Hadoop administrators.

[user1@ad.test.com home]$ echo HadoopAdmin > groups.txt 

after that I want to import the HadoopAdmin group into Ambari

[user1@ad.test.com home]$ sudo ambari-server sync-ldap --groups=groups.txt 
Using python  /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing all...ERROR: Exiting with exit code 1.
REASON: Caught exception running LDAP sync. [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839] 

In the Ambari Log I found the following error:

09 Apr 2018 16:37:00,577 ERROR [pool-18-thread-5] LdapSyncEventResourceProvider:460 - Caught exception running LDAP sync.
org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]
        at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:191)
        at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:356)
        at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:140)
        at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:159)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:357)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:309)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:642)
        at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getFilteredLdapUsers(AmbariLdapDataPopulator.java:667)
        at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getExternalLdapUserInfo(AmbariLdapDataPopulator.java:644)
        at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.synchronizeAllLdapUsers(AmbariLdapDataPopulator.java:212)
        at org.apache.ambari.server.controller.AmbariManagementControllerImpl.synchronizeLdapUsersAndGroups(AmbariManagementControllerImpl.java:5178)
        at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.syncLdap(LdapSyncEventResourceProvider.java:490)
        at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.processSyncEvents(LdapSyncEventResourceProvider.java:448)
        at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.access$000(LdapSyncEventResourceProvider.java:65)
        at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider$1.run(LdapSyncEventResourceProvider.java:259)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2883)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2797)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
        at javax.naming.InitialContext.init(InitialContext.java:244)
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
        at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:42)
        at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:344)
        ... 18 more


1 ACCEPTED SOLUTION

Cloudera Employee

Bill,

LDAP: error code 49 / data 52e indicates an Active Directory (AD) AcceptSecurityContext error, which is returned when the username is valid but the combination of password and user credential is invalid. You might want to check the admin credentials (/password) that you are using are as expected and probably even password policies for this user in AD.

Since you don't seem to be binding anonymously, I'm assuming you are providing the right manager password. Also, since you are using SSL, assuming the certs are imported fine in jks or default JDK keystore. You might also want to ensure the group entry in groups.txt is based off of groupMembershipAttr.

View solution in original post

1 REPLY 1

Cloudera Employee

Bill,

LDAP: error code 49 / data 52e indicates an Active Directory (AD) AcceptSecurityContext error, which is returned when the username is valid but the combination of password and user credential is invalid. You might want to check the admin credentials (/password) that you are using are as expected and probably even password policies for this user in AD.

Since you don't seem to be binding anonymously, I'm assuming you are providing the right manager password. Also, since you are using SSL, assuming the certs are imported fine in jks or default JDK keystore. You might also want to ensure the group entry in groups.txt is based off of groupMembershipAttr.

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.