Created 05-21-2016 08:24 AM
"ambari-server sync-ldap --users file" against an LDAP server with more than 10,000 users fails, saying one of the users in the file is not there. When I do ldapsearch from the command line without a filter, that user is not returned, because I guess the LDAP server returns a max of 2000 entities. When I do ldapsearch with a filter I can find him. How can I tell Ambari to do such a search using a filter? ldapsearch returns
distinguishedName: CN=user123456,OU=users,DC=example,DC=com
For ldapsearch I provide "(CN=user123456)" as my filter. In setup-ldap I do like below, but it doesn't work. Any ideas?
authentication.ldap.baseDn="OU=users,DC=example,DC=com"
authentication.ldap.usernameAttribute=CN
authentication.ldap.dnAttribute=distinguishedName
authentication.ldap.userObjectClass=organizationalPerson ... have 4 classes listed: top, person, organizationalPerson, user; also tried user
authentication.ldap.referral=ignore ... also tried follow
When I try to sync with one of the users returned using ldapsearch without a filter, it works.
Created 05-25-2016 01:53 AM
If the LDAP server is an Active Directory, you should make sure that the sync settings are similar to what is presented in this example:
I think the reason that you are not getting all of the users you expect is because in an Active Directory, the CN is typically auto-generated using the user's first and last name where the sAMAccountName is explicitly set as the userid (or username). However, it is possible to manually set the CN to the username and thus this is probably why you are getting some and not all of the expected results.
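A sketch of the settings change the answer above points to, added here as an illustration; it is not the answerer's own example or Ambari documentation. The property names and base DN are the ones from the question; using sAMAccountName with the `user` object class is an assumption about this directory.

```properties
# Added illustration (constructed); not the answer's example or Ambari documentation.
# Property names and the base DN are taken from the question above.

# As posted in the question: users are looked up by CN
#authentication.ldap.usernameAttribute=CN
#authentication.ldap.userObjectClass=organizationalPerson

# Assumed Active Directory equivalent: look users up by the explicitly set login name
authentication.ldap.baseDn=OU=users,DC=example,DC=com
authentication.ldap.usernameAttribute=sAMAccountName
authentication.ldap.userObjectClass=user
authentication.ldap.dnAttribute=distinguishedName
```

With these settings the names listed in the file passed to `--users` have to be sAMAccountName values rather than CN values.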
Created 05-21-2016 11:20 AM
Also tried to set authentication.ldap.pagination.enabled=false but to no avail. BTW, the LDAP is on AD.