Cannot sync-ldap Ambari

Master Guru

"ambari-server sync-ldap --users file" against an LDAP server with more than 10,000 users fails saying one of the users in the file is not there. When I do ldapsearch from the command line without filter, that user is not returned, because I guess LDAP server returns max of 2000 entities. When I do ldapsearch with a filter I can find him. How can I tell Ambari to do such search using a filter? ldapsearch returns

distinguishedName: CN=user123456,OU=users,DC=example,DC=com

For ldapsearch I provide "(CN=user123456)" as my filter. In setup-ldap I do like below, but it doesn't work. Any ideas?

authentication.ldap.baseDn="OU=users,DC=example,DC=com"
authentication.ldap.usernameAttribute=CN
authentication.ldap.dnAttribute=distinguishedName
authentication.ldap.userObjectClass=organizationalPerson  ... have 4 classes listed: top, person, organizationalPerson, user; also tried user
authentication.ldap.referral=ignore   ... also tried follow

When I try to sync with one of the users returned using ldapsearch without filter it works.

1 ACCEPTED SOLUTION

@Predrag Minovic

If the LDAP server is an Active Directory, you should make sure that the sync settings are similar to what is presented in this example:

https://docs.hortonworks.com/HDPDocuments/Ambari-2.2.1.0/bk_Ambari_Security_Guide/content/_example_a...

I think the reason that you are not getting all of the users you expect is because in an Active Directory, the CN is typically auto-generated using the user's first and last name where the sAMAccountName is explicitly set as the userid (or username). However, it is possible to manually set the CN to the username and thus this is probably why you are getting some and not all of the expected results.

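The thread above describes two separate effects: an unpaged, unfiltered search is cut off by the server's size limit (so a user past the cap is never listed), while a filtered lookup still finds that user; and a lookup keyed on CN only resolves the accounts whose CN happens to equal the username, whereas sAMAccountName resolves them all. The following is an added simulation written for this page, not Ambari's or Cloudera's code: it builds the user filter from the same `authentication.ldap.*` keys the question lists, runs it against a constructed in-memory directory, and applies an assumed server-side cap of 2000 entries (Active Directory's default MaxPageSize is 1000; the post observed about 2000). The filter matcher is a toy that handles only AND-ed equality terms, and the filter value is escaped per RFC 4515 so a name taken from the `--users` file cannot alter the filter.

```python
import re

# Assumed server-side result cap for an unpaged search (constructed value;
# AD's default MaxPageSize is 1000, the post above observed about 2000).
SIZE_LIMIT = 2000


def escape_filter_value(value):
    """RFC 4515 escaping, so a username read from the --users file cannot
    change the structure of the search filter (no wildcard or injected terms)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Reverse of escape_filter_value; used by the toy matcher below."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_user_filter(cfg, username):
    """Equality filter of the shape a user sync sends: objectClass AND username,
    both taken from the authentication.ldap.* settings in the question."""
    object_class = cfg["authentication.ldap.userObjectClass"]
    attr = cfg["authentication.ldap.usernameAttribute"]
    return "(&(objectClass=%s)(%s=%s))" % (object_class, attr, escape_filter_value(username))


def make_directory(size, legacy_every=1000):
    """Constructed AD-like entries (not real data). Most users have
    CN='FirstN LastN' and sAMAccountName=userNNNNNN; every legacy_every-th
    entry has its CN set to the username itself, as the accepted answer describes."""
    entries = []
    for i in range(1, size + 1):
        uid = "user%06d" % i
        cn = uid if i % legacy_every == 0 else "First%d Last%d" % (i, i)
        entries.append({
            "distinguishedName": "CN=%s,OU=users,DC=example,DC=com" % cn,
            "cn": cn,
            "sAMAccountName": uid,
            "objectClass": ["top", "person", "organizationalPerson", "user"],
        })
    return entries


def _matches(entry, ldap_filter):
    """Toy matcher: (attr=value) terms joined by AND, with attribute names and
    values compared case-insensitively as AD does. Not a full RFC 4515 parser."""
    for attr, raw in re.findall(r"\(([A-Za-z][\w-]*)=([^()]*)\)", ldap_filter):
        values = next((v for k, v in entry.items() if k.lower() == attr.lower()), None)
        if values is None:
            return False
        if raw == "*":  # presence test, e.g. (objectClass=*)
            continue
        values = values if isinstance(values, list) else [values]
        want = unescape_filter_value(raw).lower()  # an escaped '*' is a literal
        if want not in (v.lower() for v in values):
            return False
    return True


def search(directory, ldap_filter="(objectClass=*)", page_size=None):
    """Return matching DNs. Without paging the server truncates at SIZE_LIMIT,
    which is why an unfiltered ldapsearch never lists users past the cap. With
    paging (simple paged results control) pages are fetched until exhausted."""
    matches = [e["distinguishedName"] for e in directory if _matches(e, ldap_filter)]
    if page_size is None:
        return matches[:SIZE_LIMIT]
    page_size = min(page_size, SIZE_LIMIT)  # the server clamps oversized pages
    pages = [matches[i:i + page_size] for i in range(0, len(matches), page_size)]
    return [dn for page in pages for dn in page]


def resolve_users(directory, cfg, usernames, page_size=None):
    """Mimic 'sync-ldap --users file': look each name up with the configured
    filter and return the names the directory did not resolve."""
    return [u for u in usernames
            if not search(directory, build_user_filter(cfg, u), page_size)]


if __name__ == "__main__":
    d = make_directory(2500)
    cn_cfg = {"authentication.ldap.usernameAttribute": "CN",
              "authentication.ldap.userObjectClass": "user"}
    sam_cfg = dict(cn_cfg)
    sam_cfg["authentication.ldap.usernameAttribute"] = "sAMAccountName"
    print(len(search(d)), "entries unpaged;", len(search(d, page_size=1000)), "paged")
    print("missing with CN:", resolve_users(d, cn_cfg, ["user001000", "user002345"]))
    print("missing with sAMAccountName:", resolve_users(d, sam_cfg, ["user001000", "user002345"]))
```

Run as a script, the unpaged search stops at 2000 of 2500 entries while the paged one returns all of them; resolving by CN reports `user002345` missing although it exists, and resolving by sAMAccountName reports nothing missing. A single-user filter finds `user002345` regardless of the cap, which is the behaviour the question observed with a filtered ldapsearch.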

2 REPLIES

Master Guru

Also tried to set authentication.ldap.pagination.enabled=false but to no avail. BTW, the LDAP is on AD.
