
Has anyone integrated (for demo purposes only) the Knox LDAP demo server with the Ambari 2.1.1 Server? I am not sure that it can be done, but need the instructions if it can be done. I only need to be able to log in to Ambari using the LDAP users.

Please refer to this doc note on how to disable pagination in Ambari 2.1.1+: http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.0/bk_Ambari_Security_Guide/content/_configurin...

Wow, good catch. Unfortunately I'm still getting the same error with pagination disabled, so maybe it's a different feature that ApacheDS doesn't support:

REASON: Caught exception running LDAP sync. [LDAP: error code 12 - Unsupport critical control: 1.2.840.113556.1.4.319]; nested exception is javax.naming.OperationNotSupportedException: [LDAP: error code 12 - Unsupport critical control: 1.2.840.113556.1.4.319]; remaining name 'dc=hadoop,dc=apache,dc=org'

This looks familiar: https://jira.atlassian.com/browse/CWD-1109

What Ambari version are you using Alex?

I was mistakenly using the HDP 2.3.0 Sandbox, which uses Ambari 2.1.0. Your advice worked perfectly in the latest version. Thanks!

Here's a complete guide, thanks to @Paul Codding's advice to disable pagination. Requires HDP Sandbox 2.3.2 or later (Ambari 2.1.1+).

1. In Ambari, start the demo LDAP server (Knox gateway is not required):

  • Knox > Service Actions > Start Demo LDAP

2. Follow the Ambari Security Guide to enable LDAP (press Enter for blank values)...

[root@sandbox ~]# ambari-server setup-ldap
Using python  /usr/bin/python2.6
Setting up LDAP properties...
Primary URL* {host:port} : sandbox.hortonworks.com:33389
Secondary URL {host:port} :
Use SSL* [true/false] (false): false
User object class* (posixAccount): person
User name attribute* (uid): uid
Group object class* (posixGroup): groupofnames
Group name attribute* (cn): cn
Group member attribute* (memberUid): member
Distinguished name attribute* (dn): dn
Base DN* : dc=hadoop,dc=apache,dc=org
Referral method [follow/ignore] :
Bind anonymously* [true/false] (false): false
Manager DN* : uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
Enter Manager Password* : guest-password
Re-enter password: guest-password
====================
Review Settings
====================
authentication.ldap.managerDn: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
authentication.ldap.managerPassword: *****
Save settings [y/n] (y)? y
Saving...done
Ambari Server 'setup-ldap' completed successfully.

3. Configure Ambari to disable pagination, and restart Ambari Server:

[root@sandbox ~]# echo "authentication.ldap.pagination.enabled=false" >> /etc/ambari-server/conf/ambari.properties
[root@sandbox ~]# ambari-server restart

4. When Ambari startup completes, the objects in /etc/knox/conf/users.ldif are available in Ambari. Here’s a quick reference:

  • admin / admin-password
  • guest / guest-password
  • sam / sam-password
  • tom / tom-password

Note: LDAP accounts with the same names as local accounts will replace the local accounts. The admin password will now be 'admin-password' instead of 'admin'.

5. To customize the demo LDAP directory:

  • In Ambari: Knox > Service Actions > Stop Demo LDAP
  • Edit /etc/knox/conf/users.ldif
  • Start the LDAP server manually (Ambari will overwrite users.ldif):
    nohup su - knox -c 'java -jar /usr/hdp/current/knox-server/bin/ldap.jar /usr/hdp/current/knox-server/conf' &

[root@sandbox ~]# ambari-server sync-ldap --all
Using python  /usr/bin/python2.6
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password: admin-password
Syncing all...

Completed LDAP Sync.
Summary:
  memberships:
    removed = 0
    created = 2
  users:
    updated = 0
    removed = 1
    created = 3
  groups:
    updated = 2
    removed = 0
    created = 0

Ambari Server 'sync-ldap' completed successfully.

Ambari attempts to determine whether the demo LDAP server supports paged results, which it does not, so it responds with UNAVAILABLE_CRITICAL_EXTENSION.

The demo LDAP server in Knox 0.6.0 (HDP 2.3.0) is based on ApacheDS 2.0.0-M15. Support for paged results was added in version 2.0.0-M13 (DIRSERVER-434), so I'm not sure why this wouldn't work. It's unlikely to be solved by configuration though.
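An added check, not from this thread, that does by hand what Ambari's probe does: it reads the root DSE's supportedControl list for the paged-results OID 1.2.840.113556.1.4.319 from the error above, then sets authentication.ldap.pagination.enabled in ambari.properties without appending a duplicate key each time step 3 of the guide is re-run. It assumes ldapsearch from openldap-clients is installed on the sandbox; the URL and file path are the guide's defaults.

```shell
#!/bin/sh
# Added example (not from the thread). Probe a directory for the LDAP
# paged-results control (OID 1.2.840.113556.1.4.319) and set Ambari's
# pagination property to match, idempotently.
# Assumes: ldapsearch (openldap-clients) is installed.

PAGED_RESULTS_OID="1.2.840.113556.1.4.319"

# Print the root DSE's supportedControl attribute as LDIF.
# $1 = LDAP URL, e.g. ldap://sandbox.hortonworks.com:33389
rootdse_controls() {
    ldapsearch -x -LLL -H "$1" -s base -b "" supportedControl 2>/dev/null
}

# Read LDIF on stdin; succeed only if the paged-results control is advertised.
paged_results_advertised() {
    grep -q "^supportedControl: ${PAGED_RESULTS_OID}\$"
}

# Set key=value in a Java properties file: replace the line if the key
# exists, append otherwise (the guide's plain >> duplicates the key on rerun).
# $1 = file, $2 = key, $3 = value
set_property() {
    if grep -q "^$2=" "$1"; then
        tmp=$(mktemp) && sed "s|^$2=.*|$2=$3|" "$1" > "$tmp" && mv "$tmp" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# Probe the server and write the matching Ambari setting.
# $1 = LDAP URL, $2 = path to ambari.properties
configure_pagination() {
    if rootdse_controls "$1" | paged_results_advertised; then
        set_property "$2" authentication.ldap.pagination.enabled true
    else
        set_property "$2" authentication.ldap.pagination.enabled false
    fi
}

# Sandbox defaults from the guide; restart ambari-server afterwards as in step 3.
# configure_pagination ldap://sandbox.hortonworks.com:33389 /etc/ambari-server/conf/ambari.properties
```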


@Alex Miller I am having trouble with syncing LDAP, getting 403 bad credentials, but I am able to log in using the same credentials to the dashboard. Note: the admin password is now changed to LDAP's admin password. Exact error below: "Syncing all.ERROR: Exiting with exit code 1. REASON: Sync event creation failed. Error details: HTTP Error 403: You do not have permissions to access this resource."

Hi Pandey,

Have you identified the root cause for this issue? Do you remember?

The error is the same for Ambari 2.6.1.5.