Has anyone integrated (for demo purposes only) the Knox LDAP demo server with the Ambari 2.1.1 Server? I am not sure that it can be done, but need the instructions if it can be done. I only need to be able to log in to Ambari using the LDAP users.

Wow, good catch. Unfortunately I'm still getting the same error with pagination disabled, so maybe it's a different feature that ApacheDS doesn't support:

REASON: Caught exception running LDAP sync. [LDAP: error code 12 - Unsupport critical control: 1.2.840.113556.1.4.319]; nested exception is javax.naming.OperationNotSupportedException: [LDAP: error code 12 - Unsupport critical control: 1.2.840.113556.1.4.319]; remaining name 'dc=hadoop,dc=apache,dc=org'

This looks familiar: https://jira.atlassian.com/browse/CWD-1109

What Ambari version are you using, Alex?


I was mistakenly using the HDP 2.3.0 Sandbox, which uses Ambari 2.1.0. Your advice worked perfectly in the latest version. Thanks!


Here's a complete guide, thanks to @Paul Codding's advice to disable pagination. Requires HDP Sandbox 2.3.2 or later (Ambari 2.1.1+).

1. In Ambari, start the demo LDAP server (Knox gateway is not required):

  • Knox > Service Actions > Start Demo LDAP

2. Follow the Ambari Security Guide to enable LDAP (press Enter for blank values)...

[root@sandbox ~]# ambari-server setup-ldap
Using python  /usr/bin/python2.6
Setting up LDAP properties...
Primary URL* {host:port} : sandbox.hortonworks.com:33389
Secondary URL {host:port} :
Use SSL* [true/false] (false): false
User object class* (posixAccount): person
User name attribute* (uid): uid
Group object class* (posixGroup): groupofnames
Group name attribute* (cn): cn
Group member attribute* (memberUid): member
Distinguished name attribute* (dn): dn
Base DN* : dc=hadoop,dc=apache,dc=org
Referral method [follow/ignore] :
Bind anonymously* [true/false] (false): false
Manager DN* : uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
Enter Manager Password* : guest-password
Re-enter password: guest-password
====================
Review Settings
====================
authentication.ldap.managerDn: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
authentication.ldap.managerPassword: *****
Save settings [y/n] (y)? y
Saving...done
Ambari Server 'setup-ldap' completed successfully.

3. Configure Ambari to disable pagination, and restart Ambari Server:

[root@sandbox ~]# echo "authentication.ldap.pagination.enabled=false" >> /etc/ambari-server/conf/ambari.properties
[root@sandbox ~]# ambari-server restart

4. When Ambari startup completes, the objects in /etc/knox/conf/users.ldif are available in Ambari. Here’s a quick reference:

  • admin / admin-password
  • guest / guest-password
  • sam / sam-password
  • tom / tom-password

Note: LDAP accounts with the same names as local accounts will replace the local accounts. The admin password will now be 'admin-password' instead of 'admin'.

5. To customize the demo LDAP directory:

  • In Ambari: Knox > Service Actions > Stop Demo LDAP
  • Edit /etc/knox/conf/users.ldif
  • Start the LDAP server manually (Ambari will overwrite users.ldif)

nohup su - knox -c 'java -jar /usr/hdp/current/knox-server/bin/ldap.jar /usr/hdp/current/knox-server/conf' &

[root@sandbox ~]# ambari-server sync-ldap --all
Using python  /usr/bin/python2.6
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password: admin-password
Syncing all...

Completed LDAP Sync.
Summary:
  memberships:
    removed = 0
    created = 2
  users:
    updated = 0
    removed = 1
    created = 3
  groups:
    updated = 2
    removed = 0
    created = 0

Ambari Server 'sync-ldap' completed successfully.

Ambari attempts to determine whether the demo LDAP server supports paged results, which it does not, so it responds with UNAVAILABLE_CRITICAL_EXTENSION.

The demo LDAP server in Knox 0.6.0 (HDP 2.3.0) is based on ApacheDS 2.0.0-M15. Support for paged results was added in version 2.0.0-M13 (DIRSERVER-434), so I'm not sure why this wouldn't work. It's unlikely to be solved by configuration though.
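
Added example, not part of the thread or of Ambari: the OID in the sync error, 1.2.840.113556.1.4.319, is the paged-results control, and an LDAP server lists the controls it supports in the `supportedControl` attribute of its root DSE. The script below checks a root DSE dump for that OID and, only when it is absent, applies the `authentication.ldap.pagination.enabled=false` setting from the guide without appending a duplicate entry. The function names and the sample LDIF are constructed for illustration.

```bash
# Added example: helper names and the sample rootDSE data are constructed.
PAGED_OID='1.2.840.113556.1.4.319'   # control OID named in the sync error
PROP='authentication.ldap.pagination.enabled'

# stdin: rootDSE LDIF (base-scope search of the empty DN for supportedControl).
# Exit status 0 if the server lists the paged-results control, 1 otherwise.
supports_paged_results() {
  awk -v oid="$PAGED_OID" '
    function check(l,   v) {
      if (tolower(l) !~ /^supportedcontrol:/) return
      v = l; sub(/^[^:]*:[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
      if (v == oid) found = 1
    }
    /^ / { line = line substr($0, 2); next }   # unfold LDIF continuation lines
    { check(line); line = $0 }
    END { check(line); exit(found ? 0 : 1) }'
}

# Set key=value exactly once; a repeated "echo >>" would leave duplicate entries.
# Written back with cat so the file keeps its existing owner and mode.
set_property() {
  local file="$1" key="$2" value="$3" tmp rc
  tmp=$(mktemp) || return 1
  awk -v k="$key" -v v="$value" '
    index($0, k "=") == 1 { if (!done) print k "=" v; done = 1; next }
    { print }
    END { if (!done) print k "=" v }' "$file" > "$tmp" && cat "$tmp" > "$file"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# $1 = properties file, stdin = rootDSE LDIF. Disables pagination only when the
# control is not advertised; otherwise the file is left untouched.
apply_pagination_workaround() {
  if supports_paged_results; then return 0; fi
  set_property "$1" "$PROP" false
}

# Constructed samples; the second folds the OID across two LDIF lines.
rootdse_without() { printf '%s\n' 'dn:' 'supportedControl: 2.16.840.1.113730.3.4.2'; }
rootdse_with() { printf '%s\n' 'dn:' 'supportedControl: 1.2.840.113556.' ' 1.4.319'; }

demo=$(mktemp)   # constructed stand-in for ambari.properties
printf 'some.other.setting=1\n%s=true\n' "$PROP" > "$demo"
rootdse_without | apply_pagination_workaround "$demo"
cat "$demo"
rm -f "$demo"
```

Against a live directory, the input would be the LDIF output of a base-scope search of the empty DN requesting `supportedControl`; Ambari Server still needs the restart from step 3 to pick up the change.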

@Alex Miller I am having trouble syncing LDAP: I get 403 bad credentials, but I am able to log in to the dashboard using the same credentials. Note: the admin password is now changed to LDAP's admin password. Exact error below: "Syncing all.ERROR: Exiting with exit code 1. REASON: Sync event creation failed. Error details: HTTP Error 403: You do not have permissions to access this resource."

Hi Pandey,


Have you identified the root cause for this issue? Do you remember?

The error is the same for Ambari 2.6.1.5.
