Created 11-05-2015 06:25 PM
I want to automate through cron or other method "ambari-server sync-ldap --existing" but it prompts for an Ambari username and password. Any ideas on how I can automate an Ambari LDAP sync?
Created 11-05-2015 07:20 PM
Try:
curl -uadmin:admin -H 'X-Requested-By: ambari' -X POST -d '[{"Event": {"specs": [{"principal_type": "users", "sync_type": "existing"}, {"principal_type": "groups", "sync_type": "existing"}]}}]' http://localhost:8080/api/v1/ldap_sync_events
You will get a response like:
{ "resources" : [ { "href" : "http://localhost:8080/api/v1/ldap_sync_events/13", "Event" : { "id" : 13 } } ] }
You can GET on this href to get status of the sync:
curl -uadmin:admin http://localhost:8080/api/v1/ldap_sync_events/13

{
  "href" : "http://localhost:8080/api/v1/ldap_sync_events/13",
  "Event" : {
    "id" : 13,
    "specs" : [
      { "sync_type" : "existing", "principal_type" : "users" },
      { "sync_type" : "existing", "principal_type" : "groups" }
    ],
    "status" : "COMPLETE",
    "status_detail" : "Completed LDAP sync.",
    "summary" : {
      "groups" : { "created" : 0, "removed" : 0, "updated" : 0 },
      "memberships" : { "created" : 0, "removed" : 0 },
      "users" : { "created" : 0, "removed" : 0, "updated" : 0 }
    },
    "sync_time" : { "end" : 1446751142546, "start" : 1446751142462 }
  }
}
Created 11-05-2015 06:32 PM
@Sean Roberts had scripted this out. Steps here: https://github.com/seanorama/masterclass/tree/master/security#lab-configure-ambari-for-ldap
Here is the script itself
https://github.com/seanorama/ambari-bootstrap/blob/master/extras/ambari-ldap-ad.sh
Created 11-05-2015 06:40 PM
That sets up LDAP, but I need to automate the sync process. I would like Ambari to execute the sync-ldap --existing command once a day.
Created 11-05-2015 06:46 PM
You can create an expect script for it.
Created 11-05-2015 07:57 PM
@yusaku@hortonworks.com - how would we do this when we have a users or groups text file?
Created 11-05-2015 08:08 PM
You can change sync_type from existing to specific, and add a names attribute with a comma-delimited list of users/groups. Here's an example:
curl -uadmin:admin -H 'X-Requested-By: ambari' -X POST -d '[{"Event": {"specs": [{"principal_type": "users", "sync_type": "specific", "names": "bill,jenny,mike"},{"principal_type":"groups","sync_type":"specific", "names": "group1,group2"}]}}]' http://localhost:8080/api/v1/ldap_sync_events
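The two API calls from the accepted answer (POST a sync event, then GET its href until it finishes) and the specific-sync variant just above, as an added Python example that is not from any post in this thread. It assumes the admin credentials come from the AMBARI_USER / AMBARI_PASSWORD environment variables (hypothetical names) so a cron job never carries the password in its script, and it treats COMPLETE and FAILED as the final event states, which is an assumption about Ambari's status values; the href and response shapes are the ones shown in the answer.

```python
"""Trigger an Ambari LDAP sync via /api/v1/ldap_sync_events and poll the event to completion."""
import base64
import json
import os
import time
import urllib.request

# Hypothetical defaults: set these in the cron job's environment (or a root-only file
# it sources) instead of hard-coding the admin password next to the command.
AMBARI_URL = os.environ.get("AMBARI_URL", "http://localhost:8080")
AMBARI_USER = os.environ.get("AMBARI_USER", "admin")
AMBARI_PASSWORD = os.environ.get("AMBARI_PASSWORD", "")

# Assumption: the event stays PENDING/RUNNING until it reaches one of these.
TERMINAL_STATUSES = {"COMPLETE", "FAILED"}


def build_sync_payload(users=None, groups=None):
    """Build the request body. None -> "existing" sync for that principal type;
    a list of names -> "specific" sync with the comma-delimited names attribute."""
    specs = []
    for principal_type, names in (("users", users), ("groups", groups)):
        if names is None:
            specs.append({"principal_type": principal_type, "sync_type": "existing"})
        else:
            if not names:
                raise ValueError("specific sync of %s needs at least one name" % principal_type)
            specs.append({"principal_type": principal_type, "sync_type": "specific",
                          "names": ",".join(names)})
    return [{"Event": {"specs": specs}}]


def event_href(create_response):
    """Pull the event href out of {"resources": [{"href": ..., "Event": {"id": ...}}]}."""
    resources = create_response.get("resources") or []
    if not resources:
        raise RuntimeError("Ambari returned no ldap_sync_events resource: %r" % create_response)
    return resources[0]["href"]


def summarize(event_response):
    """Return (status, status_detail, summary) from a GET on the event href."""
    event = event_response["Event"]
    return event["status"], event.get("status_detail", ""), event.get("summary", {})


def _headers():
    token = base64.b64encode(("%s:%s" % (AMBARI_USER, AMBARI_PASSWORD)).encode()).decode()
    return {"Authorization": "Basic " + token, "X-Requested-By": "ambari"}


def http_json(method, url, body=None):
    """One basic-auth request against Ambari; returns the parsed JSON response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=_headers())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode() or "{}")


def run_sync(users=None, groups=None, fetch=http_json, base_url=None,
             poll_interval=5, max_polls=60, sleep=time.sleep):
    """POST the sync event, then poll its href until it reaches a terminal status.
    fetch/sleep are injectable so the flow can be exercised without a live server."""
    base_url = base_url or AMBARI_URL
    created = fetch("POST", base_url + "/api/v1/ldap_sync_events", build_sync_payload(users, groups))
    href = event_href(created)
    for _ in range(max_polls):
        status, detail, summary = summarize(fetch("GET", href))
        if status in TERMINAL_STATUSES:
            return status, detail, summary
        sleep(poll_interval)
    raise TimeoutError("LDAP sync %s still not finished after %d polls" % (href, max_polls))


if __name__ == "__main__":
    # Same as the accepted answer: sync existing users and groups.
    status, detail, summary = run_sync()
    print(status, detail, json.dumps(summary))
    raise SystemExit(0 if status == "COMPLETE" else 1)
```

Run it from cron with the environment variables set; the exit code reflects the event's final status, so a FAILED sync shows up as a failed job rather than disappearing into a redirected log.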
Created on 11-05-2015 11:58 PM - edited 08-19-2019 05:52 AM
This will make life easier... gist link
yum install expect*
#!/usr/bin/expect
spawn ambari-server sync-ldap --existing
expect "Enter Ambari Admin login:"
send "admin\r"
expect "Enter Ambari Admin password:"
send "admin\r"
expect eof
Created 11-06-2015 03:00 PM
Here is the .sh script we used at customers. You'll need to fill in your specific environment information. It runs the curl commands but also includes an LDAP filter.
#!/bin/sh
# Just in case we are run from cron with no path set...
export PATH=/bin:/usr/bin:/usr/sbin:/sbin:/usr/local/bin
AMBARI_ADMIN_USER='admin:xxxxx'
#
# Groups we want to look for, in this case any group name that starts with HDP_
#
GROUP_FILTER="(&(ObjectClass=Group)(CN=HDP_*))"
SEARCH_BASE="DC=MYDOMAIN,DC=com"
SEARCH_USER="CN=search_user,OU=LDAP,${SEARCH_BASE}"
SEARCH_PASSWD=ldapUserPassword
LDAP_HOST=ldap.mydomain.com
# Turn every matching group DN into a (memberOf=<dn>) clause for the user filter below.
LDAPGROUPS=$(ldapsearch -h "$LDAP_HOST" -x -s sub -b "${SEARCH_BASE}" -D "${SEARCH_USER}" -w "${SEARCH_PASSWD}" "${GROUP_FILTER}" cn | \
  grep ^dn: | \
  cut -d' ' -f2- | \
  sed -e "s/\(.*\)/(memberOf=\1)/" | \
  tr '\n' ':' | \
  sed -e "s/://g")
# Filter for users with a "valid" flag set who have a first name, last name and email.
SEARCH_FILTER="(&(objectClass=USER)(mail=*mydomain.com)(givenName=*)(sn=*)(!(msexchuserAccountControl:1.2.840.113556.1.4.803:=2))(|$LDAPGROUPS))"
# perform the search on AD and format the results in a way that postfix wants.
#ldapsearch -h <ldap.company.com> -x -D "${SEARCH_USER}" -w "${SEARCH_PASSWD}" "${SEARCH_FILTER}" sAMAccountName | \
#  grep -v "{" | \
#  cut -d: -f3 | \
#  sort -u > ${TEMP_FILE}
# Comma-delimited, lower-cased sAMAccountName list of the matching users.
USERLIST=$(ldapsearch -h "$LDAP_HOST" -x -s sub -b "${SEARCH_BASE}" -D "${SEARCH_USER}" -w "${SEARCH_PASSWD}" "${SEARCH_FILTER}" sAMAccountName | \
  grep -i sAMAccountName | \
  grep -v ^# | \
  sort -u | \
  awk '{print $2}' | \
  tr '\n' , | \
  tr '[A-Z]' '[a-z]' | \
  sed -e "s/,$//")
# Comma-delimited list of the HDP_ group CNs those users are members of.
GROUPLIST=$(ldapsearch -h "$LDAP_HOST" -x -s sub -b "${SEARCH_BASE}" -D "${SEARCH_USER}" -w "${SEARCH_PASSWD}" "${SEARCH_FILTER}" memberOf | \
  grep memberOf | \
  grep -v ^# | \
  grep HDP_ | \
  sort -u | \
  cut -d: -f2 | \
  cut -d= -f2 | \
  cut -d, -f1 | \
  awk '{print $1}' | \
  tr '\n' , | \
  sed -e "s/,$//")
# Sync new users and groups (note: if either list is empty this posts an empty "names" value)
curl -s -H "X-Requested-By: ambari" -u "$AMBARI_ADMIN_USER" -d '{"Event": {"specs": [{"principal_type": "users", "sync_type": "specific", "names": "'$USERLIST'"}, {"principal_type": "groups", "sync_type": "specific", "names": "'$GROUPLIST'"}]}}' http://127.0.0.1:8080/api/v1/ldap_sync_events >/dev/null
sleep 30
# Sync existing users and groups
curl -s -H "X-Requested-By: ambari" -u "$AMBARI_ADMIN_USER" -d '{"Event": { "specs": [{"principal_type": "users", "sync_type": "existing"}, {"principal_type": "groups", "sync_type": "existing"}]}}' http://127.0.0.1:8080/api/v1/ldap_sync_events >/dev/null
echo "AmbariLdapSync complete at $(date)"
exit 0
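The grep/cut/awk pipelines in the script above derive USERLIST and GROUPLIST from ldapsearch's LDIF output. As an added Python example (not the poster's script and not part of this thread), here is the same derivation done with a small LDIF parser over a constructed sample, which handles two LDIF features the line-oriented pipeline does not account for: a long DN that ldapsearch folds onto a continuation line (leading space), and an attribute value ldapsearch emits base64-encoded (the `::` separator). It also drops a principal type whose name list came back empty instead of sending an empty names value. The sample entries, the HDP_ group prefix and the attribute names follow the script; the rest is an assumption of this example.

```python
"""Build Ambari ldap_sync_events "names" lists from ldapsearch LDIF output."""
import base64
import re

# Constructed sample of `ldapsearch ... sAMAccountName memberOf` output (LDIF).
# The second entry has a base64 (::) sAMAccountName and a folded memberOf line.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=MYDOMAIN,DC=com> with scope subtree
# filter: (&(objectClass=USER)(mail=*mydomain.com))
# requesting: sAMAccountName memberOf
#

# Bill Example, Users, mydomain.com
dn: CN=Bill Example,OU=Users,DC=MYDOMAIN,DC=com
sAMAccountName: BExample
memberOf: CN=HDP_Admins,OU=Groups,DC=MYDOMAIN,DC=com
memberOf: CN=Everyone,OU=Groups,DC=MYDOMAIN,DC=com

# Jenny Example, Users, mydomain.com
dn: CN=Jenny Example,OU=Users,DC=MYDOMAIN,DC=com
sAMAccountName:: SkV4YW1wbGU=
memberOf: CN=HDP_Data_Scientists_Long_Group_Name_That_Gets_Folded,OU=Grou
 ps,DC=MYDOMAIN,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def unfold(text):
    """Join LDIF continuation lines (a leading space) back onto the line they belong to."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry that has a dn; attribute names
    are lower-cased because LDAP attribute names are case-insensitive."""
    entries, current = [], {}
    for line in unfold(text) + [""]:
        if not line.strip():                 # blank line terminates an entry
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):             # ldapsearch comment lines
            continue
        m = ATTR_LINE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":                      # base64-encoded value
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(attr.lower(), []).append(value)
    return [e for e in entries if "dn" in e]


def rdn_value(dn):
    """First RDN value of a DN: 'CN=HDP_Admins,OU=Groups,...' -> 'HDP_Admins'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def names_for_ambari(entries, group_prefix="HDP_"):
    """(userlist, grouplist) as the comma-delimited strings the names attribute expects:
    lower-cased sAMAccountNames, and the CNs of memberOf groups starting with the prefix."""
    users, groups = set(), set()
    for entry in entries:
        for sam in entry.get("samaccountname", []):
            users.add(sam.lower())
        for dn in entry.get("memberof", []):
            cn = rdn_value(dn)
            if cn.startswith(group_prefix):
                groups.add(cn)
    return ",".join(sorted(users)), ",".join(sorted(groups))


def sync_specs(userlist, grouplist):
    """Specs for a "specific" sync; a principal type with no names is left out."""
    specs = []
    for principal_type, names in (("users", userlist), ("groups", grouplist)):
        if names:
            specs.append({"principal_type": principal_type, "sync_type": "specific", "names": names})
    return specs


if __name__ == "__main__":
    userlist, grouplist = names_for_ambari(parse_ldif(SAMPLE_LDIF))
    print("USERLIST =", userlist)
    print("GROUPLIST =", grouplist)
    print(sync_specs(userlist, grouplist))
```

In a real job, feed the output of the script's own ldapsearch call into parse_ldif in place of SAMPLE_LDIF; the specs list then goes into the POST body exactly as the curl commands do.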
Created 11-06-2015 03:02 PM
@Scott Shaw This looks great. Thanks for sharing it.