How do I automate the Ambari LDAP sync?
Labels: Apache Ambari
Created ‎11-05-2015 06:25 PM
I want to automate through cron or other method "ambari-server sync-ldap --existing" but it prompts for an Ambari username and password. Any ideas on how I can automate an Ambari LDAP sync?
Created ‎11-05-2015 07:20 PM
Try:
curl -uadmin:admin -H 'X-Requested-By: ambari' -X POST -d '[{"Event": {"specs": [{"principal_type": "users", "sync_type": "existing"}, {"principal_type": "groups", "sync_type": "existing"}]}}]' http://localhost:8080/api/v1/ldap_sync_events
You will get a response like:
{ "resources" : [ { "href" : "http://localhost:8080/api/v1/ldap_sync_events/13", "Event" : { "id" : 13 } } ] }
You can GET on this href to get status of the sync:
curl -uadmin:admin http://localhost:8080/api/v1/ldap_sync_events/13

{
  "href" : "http://localhost:8080/api/v1/ldap_sync_events/13",
  "Event" : {
    "id" : 13,
    "specs" : [
      { "sync_type" : "existing", "principal_type" : "users" },
      { "sync_type" : "existing", "principal_type" : "groups" }
    ],
    "status" : "COMPLETE",
    "status_detail" : "Completed LDAP sync.",
    "summary" : {
      "groups" : { "created" : 0, "removed" : 0, "updated" : 0 },
      "memberships" : { "created" : 0, "removed" : 0 },
      "users" : { "created" : 0, "removed" : 0, "updated" : 0 }
    },
    "sync_time" : { "end" : 1446751142546, "start" : 1446751142462 }
  }
}
Created ‎12-16-2016 11:26 AM
Both ldapsearch and cron will show up in ps with passwords in their command line. That's easy to prevent with both tools: use the -y option for ldapsearch, and --netrc-file for cron.
Created ‎12-23-2016 11:41 AM
Hi Neeraj,
I have used your ambari-ldap sync script but I get the following error when I run the below command. One thing I noticed is that if I run the script manually as ./ambari_ldap_sync_all.sh then it's getting executed.
Also I have shown my ambari-ldap sync script below. So the script is not getting executed from crontab with the 'sh' command. Please help.
[root@host1(172.23.34.4)] # sh ambari_ldap_sync_all.sh
ambari_ldap_sync_all.sh: line 3: spawn: command not found
couldn't read file "Enter Ambari Admin login:": no such file or directory
ambari_ldap_sync_all.sh: line 7: send: command not found
couldn't read file "Enter Ambari Admin password:": no such file or directory
ambari_ldap_sync_all.sh: line 11: send: command not found
couldn't read file "eof": no such file or directory

[root@host1(172.23.34.4)] # cat ambari_ldap_sync_all.sh
#!/usr/bin/expect
spawn ambari-server sync-ldap --existing
expect "Enter Ambari Admin login:"
send "admin\r"
expect "Enter Ambari Admin password:"
send "admin\r"
expect eof

[root@host1(172.23.34.4)] # crontab -e
00 15 * * * /ambari_ldap_sync_all.sh
Created ‎02-22-2017 06:45 AM
This is an expect script not a shell script. Your shell does not understand expect commands.
Created ‎04-09-2017 12:55 PM
Worth knowing that there is now no need for the "expect" statement, with the following attributes that can be added to the sync-ldap request:
--ldap-sync-admin-name=admin --ldap-sync-admin-password=secret
Created ‎04-21-2017 10:28 AM
The unexpected benefit of this is that nobody will ever forget the LDAP password again: not only will it be included in your favourite shell's history file, but anyone who can log in on that node will also be able to see those options by keeping an eye on ps. Isn't that neat?
Don't do this, kids. Never write passwords on the command line.
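
The REST call from the first answer combined with curl's --netrc-file option mentioned in a later reply, as an added example that is not part of any post in this thread: the credentials are read from a mode-600 file, so they appear in neither ps output nor the crontab. The netrc path, the permission check, the poll limits and the function names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: run the Ambari LDAP sync from cron via the REST API without
# putting the admin password in argv. NETRC path and 30 x 5 s polling are assumptions.
AMBARI_URL="${AMBARI_URL:-http://localhost:8080}"
NETRC="${NETRC:-/etc/ambari-sync/netrc}"  # "machine localhost login <user> password <pass>"
SPEC='[{"Event": {"specs": [{"principal_type": "users", "sync_type": "existing"}, {"principal_type": "groups", "sync_type": "existing"}]}}]'

# True only if the credentials file exists and is accessible by its owner alone.
netrc_is_private() {
  local perms
  [ -f "$1" ] || return 1
  perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
  case "$perms" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Read a JSON response on stdin, print the sync event URL from its "href" field.
event_href() {
  sed -n 's|.*"href" *: *"\([^"]*/ldap_sync_events/[0-9][0-9]*\)".*|\1|p' | head -n 1
}

# Read a JSON response on stdin, print "status" (the pattern skips "status_detail").
event_status() {
  sed -n 's|.*"status" *: *"\([A-Z_]*\)".*|\1|p' | head -n 1
}

run_sync() {
  local href status="" tries=0
  netrc_is_private "$NETRC" || { echo "refusing: $NETRC must be a file with mode 600" >&2; return 2; }
  href=$(curl -sS --netrc-file "$NETRC" -H 'X-Requested-By: ambari' -X POST \
           -d "$SPEC" "$AMBARI_URL/api/v1/ldap_sync_events" | event_href)
  [ -n "$href" ] || { echo "no sync event returned" >&2; return 1; }
  while [ "$tries" -lt 30 ]; do
    status=$(curl -sS --netrc-file "$NETRC" "$href" | event_status)
    [ "$status" = "COMPLETE" ] && return 0
    sleep 5
    tries=$((tries + 1))
  done
  echo "sync not complete (last status: ${status:-none}): $href" >&2
  return 1
}

# Cron entry point: /path/to/this-script run
if [ "${1:-}" = "run" ]; then run_sync; fi
```

The "machine" entry in the netrc file has to match the host in the URLs Ambari returns (localhost in the responses shown above), otherwise curl sends the status request without credentials.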
