Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

How do I remove LDAP accounts from Ambari

Labels:
avatar
author-rank SQLShaw author-rank
Guru

Created ‎11-05-2015 06:06 PM

I loaded LDAP accounts into Ambari and now need to remove them and re-sync. How do I remove the accounts?

7,471 Views
1 ACCEPTED SOLUTION

avatar
author-rank pcodding author-rank
Guru

Created ‎11-05-2015 06:42 PM

Scott, you can use the API to remove them:

curl --insecure -u admin:$PASSWORD -H 'X-Requested-By: ambari' -X DELETE http://$AMBARI_HOST:8080/api/v1/users/paul

View solution in original post

5,144 Views
11 REPLIES 11

avatar
author-rank mrossign
New Contributor

Created on ‎09-10-2019 03:34 AM - edited ‎09-10-2019 03:36 AM

If like me, you made a mistake for instance loading all your LDAP users and groups with "ambari-server sync-ldap --all" and you realize that you in fact only wanted some groups/users, you can re-run the "ambari-server setup-ldap" wizard pointing to the DN of only one of your users to keep as the search base. Then run "ambari-server sync-ldap --existing" to remove all existing LDAP users and groups except the single one to keep. Then reset the correct search base and add the subset of groups/users you want using "ambari-server sync-ldap --users users.txt --groups groups.txt". This trick saved my life by automatically and easily removing roughly 15000 LDAP users and 1000 LDAP groups 🙂

2,249 Views
0 Kudos

avatar
author-rank pmadiot
Explorer

Created on ‎03-23-2020 02:14 AM - edited ‎03-23-2020 04:20 AM

hello,

 

This wokarround didn't work for me.

Configured the LDAP setup so that the BaseDN matches only 1 entry.

calling "ambari-server sync-ldap --existing" didn't remove all existing LDAP Users and groups rather it deleted 2 only.

 

may be i missed something, but after running the setup do we need to restart ambari-server?

 

What should be the expected behaviour when runing the "ambari-server sync-ldap --all" and the BaseDN pointing to a single AD entry?

 

The doc states the following for option '--exisiting' : "Users will be removed from Ambari if they no
longer exist in LDAP, and group membership in Ambari will be updated to match LDAP". Since AD users still exist that would have no effect to remove the users even if baseDN points to single entry.

 

What we are looking for (HDP2.6.5) is to remove all LDAP synced users other than these specified in --users users.txt and --groups group.txt.

 

It looks like there is no such tool and we have to resort to manually use ambari APIs somehow.
One thing i'm not sure is how are the lowercased alias being handled, since during the first sync we had the default value 'true' to force lower case, and now changed it to 'false'

 

looking forward your insights

2,092 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements