@Sivaprakasam Theivanayagam
There are various tools you can use to test connectivity. To test the SSL connection and grab the SSL cert, you can use the OpenSSL s_client utility:
openssl s_client -connect HOST:PORT
To grab the SSL certificate you can use the following command:
openssl s_client -connect <AD_HOST_NAME_OR_IP_ADDRESS>:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > ad_ldap_server.pem
Example:
openssl s_client -connect ad_host.example.com:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > ad_ldap_server.pem
You can then import the ad_ldap_server.pem into Ambari's trust store. This is needed to ensure Ambari trusts the connection to the Active Directory. Later versions of Ambari require this (but the verification process can be turned off if you really want to).
To test the LDAP(S) interface, you can use the OpenLDAP ldapsearch utility. You may need to install the openldap-clients package to use it.
The following command can be used to test connectivity and list the distinguished names contained in the base DN:
ldapsearch -ZZ -h <AD_HOST_NAME_OR_IP_ADDRESS> -D <BIND_DN> -W -b <BASE_DN> dn
-ZZ: Start TLS (for LDAPS)
-h: IP/hostname of Active Directory server
-D: BindDN or User principal name
-W: Password (to be provided interactively)
-b: Base DN for search (where in the LDAP tree to start looking)
Example:
ldapsearch -ZZ -h ad_host.example.com -D some_user@EXAMPLE.COM -W -b OU=users,DC=EXAMPLE,DC=COM dn
This ldapsearch command may fail if the host does not trust the SSL cert provided by the Active Directory. If so, you can either no use SSL/TLS, turn off OpenLDAP cert validation, or trust the cert.
To not use TLS/SSL, remove the -ZZ from the command line.
To skip certificate validation, edit the /etc/openldap/ldap.conf file and add the following line
TLS_REQCERT never
