Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

IPA ldap Ambari Sync

Labels:
avatar
author-rank arunak
Super Collaborator

Created ‎08-24-2016 06:50 PM

Hi All, I am trying to sync my Directory users from IPA server to Ambari. I have been using these instructions

However, I am not certain what need to be the value of Distinguished name attribute.

Provided I have the following structure 

uid=u1,ou=ou11,ou=o1,dc=example,dc=com 

uid=u2,ou=ou12,ou=o1,dc=example,dc=com 

uid=u3,ou=ou21,ou=02,dc=example,dc=com 

uid=u4,ou=ou22,ou=02,dc=example,dc=com
2,510 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank orlandoteixeira author-rank
Guru

Created ‎08-24-2016 06:55 PM

Here are the default IPA Values (If you used a out of the box no changes IPA) that work for me:

authentication.ldap.dnAttribute=dn

authentication.ldap.groupMembershipAttr= memberUid

authentication.ldap.groupObjectClass=posixGroup

authentication.ldap.userObjectClass=mepManagedEntry

authentication.ldap.usernameAttribute=cn

View solution in original post

2,157 Views
11 REPLIES 11

avatar
author-rank orlandoteixeira author-rank
Guru

Created ‎08-24-2016 06:55 PM

Here are the default IPA Values (If you used a out of the box no changes IPA) that work for me:

authentication.ldap.dnAttribute=dn

authentication.ldap.groupMembershipAttr= memberUid

authentication.ldap.groupObjectClass=posixGroup

authentication.ldap.userObjectClass=mepManagedEntry

authentication.ldap.usernameAttribute=cn

2,158 Views

avatar
author-rank arunak
Super Collaborator

Created ‎08-24-2016 07:04 PM

Thanks @Orlando Teixeira. Could you share me a sample ldif file that you used for ldapadd. I was able to sync the user bases using the default specified above. I did not see a dn attribute to any of my user/group using jxplore and hence wanted to know how relevant these default values are. After the sync, the admin user in IPA which is defaulted to admin messed up my Ambari admin user, which is also by default admin.

2,102 Views
0 Kudos

avatar
author-rank WhiteHa author-rank
Expert Contributor

Created ‎08-24-2016 07:12 PM

@Arun A K If you have existing admin user in your AD/LDAP, it will be override the existing Ambari admin user. This is known behaviour.

2,102 Views
0 Kudos

avatar
author-rank arunak
Super Collaborator

Created ‎08-24-2016 07:12 PM

@Krishna Pandey. In anticipation of this, I had created an ambari_admin before the sync and granted the admin role to this new user. However, after sync, I am not able to see the user management option in ambari after logging in as ambari_admin. Is this some configuration issue at my end?

2,102 Views
0 Kudos

avatar
author-rank WhiteHa author-rank
Expert Contributor

Created ‎08-24-2016 07:24 PM

The earlier created local Ambari "ambari_admin" user should exist even after ldap sync. Please select "All" as Type in Manage Ambari -> User+Group Management section, your user should show up there.

2,102 Views
0 Kudos

avatar
author-rank WhiteHa author-rank
Expert Contributor

Created ‎08-24-2016 06:58 PM

Try Distinguished name attribute* (dn): dn

2,102 Views

avatar
author-rank arunak
Super Collaborator

Created ‎08-24-2016 07:07 PM

Thanks @Krishna Pandey. Was able to use the default ones to Sync up the users. However I was not sure where there attributes are attached to my users/groups since I could not see anything called dn using jxplorer.

2,102 Views
0 Kudos

avatar
author-rank orlandoteixeira author-rank
Guru

Created ‎08-24-2016 07:15 PM

@Arun A K, first let's fix your admin. Simply go into the database and do:

update users set ldap_user = 0 where user_name = 'admin';

then reset the password as follows:

https://community.hortonworks.com/questions/449/how-to-reset-ambari-admin-password.html

Here is the output of an ldapsearch on a user in my IPA, to show you where dn is:

# orlando, users, accounts, ipa.example.com
dn: uid=orlando,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
displayName: Orlando Teixeira
cn: Orlando Teixeira
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
sn: Teixeira
gecos: Orlando Teixeira
homeDirectory: /home/orlando
krbPwdPolicyReference: cn=global_policy,cn=IPA.EXAMPLE.COM,cn=kerberos,dc=ipa,
 dc=example,dc=com
mail: orlando@ipa.example.com
krbPrincipalName: orlando@IPA.EXAMPLE.COM
givenName: Orlando
uid: orlando
initials: OT
ipaUniqueID: 3b9308de-895c-11e5-a188-0800274e577d
uidNumber: 1690200001
gidNumber: 1690200001
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
memberOf: cn=test,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
memberOf: cn=test2,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
mepManagedEntry: cn=orlando,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
krbLoginFailedCount: 6
krbLastFailedAuth: 20160601185034Z


# orlando, groups, accounts, ipa.example.com
dn: cn=orlando,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: orlando
gidNumber: 1690200001
description: User private group for orlando
mepManagedBy: uid=orlando,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
ipaUniqueID: 3b9b8388-895c-11e5-a188-0800274e577d
2,102 Views
0 Kudos

avatar
author-rank arunak
Super Collaborator

Created ‎08-24-2016 07:40 PM

Thanks @Orlando Teixeira. One last question - what tool do you use to add users to the directory? I have been using ipa user-add and ipa group-add and as a result, if I do a ldap search, I don't find any values for krbPwdPolicyReference: and krbPrincipalName. Is there something I am doing wrong here. 

[admin@ipa ec2-user]$ ldapsearch -x  -W "uid=jsmith"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: uid=jsmith
# requesting: ALL
#
# jsmith, users, compat, arunak.com
dn: uid=jsmith,cn=users,cn=compat,dc=example,dc=com
cn: James Smith
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
ipaAnchorUUID:: OklQQTphcnVuYWsuY29tOmVhMzk5OGEwLTY2NDAtMTFlNi05NTExLTEyNzY0N2
 ZhZThlOQ==
gidNumber: 443400011
gecos: James Smith
uidNumber: 443400011
loginShell: /bin/sh
homeDirectory: /home/jsmith
uid: jsmith
# jsmith, users, accounts, example.com
dn: uid=jsmith,cn=users,cn=accounts,dc=example,dc=com
displayName: James Smith
uid: tutui
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: SA
gecos: James Smith
sn: Smith
homeDirectory: /home/jsmith
givenName: James
cn: James Smith
uidNumber: 443400011
gidNumber: 443400011
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
2,102 Views
0 Kudos
webinar banner
Announcements
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Community Announcements
November 2023 Community Highlights
Product Announcements
[ANNOUNCE] CDP Private Cloud Data Services 1.5.2 Released
What's New @ Cloudera
Cloudera DataFlow adds support for fine grained access contr...
Product Announcements
[ANNOUNCE] Cloudera JDBC Driver 2.6.23 for Apache Hive Relea...
View More Announcements
meetups banner