IPA ldap Ambari Sync

Super Collaborator

Hi all, I am trying to sync my directory users from the IPA server to Ambari. I have been using these instructions.

However, I am not certain what the value of the Distinguished name attribute needs to be.

Provided I have the following structure:

uid=u1,ou=ou11,ou=o1,dc=example,dc=com 

uid=u2,ou=ou12,ou=o1,dc=example,dc=com 

uid=u3,ou=ou21,ou=o2,dc=example,dc=com 

uid=u4,ou=ou22,ou=o2,dc=example,dc=com
1 ACCEPTED SOLUTION

Here are the default IPA values (if you used an out-of-the-box IPA with no changes) that work for me:

authentication.ldap.dnAttribute=dn

authentication.ldap.groupMembershipAttr=memberUid

authentication.ldap.groupObjectClass=posixGroup

authentication.ldap.userObjectClass=mepManagedEntry

authentication.ldap.usernameAttribute=cn


Super Collaborator

Thanks @Orlando Teixeira. Could you share a sample LDIF file that you used for ldapadd? I was able to sync the user base using the defaults specified above. I did not see a dn attribute on any of my users/groups using JXplorer and hence wanted to know how relevant these default values are. After the sync, the admin user in IPA, which defaults to admin, messed up my Ambari admin user, which is also admin by default.

Rising Star

@Arun A K If you have an existing admin user in your AD/LDAP, it will override the existing Ambari admin user. This is a known behaviour.

Super Collaborator

@Krishna Pandey. In anticipation of this, I had created an ambari_admin before the sync and granted the admin role to this new user. However, after sync, I am not able to see the user management option in ambari after logging in as ambari_admin. Is this some configuration issue at my end?

Rising Star

The earlier created local Ambari "ambari_admin" user should exist even after ldap sync. Please select "All" as Type in Manage Ambari -> User+Group Management section, your user should show up there.

Rising Star

Try Distinguished name attribute* (dn): dn

Super Collaborator

Thanks @Krishna Pandey. I was able to use the default ones to sync up the users. However, I was not sure where these attributes are attached to my users/groups, since I could not see anything called dn using JXplorer.

@Arun A K, first let's fix your admin. Simply go into the database and do:

update users set ldap_user = 0 where user_name = 'admin';

then reset the password as follows:

https://community.hortonworks.com/questions/449/how-to-reset-ambari-admin-password.html

Here is the output of an ldapsearch on a user in my IPA, to show you where dn is:

# orlando, users, accounts, ipa.example.com
dn: uid=orlando,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
displayName: Orlando Teixeira
cn: Orlando Teixeira
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
sn: Teixeira
gecos: Orlando Teixeira
homeDirectory: /home/orlando
krbPwdPolicyReference: cn=global_policy,cn=IPA.EXAMPLE.COM,cn=kerberos,dc=ipa,
 dc=example,dc=com
mail: orlando@ipa.example.com
krbPrincipalName: orlando@IPA.EXAMPLE.COM
givenName: Orlando
uid: orlando
initials: OT
ipaUniqueID: 3b9308de-895c-11e5-a188-0800274e577d
uidNumber: 1690200001
gidNumber: 1690200001
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
memberOf: cn=test,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
memberOf: cn=test2,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
mepManagedEntry: cn=orlando,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
krbLoginFailedCount: 6
krbLastFailedAuth: 20160601185034Z


# orlando, groups, accounts, ipa.example.com
dn: cn=orlando,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: orlando
gidNumber: 1690200001
description: User private group for orlando
mepManagedBy: uid=orlando,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
ipaUniqueID: 3b9b8388-895c-11e5-a188-0800274e577d
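A pre-sync dry run, added here as an example; it is not code from the thread or from Ambari. It parses LDIF text such as the ldapsearch output above, applies the accepted authentication.ldap.* values (and, for comparison, an alternative mapping that selects the user entries by posixAccount/uid, which is an assumption, not something the thread recommends) and reports which entries would become Ambari users and groups and which usernames collide with local Ambari accounts. The LDIF is constructed for the example, patterned after the entries posted above. Two things it makes visible: dn is the entry's name rather than a stored attribute, which is why JXplorer shows no dn attribute yet dnAttribute=dn works; and with userObjectClass=mepManagedEntry and usernameAttribute=cn the entries selected as users are the user-private-group entries under cn=groups, whose cn is the login name. Whether a directory's admin account is picked up depends on the mapping and on what entries exist in your tree; the dry run tells you before you sync, rather than after the local admin has been flagged as an LDAP user.

```python
"""Dry run of an Ambari-style LDAP sync over LDIF text (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, patterned after the ldapsearch output in the thread:
# a user, a second user named "admin", the user-private group, a plain group.
# It is not a capture from a real IPA server.
SAMPLE_LDIF = """\
# orlando, users, accounts, ipa.example.com
dn: uid=orlando,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
cn: Orlando Teixeira
objectClass: top
objectClass: posixaccount
objectClass: mepOriginEntry
uid: orlando
krbPwdPolicyReference: cn=global_policy,cn=IPA.EXAMPLE.COM,cn=kerberos,dc=ipa,
 dc=example,dc=com

dn: uid=admin,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
cn: Administrator
objectClass: top
objectClass: posixaccount
uid: admin

dn: cn=orlando,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
objectClass: posixgroup
objectClass: mepManagedEntry
cn: orlando
description: User private group for orlando

dn: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
objectClass: posixgroup
cn: ipausers
memberUid: orlando
memberUid: admin
"""

Entry = Dict[str, List[str]]


@dataclass(frozen=True)
class LdapMapping:
    """The authentication.ldap.* settings that decide what gets synced."""
    dn_attribute: str = "dn"
    username_attribute: str = "cn"
    user_object_class: str = "mepManagedEntry"
    group_object_class: str = "posixGroup"
    group_naming_attr: str = "cn"  # assumed default; not discussed in the thread
    group_membership_attr: str = "memberUid"


ACCEPTED_IPA_MAPPING = LdapMapping()  # values from the accepted answer
# Alternative that selects the user entries themselves (assumption, not from the thread).
POSIX_USER_MAPPING = LdapMapping(username_attribute="uid", user_object_class="posixAccount")


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into entries keyed by lower-cased attribute name.

    The DN is stored under the pseudo-attribute "dn": it is the entry's name,
    not one of its attributes, which is why a directory browser shows no "dn"
    attribute while dnAttribute=dn still works. Folded lines (leading space)
    are joined, '#' comments skipped, base64 values ('::') kept with a marker.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        name, _, value = line.partition(":")
        value = "base64:" + value[1:].strip() if value.startswith(":") else value.strip()
        if current is None:
            current = defaultdict(list)
        current[name.strip().lower()].append(value)
    if current:
        entries.append(current)
    return entries


def has_object_class(entry: Entry, oc: str) -> bool:
    """LDAP objectClass values match case-insensitively (posixGroup == posixgroup)."""
    return oc.lower() in (v.lower() for v in entry.get("objectclass", []))


def attr_value(entry: Entry, name: str) -> Optional[str]:
    """First value of an attribute; attribute names are case-insensitive in LDAP."""
    values = entry.get(name.lower(), [])
    return values[0] if values else None


def dry_run(entries: List[Entry], m: LdapMapping) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Return (users: name -> DN, groups: name -> member names) the mapping would sync."""
    users: Dict[str, str] = {}
    groups: Dict[str, List[str]] = {}
    for e in entries:
        if has_object_class(e, m.user_object_class):
            name, dn = attr_value(e, m.username_attribute), attr_value(e, m.dn_attribute)
            if name and dn:
                users[name] = dn
        if has_object_class(e, m.group_object_class):
            gname = attr_value(e, m.group_naming_attr)
            if gname:
                groups[gname] = list(e.get(m.group_membership_attr.lower(), []))
    return users, groups


def collisions(synced_users: Dict[str, str], local_users: List[str]) -> List[str]:
    """Directory usernames that clash with local Ambari accounts (case-insensitive,
    the conservative choice). The thread's 'admin' symptom is this collision."""
    local = {u.lower() for u in local_users}
    return sorted(u for u in synced_users if u.lower() in local)


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for label, mapping in (("accepted", ACCEPTED_IPA_MAPPING), ("posixAccount/uid", POSIX_USER_MAPPING)):
        users, groups = dry_run(parsed, mapping)
        print(label, "users:", users)
        print(label, "groups:", groups)
        print(label, "collisions with local admin accounts:", collisions(users, ["admin", "ambari_admin"]))
```

Run it against your own export (ldapsearch -x -LLL -b the search base, saved to a file) before enabling the sync; any name listed under collisions is one you will otherwise have to repair in the Ambari database afterwards.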

Super Collaborator

Thanks @Orlando Teixeira. One last question - what tool do you use to add users to the directory? I have been using ipa user-add and ipa group-add and, as a result, if I do an ldapsearch, I don't find any values for krbPwdPolicyReference and krbPrincipalName. Is there something I am doing wrong here?

[admin@ipa ec2-user]$ ldapsearch -x  -W "uid=jsmith"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: uid=jsmith
# requesting: ALL
#
# jsmith, users, compat, arunak.com
dn: uid=jsmith,cn=users,cn=compat,dc=example,dc=com
cn: James Smith
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
ipaAnchorUUID:: OklQQTphcnVuYWsuY29tOmVhMzk5OGEwLTY2NDAtMTFlNi05NTExLTEyNzY0N2
 ZhZThlOQ==
gidNumber: 443400011
gecos: James Smith
uidNumber: 443400011
loginShell: /bin/sh
homeDirectory: /home/jsmith
uid: jsmith
# jsmith, users, accounts, example.com
dn: uid=jsmith,cn=users,cn=accounts,dc=example,dc=com
displayName: James Smith
uid: tutui
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: SA
gecos: James Smith
sn: Smith
homeDirectory: /home/jsmith
givenName: James
cn: James Smith
uidNumber: 443400011
gidNumber: 443400011
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2

@Arun A K I just use the web GUI that comes with IPA. Keep in mind I am not managing a large user base, but rather just doing small recreations to help customers. I would think the GUI would get cumbersome if you were doing an entire enterprise.

Super Collaborator

Thanks again! I was prototyping, and hence wasn't looking for something at an enterprise level. 🙂
