
IPA ldap Ambari Sync

Super Collaborator

Hi All, I am trying to sync my directory users from my IPA server to Ambari. I have been using these instructions

However, I am not certain what the value of the Distinguished name attribute needs to be.

Given that I have the following structure

uid=u1,ou=ou11,ou=o1,dc=example,dc=com 

uid=u2,ou=ou12,ou=o1,dc=example,dc=com 

uid=u3,ou=ou21,ou=02,dc=example,dc=com 

uid=u4,ou=ou22,ou=02,dc=example,dc=com
1 ACCEPTED SOLUTION


Here are the default IPA values (if you used an out-of-the-box IPA with no changes) that work for me:

authentication.ldap.dnAttribute=dn

authentication.ldap.groupMembershipAttr=memberUid

authentication.ldap.groupObjectClass=posixGroup

authentication.ldap.userObjectClass=mepManagedEntry

authentication.ldap.usernameAttribute=cn



Super Collaborator

Thanks @Orlando Teixeira. Could you share a sample ldif file that you used for ldapadd? I was able to sync the user base using the defaults specified above. I did not see a dn attribute on any of my users/groups using JXplorer and hence wanted to know how relevant these default values are. After the sync, the admin user in IPA, which defaults to admin, messed up my Ambari admin user, which is also admin by default.

Expert Contributor

@Arun A K If you have an existing admin user in your AD/LDAP, it will override the existing Ambari admin user. This is known behaviour.

Super Collaborator

@Krishna Pandey. In anticipation of this, I had created an ambari_admin before the sync and granted the admin role to this new user. However, after sync, I am not able to see the user management option in ambari after logging in as ambari_admin. Is this some configuration issue at my end?

Expert Contributor

The earlier created local Ambari "ambari_admin" user should still exist after the LDAP sync. Please select "All" as Type in the Manage Ambari -> User+Group Management section; your user should show up there.

Expert Contributor

Try Distinguished name attribute* (dn): dn

Super Collaborator

Thanks @Krishna Pandey. I was able to use the default ones to sync up the users. However, I was not sure where these attributes are attached to my users/groups, since I could not see anything called dn using JXplorer.


@Arun A K, first let's fix your admin. Simply go into the database and do:

update users set ldap_user = 0 where user_name = 'admin';

then reset the password as follows:

https://community.hortonworks.com/questions/449/how-to-reset-ambari-admin-password.html

Here is the output of an ldapsearch on a user in my IPA, to show you where dn is:

# orlando, users, accounts, ipa.example.com
dn: uid=orlando,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
displayName: Orlando Teixeira
cn: Orlando Teixeira
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
sn: Teixeira
gecos: Orlando Teixeira
homeDirectory: /home/orlando
krbPwdPolicyReference: cn=global_policy,cn=IPA.EXAMPLE.COM,cn=kerberos,dc=ipa,
 dc=example,dc=com
mail: orlando@ipa.example.com
krbPrincipalName: orlando@IPA.EXAMPLE.COM
givenName: Orlando
uid: orlando
initials: OT
ipaUniqueID: 3b9308de-895c-11e5-a188-0800274e577d
uidNumber: 1690200001
gidNumber: 1690200001
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
memberOf: cn=test,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
memberOf: cn=test2,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
mepManagedEntry: cn=orlando,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
krbLoginFailedCount: 6
krbLastFailedAuth: 20160601185034Z


# orlando, groups, accounts, ipa.example.com
dn: cn=orlando,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: orlando
gidNumber: 1690200001
description: User private group for orlando
mepManagedBy: uid=orlando,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
ipaUniqueID: 3b9b8388-895c-11e5-a188-0800274e577d
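Added example (not Ambari's code and not from any poster in this thread): the settings in the accepted solution and the ldapsearch output in the reply above can be checked against each other offline. The script below parses a constructed, abridged copy of the two entries shown above, unfolds the wrapped krbPwdPolicyReference line the way LDIF requires, and applies a deliberately simplified model of the sync selection (assumption: entries are picked by objectClass=<userObjectClass> and the login name is read from <usernameAttribute>; Ambari's real query is not reproduced here). Two things it makes visible: `dn` is the entry's name, written as the `dn:` line in LDIF and shown as the tree node in JXplorer rather than in the attribute list, which is why it never appears as an attribute; and with userObjectClass=mepManagedEntry plus usernameAttribute=cn the entry that matches is the user private group cn=orlando, whose cn equals the user's uid, whereas a posixaccount plus uid pair (a comparison setting assumed here, not taken from the thread) matches the user entry itself.

```python
"""Added example: parse the IPA entries from the reply above and check
which of them a given userObjectClass/usernameAttribute pair selects.
Not Ambari code; the selection logic is a simplified model (assumption)."""
import base64
from collections import defaultdict

# Constructed, abridged copy of the ldapsearch output posted above.
LDIF = """\
# orlando, users, accounts, ipa.example.com
dn: uid=orlando,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
cn: Orlando Teixeira
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: mepOriginEntry
krbPwdPolicyReference: cn=global_policy,cn=IPA.EXAMPLE.COM,cn=kerberos,dc=ipa,
 dc=example,dc=com
uid: orlando
uidNumber: 1690200001
gidNumber: 1690200001
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
mepManagedEntry: cn=orlando,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com

# orlando, groups, accounts, ipa.example.com
dn: cn=orlando,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: orlando
gidNumber: 1690200001
description: User private group for orlando
mepManagedBy: uid=orlando,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
"""


def parse_ldif(text):
    """Return a list of entries, each a dict of lowercased attribute name
    -> list of values. The 'dn:' line is kept under the key 'dn' so the
    entry name is reachable like an attribute. Handles '#' comments,
    folded lines (a leading space continues the previous line, RFC 2849)
    and base64 values ('attr:: ...')."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith('#'):
            continue
        if raw.startswith(' ') and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, attrs = [], defaultdict(list)
    for line in unfolded + ['']:          # trailing '' flushes the last entry
        if not line:
            if attrs:
                entries.append(dict(attrs))
                attrs = defaultdict(list)
            continue
        name, _, value = line.partition(':')
        if value.startswith(':'):         # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        attrs[name.strip().lower()].append(value)
    return entries


def select_users(entries, user_object_class, username_attribute):
    """Simplified model of the sync selection (assumption, not Ambari's
    real query): keep entries carrying user_object_class (objectClass
    values compare case-insensitively in LDAP) and return (dn, login name),
    where the login name is the first value of username_attribute."""
    hits = []
    for entry in entries:
        classes = {c.lower() for c in entry.get('objectclass', [])}
        if user_object_class.lower() in classes:
            login = entry.get(username_attribute.lower(), [None])[0]
            hits.append((entry['dn'][0], login))
    return hits


def compare_settings():
    """Apply the accepted-solution pair and, for comparison, a
    posixaccount/uid pair (assumed here, not taken from the thread)."""
    entries = parse_ldif(LDIF)
    return {
        'mepManagedEntry/cn': select_users(entries, 'mepManagedEntry', 'cn'),
        'posixaccount/uid': select_users(entries, 'posixaccount', 'uid'),
    }


if __name__ == '__main__':
    for setting, hits in compare_settings().items():
        for dn, login in hits:
            print(f'{setting:20} -> login {login!r} from {dn}')
```

Run it with python3; it prints which entry each setting pair selects and the login name that results. Both pairs yield the login name orlando, but from different entries, which is the point to keep in mind when deciding which objectClass the sync should target. The parser is intentionally minimal (no change records, no URL values) and the LDIF is trimmed to the attributes that matter for the comparison.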

Super Collaborator

Thanks @Orlando Teixeira. One last question: what tool do you use to add users to the directory? I have been using ipa user-add and ipa group-add, and as a result, if I do an ldap search, I don't find any values for krbPwdPolicyReference and krbPrincipalName. Is there something I am doing wrong here?

[admin@ipa ec2-user]$ ldapsearch -x  -W "uid=jsmith"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: uid=jsmith
# requesting: ALL
#
# jsmith, users, compat, arunak.com
dn: uid=jsmith,cn=users,cn=compat,dc=example,dc=com
cn: James Smith
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
ipaAnchorUUID:: OklQQTphcnVuYWsuY29tOmVhMzk5OGEwLTY2NDAtMTFlNi05NTExLTEyNzY0N2
 ZhZThlOQ==
gidNumber: 443400011
gecos: James Smith
uidNumber: 443400011
loginShell: /bin/sh
homeDirectory: /home/jsmith
uid: jsmith
# jsmith, users, accounts, example.com
dn: uid=jsmith,cn=users,cn=accounts,dc=example,dc=com
displayName: James Smith
uid: tutui
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: SA
gecos: James Smith
sn: Smith
homeDirectory: /home/jsmith
givenName: James
cn: James Smith
uidNumber: 443400011
gidNumber: 443400011
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2