
LDAP File Sync issue

Rising Star

Hi,

I'm using HDP 2.4. I'm preparing NiFi user authentication with LDAP. When I try to sync LDAP it shows the error below.

[root@sandbox ~]# ambari-server sync-ldap --users /root/users.txt
Using python /usr/bin/python2
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing specified users and groups...ERROR: Exiting with exit code 1. REASON: Caught exception running LDAP sync. localhost:33389; nested exception is javax.naming.CommunicationException: localhost:33389 [Root exception is java.net.ConnectException: Connection refused (Connection refused)]

LDAP setup has been done as in ldap-setup.txt.

My user.txt file contains:

varma/varma

Please tell me how to resolve this issue, and what values have to be given for the primary URL and base DN during ambari-ldap setup?

1 ACCEPTED SOLUTION

Super Collaborator

Hi @Narasimma varman

After reading your message again it looks like you're trying to follow https://community.hortonworks.com/articles/7341/nifi-user-authentication-with-ldap.html which, on closer look, is using the Demo LDAP that is part of Knox.

The Knox Demo LDAP listens on port 33389; however, it's not started automatically when you start Knox.

Please make sure you go to Knox in Ambari and select Start Demo LDAP from the Service Actions as per the screenshot from the link above: https://community.hortonworks.com/storage/attachments/956-1.jpg

You can verify that the Demo LDAP has started and is listening on port 33389 by running:

netstat -tnlp|grep 33389

If you see a process listening then you can configure ambari-server setup-ldap with the following options (use admin-password when asked for the Manager password):

# ambari-server setup-ldap
Using python  /usr/bin/python
Setting up LDAP properties...
Primary URL* {host:port} (localhost:33389): localhost:33389
Secondary URL {host:port} : 
Use SSL* [true/false] (false): 
User object class* (person): person
User name attribute* (uid): uid
Group object class* (groupofnames): groupofnames
Group name attribute* (cn): cn
Group member attribute* (member): member
Distinguished name attribute* (dn): dn
Base DN* (dc=hadoop,dc=apache,dc=org): dc=hadoop,dc=apache,dc=org
Referral method [follow/ignore] (follow): 
Bind anonymously* [true/false] (false): false
Manager DN* (uid=admin,ou=people,dc=hadoop,dc=apache,dc=org): uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
Enter Manager Password* : 
Re-enter password: 
====================
Review Settings
====================
authentication.ldap.managerDn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
authentication.ldap.managerPassword: *****
Save settings [y/n] (y)? y
Saving...done
Ambari Server 'setup-ldap' completed successfully.

You might also need to turn off pagination as the Knox LDAP doesn't support it:

echo "authentication.ldap.pagination.enabled=false" >> /etc/ambari-server/conf/ambari.properties

Now, don't forget to restart Ambari Server, and be careful that after running ambari-server sync-ldap --all, the admin user password will change to admin-password.

Other users can be found by running this:

cat /etc/knox/conf/users.ldif|egrep "^uid|^userPassword"

And you can add new users by changing Advanced users-ldif under the Knox Config in Ambari.

Good luck!

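The two failures in this thread (Connection refused on localhost:33389, then LDAP error code 49 on the manager DN bind) can both be caught before running sync-ldap. The following preflight check is an added example, not part of the thread or of Ambari; the ambari.properties and users.ldif contents are constructed samples, and the authentication.ldap.primaryUrl key name is assumed (only managerDn and pagination.enabled appear in the thread).

```python
import re
import socket

# Constructed sample of ambari.properties after setup-ldap (primaryUrl key name assumed).
AMBARI_PROPERTIES = """\
authentication.ldap.primaryUrl=localhost:33389
authentication.ldap.managerDn=uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
authentication.ldap.pagination.enabled=false
"""
# Constructed excerpt in the shape of the Knox Demo LDAP users.ldif (not the real file).
USERS_LDIF = """\
dn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
uid: admin
"""

def parse_properties(text):
    """Java key=value lines; split on the first '=' only, since DN values contain '='."""
    props = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def ldif_attr(text, attr):
    """Case-folded set of one attribute's values across all entries of an LDIF text."""
    return {m.group(1).strip().lower() for m in re.finditer(rf"^{attr}:\s*(.+)$", text, re.M | re.I)}

def port_reachable(host, port, timeout=2.0):
    """True if a TCP connect succeeds; False on 'Connection refused' or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(props_text, ldif_text, users_to_sync, connect=port_reachable):
    """List the problems that would make 'ambari-server sync-ldap' fail before running it."""
    props = parse_properties(props_text)
    host, _, port = props["authentication.ldap.primaryUrl"].partition(":")
    problems = []
    if not connect(host, int(port)):
        problems.append(f"nothing listening on {host}:{port} (Demo LDAP not started?)")
    if props["authentication.ldap.managerDn"].lower() not in ldif_attr(ldif_text, "dn"):
        problems.append("manager DN not in users.ldif (bind would fail with error code 49)")
    for user in users_to_sync:
        if user.lower() not in ldif_attr(ldif_text, "uid"):
            problems.append(f"user {user!r} has no uid entry in users.ldif")
    return problems
```

On a real host, feed it the contents of /etc/ambari-server/conf/ambari.properties and /etc/knox/conf/users.ldif and the user names from your --users file; an empty list means the port, manager DN and users all line up.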

9 REPLIES

@Narasimma varman

1] From the attached ldap-setup.txt, it looks like the port configured is 389; however, the logs say 33389. Please make sure the LDAP server is installed on localhost.

2] BaseDN is a "valid" path in the LDAP server from where users who login/sync to Ambari Server are searched for. The link below gives a reference value; however, this will change per your setup.

https://docs.hortonworks.com/HDPDocuments/Ambari-2.1.1.0/bk_Ambari_Security_Guide/content/_setting_u...

3] Manager DN can be any valid user/path in the LDAP server. Again, the link shared above is for reference only; the value will change as per your setup.

Rising Star

I tried both ports 389 and 636 as configured in Ranger, but I still get this naming exception with the connection refused error. How can I check whether LDAP is running on these port numbers?

Rising Star

Thanks for your response Santhosh B Gowda

Super Collaborator

Hi @Narasimma varman

After running ambari-server setup-ldap did you restart the Ambari Server?

The localhost:33389 error means Ambari Server hasn't been restarted and it's using the default configuration.

Rising Star

Yes, I restarted Ambari Server after running ambari-server setup-ldap.


Rising Star

I followed all your steps but I am still getting the authentication exception mentioned below:

ERROR: Exiting with exit code 1. REASON: Caught exception running LDAP sync. [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=admin,ou=people,dc=hadoop,dc=apache,dc=org]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=admin,ou=people,dc=hadoop,dc=apache,dc=org]

Rising Star

Thanks for your response Alexandru Anghe,

Finally, I successfully logged in to NiFi with LDAP users.

Super Collaborator

That's great to hear @Narasimma varman !

Can you accept the answer please so we know this issue / thread is closed?