Created 04-18-2017 05:56 PM
Hi all,
Here is part of my ambari.properties after running the ambari-server setup-ldap. My 4 users who are in hadoop_administrators get created but NOT the group. I have tried different group related parameters in vain. What could be the problem here?
This is part of my Ambari.properties some change made for security reasons
authentication.ldap.baseDn=OU=Users,OU=Enterprise,DC=hq,DC=group
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=organizationalPerson
authentication.ldap.groupMembershipAttr=memberOf
authentication.ldap.groupNamingAttr=CN=hadoop_administrators,OU=Data Lake,OU=Applications,OU=Administrative,DC=hq,DC=group
authentication.ldap.groupObjectClass=group
authentication.ldap.managerDn=cn=svc-hadoop-ldap,ou=Data Lake,ou=Applications,ou=Administrative,dc=hq,dc=group
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=fake.group:389
authentication.ldap.referral=ignore
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=user
authentication.ldap.usernameAttribute=sAMAccountName
User sync
# ambari-server sync-ldap --users users.txt
Using python /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing specified users and groups..
Completed LDAP Sync.
Summary:
  memberships:
    removed = 0
    created = 0
  users:
    updated = 0
    removed = 0
    created = 4
  groups:
    updated = 0
    removed = 0
    created = 0
Ambari Server 'sync-ldap' completed successfully.
Group sync
# ambari-server sync-ldap --groups groups.txt
Using python /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing specified users and groups..
ERROR: Exiting with exit code 1.
REASON: Caught exception running LDAP sync. Couldn't sync LDAP group hadoop_administrator, it doesn't exist
The group hadoop_administrator exists in the LDAP, consisting of the 4 users imported earlier. What am I doing wrong?
Created 04-18-2017 05:56 PM
Can someone check why my posting needs validation from the moderator? I need some help on this as quickly as possible.
Cheers
Created 04-19-2017 02:22 AM
If you are trying to sync just a single group, make sure there are no spaces at the end of the group name in groups.txt
Created 04-19-2017 09:13 AM
Below is the proof that there is no blank after the group name! What are the parameters to use to import a single group, and what is the ldapsearch string on Linux to validate the return of this group?
Created 04-19-2017 10:44 PM
The value for the property "authentication.ldap.groupNamingAttr" in your config does not look right. I have the below config and it works fine for me:
authentication.ldap.groupNamingAttr=cn
Created 04-20-2017 06:36 AM
I changed authentication.ldap.groupNamingAttr, but I get the same error:
# ambari-server sync-ldap --groups groups.txt
Using python /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing specified users and groups...
ERROR: Exiting with exit code 1.
REASON: Caught exception running LDAP sync. Couldn't sync LDAP group hadoop_administrator, it doesn't exist
Created 04-21-2017 01:48 AM
Please set the baseDn to "DC=hq,DC=group" in your ambari.properties and give it a try.
Created 04-21-2017 11:05 AM
That baseDn you have suggested is an example in the Hortonworks template! I am sure it can't work, as it doesn't map to my domain setup.
Created 04-21-2017 11:48 PM
My suggestion was based on your ambari properties in which the baseDN is set to "OU=Users,OU=Enterprise,DC=hq,DC=group". Please remove the "OU" part from your baseDN as your users and groups are in different OUs (again, based on your ambari properties).
Created 03-04-2018 01:51 PM
You probably found your way past this by now. 🙂
I ran into this problem today and the issue ended up being the "Group name attribute" was not set correctly.
I was able to solve it by using ldapsearch to query for a group from the Active Directory server and then read how it listed its values. For example, this search will return all groups that exist within the example.com AD:
ldapsearch -o ldif-wrap=no -LLL -D any_user@example.com -W -h <ldap_ip_address> -p 389 '(objectClass=group)' -b "DC=example,DC=com"
Here is what a single response from the above search looks like (minus the unnecessary bits):
dn: CN=my_group,OU=Groups,DC=example,DC=com
objectClass: top
objectClass: group
cn: my_group
member: CN=user3,OU=Users,DC=example,DC=com
member: CN=user2,OU=Users,DC=example,DC=com
member: CN=user1,OU=Users,DC=example,DC=com
distinguishedName: CN=my_group,OU=Groups,DC=example,DC=com
name: my_group
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
Reviewing this ldapsearch response, you can figure out what your entries should be for ldap-sync in Ambari.
Notice the group's name attribute is "cn" and that group member attribute is "member".
This is what solved it for me anyway...
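Putting the thread's fixes side by side (the groupNamingAttr=cn answer of 04-19-2017, the baseDn advice of 04-21-2017, the trailing-space hint of 04-19-2017, and the ldapsearch approach in the last answer), here is an added example that is not code from the thread or from Ambari. It takes one group entry as printed by ldapsearch and checks a set of ambari.properties values against it: the naming attribute must be an attribute name rather than a DN, the membership attribute must actually exist on the group entry (memberOf is an attribute of the user, not of the group), baseDn must be an ancestor of both the group and its members, and each groups.txt line must match the naming attribute exactly. The LDIF, DNs and property dictionaries are constructed sample data modelled on the answer's example.com output. One more thing worth checking with the last test: the config in the first post names hadoop_administrators while the error message reports hadoop_administrator, and sync-ldap reports a one-letter mismatch with the same "it doesn't exist" message as a trailing blank.

```python
# Added example (not from the thread or from Ambari): checks Ambari's LDAP
# group-sync properties against one group entry copied out of ldapsearch output.
# Every DN, property value and LDIF line below is constructed sample data.
from typing import Dict, List

# Constructed: one unwrapped entry, shaped like the answer's
#   ldapsearch -o ldif-wrap=no -LLL ... '(objectClass=group)' -b "DC=example,DC=com"
SAMPLE_LDIF = """\
dn: CN=my_group,OU=Groups,DC=example,DC=com
objectClass: top
objectClass: group
cn: my_group
member: CN=user3,OU=Users,DC=example,DC=com
member: CN=user2,OU=Users,DC=example,DC=com
member: CN=user1,OU=Users,DC=example,DC=com
distinguishedName: CN=my_group,OU=Groups,DC=example,DC=com
name: my_group
"""

# Constructed: the first post's settings transposed onto example.com ...
BROKEN_PROPS = {
    "authentication.ldap.baseDn": "OU=Users,DC=example,DC=com",
    "authentication.ldap.groupNamingAttr": "CN=my_group,OU=Groups,DC=example,DC=com",
    "authentication.ldap.groupMembershipAttr": "memberOf",
}
# ... and the values the thread converged on.
FIXED_PROPS = {
    "authentication.ldap.baseDn": "DC=example,DC=com",
    "authentication.ldap.groupNamingAttr": "cn",
    "authentication.ldap.groupMembershipAttr": "member",
}


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one unwrapped LDIF entry into attr -> values (attribute names lower-cased)."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def dn_rdns(dn: str) -> List[str]:
    """Case-folded RDN list; assumes no escaped commas (true for plain OU/DC layouts)."""
    return [part.strip().lower() for part in dn.split(",")]


def dn_is_under(dn: str, base_dn: str) -> bool:
    """True if base_dn is dn itself or one of its ancestors (a suffix of its RDNs)."""
    rdns, base = dn_rdns(dn), dn_rdns(base_dn)
    return len(base) <= len(rdns) and rdns[len(rdns) - len(base):] == base


def common_base_dn(dns: List[str]) -> str:
    """Longest common suffix of the DNs: the narrowest baseDn that covers all of them."""
    reversed_parts = [[p.strip() for p in dn.split(",")][::-1] for dn in dns]
    common: List[str] = []
    for column in zip(*reversed_parts):
        if len({p.lower() for p in column}) != 1:
            break
        common.append(column[0])
    return ",".join(reversed(common))


def check_config(props: Dict[str, str], entry: Dict[str, List[str]],
                 groups_txt_lines: List[str]) -> List[str]:
    """Return the problems found; an empty list means the settings fit the entry."""
    problems: List[str] = []
    naming = props["authentication.ldap.groupNamingAttr"]
    if "=" in naming:
        problems.append("groupNamingAttr is a DN; expected an attribute name such as cn")
    elif naming.lower() not in entry:
        problems.append(f"groupNamingAttr {naming!r} is not an attribute of the group")

    membership = props["authentication.ldap.groupMembershipAttr"]
    if membership.lower() not in entry:
        problems.append(f"groupMembershipAttr {membership!r} is not on the group entry "
                        "(AD lists members in 'member'; memberOf is on the user)")

    base_dn = props["authentication.ldap.baseDn"]
    all_dns = entry["dn"] + entry.get("member", [])
    outside = [dn for dn in all_dns if not dn_is_under(dn, base_dn)]
    if outside:
        problems.append(f"baseDn {base_dn!r} does not cover {len(outside)} DN(s); "
                        f"the narrowest covering baseDn is {common_base_dn(all_dns)!r}")

    # sync-ldap matches the line against the naming attribute exactly, so a
    # trailing blank or a one-letter typo both come back as "it doesn't exist".
    known = {v.lower() for v in entry.get(naming.lower(), [])}
    for raw in groups_txt_lines:
        name = raw.rstrip("\n")
        if name != name.strip():
            problems.append(f"groups.txt entry {raw!r} has surrounding whitespace")
        elif known and name.lower() not in known:
            problems.append(f"groups.txt entry {name!r} matches no {naming} value")
    return problems
```

To use it against a real directory, paste the entry for your own group in place of SAMPLE_LDIF and the values from your ambari.properties in place of the dictionaries; feed `open("groups.txt").readlines()` as the last argument so trailing whitespace is seen exactly as sync-ldap sees it. The DN handling deliberately ignores RFC 4514 escaping, which is fine for the OU/DC layouts in this thread but would need a real DN parser for names containing commas.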