Here is part of my ambari.properties after running the ambari-server setup-ldap. My 4 users who are in hadoop_administrators get created but NOT the group. I have tried different group related parameters in vain. What could be the problem here?
This is part of my ambari.properties; some changes were made for security reasons.
authentication.ldap.baseDn=OU=Users,OU=Enterprise,DC=hq,DC=group
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=organizationalPerson
authentication.ldap.groupMembershipAttr=memberOf
authentication.ldap.groupNamingAttr=CN=hadoop_administrators,OU=Data Lake,OU=Applications,OU=Administrative,DC=hq,DC=group
authentication.ldap.groupObjectClass=group
authentication.ldap.managerDn=cn=svc-hadoop-ldap,ou=Data Lake,ou=Applications,ou=Administrative,dc=hq,dc=group
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=fake.group:389
authentication.ldap.referral=ignore
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=user
authentication.ldap.usernameAttribute=sAMAccountName
# ambari-server sync-ldap --users users.txt
Using python /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing specified users and groups..
Completed LDAP Sync.
Summary:
  memberships:
    removed = 0
    created = 0
  users:
    updated = 0
    removed = 0
    created = 4
  groups:
    updated = 0
    removed = 0
    created = 0
Ambari Server 'sync-ldap' completed successfully.
# ambari-server sync-ldap --groups groups.txt
Using python /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing specified users and groups..
ERROR: Exiting with exit code 1.
REASON: Caught exception running LDAP sync. Couldn't sync LDAP group hadoop_administrator, it doesn't exist
The group hadoop_administrator exists in the LDAP, consisting of the 4 users imported earlier. What am I doing wrong?
Below is the proof that there is no blank after the group name! What are the parameters to use to import a single group, and what is the ldapsearch string on Linux to validate the return of this group?
The value for the property "authentication.ldap.groupNamingAttr" in your config does not look right. I have the below config and it works fine for me:
I changed the authentication.ldap.groupNamingAttr, but I get the same error:
ambari-server sync-ldap --groups groups.txt
Using python /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing specified users and groups...
ERROR: Exiting with exit code 1.
REASON: Caught exception running LDAP sync. Couldn't sync LDAP group hadoop_administrator, it doesn't exist
My suggestion was based on your ambari properties in which the baseDN is set to "OU=Users,OU=Enterprise,DC=hq,DC=group". Please remove the "OU" part from your baseDN as your users and groups are in different OUs (again, based on your ambari properties).
You probably found your way past this by now. 🙂
I ran into this problem today and the issue ended up being the "Group name attribute" was not set correctly.
I was able to solve it by using ldapsearch to query for a group from the Active Directory server and then read how it listed its values. For example, this search will return all groups that exist within the example.com AD:
ldapsearch -o ldif-wrap=no -LLL -D firstname.lastname@example.org -W -h <ldap_ip_address> -p 389 '(objectClass=group)' -b "DC=example,DC=com"
Here is what a single response from the above search looks like (minus the unnecessary bits):
dn: CN=my_group,OU=Groups,DC=example,DC=com
objectClass: top
objectClass: group
cn: my_group
member: CN=user3,OU=Users,DC=example,DC=com
member: CN=user2,OU=Users,DC=example,DC=com
member: CN=user1,OU=Users,DC=example,DC=com
distinguishedName: CN=my_group,OU=Groups,DC=example,DC=com
name: my_group
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
Reviewing this ldapsearch response, you can figure out what your entries should be for ldap-sync in Ambari.
Notice that the group's name attribute is "cn" and that the group member attribute is "member".
This is what solved it for me anyway...
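As an added example (not code from this thread or from Ambari), the following Python script reads a group entry of the shape shown in the ldapsearch output above, derives the matching authentication.ldap.group* values from the attributes it actually carries, and checks whether the group DN lies under a given baseDn, which is the mismatch pointed out earlier in the thread. The sample entry and all helper names are constructed for the example.

```python
import re
# Constructed sample: one group entry as 'ldapsearch -LLL' prints it (not real data).
SAMPLE_LDIF = """\
dn: CN=my_group,OU=Groups,DC=example,DC=com
objectClass: top
objectClass: group
cn: my_group
member: CN=user3,OU=Users,DC=example,DC=com
member: CN=user2,OU=Users,DC=example,DC=com
member: CN=user1,OU=Users,DC=example,DC=com
distinguishedName: CN=my_group,OU=Groups,DC=example,DC=com
name: my_group
"""

def parse_ldif_entry(text):
    """Return {attr: [values]} for one LDIF entry; attribute names are lowercased."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def dn_components(dn):
    """Split a DN into normalised (attr, value) RDN tuples, e.g. ('ou', 'groups')."""
    return [tuple(p.strip().lower() for p in rdn.split("=", 1))
            for rdn in re.split(r"(?<!\\),", dn)]

def dn_under_base(dn, base_dn):
    """True if dn is at or below base_dn; AD matches DNs case-insensitively."""
    parts, base = dn_components(dn), dn_components(base_dn)
    return len(parts) >= len(base) and parts[-len(base):] == base

def suggest_group_settings(ldif_text, base_dn):
    """Map the entry's attributes onto Ambari's authentication.ldap.group* properties."""
    entry = parse_ldif_entry(ldif_text)
    # 'top' is abstract; the last remaining objectClass is the structural one.
    classes = [c for c in entry.get("objectclass", []) if c.lower() != "top"]
    # AD groups list members in 'member'; 'memberOf' lives on the user, not the group.
    return {
        "authentication.ldap.groupObjectClass": classes[-1] if classes else "group",
        "authentication.ldap.groupNamingAttr": "cn" if "cn" in entry else "name",
        "authentication.ldap.groupMembershipAttr": "member" if "member" in entry else "memberOf",
        "group_within_baseDn": dn_under_base(entry["dn"][0], base_dn),  # False: widen baseDn
    }

if __name__ == "__main__":
    for key, val in suggest_group_settings(SAMPLE_LDIF, "OU=Users,DC=example,DC=com").items():
        print(f"{key}={val}")
```

With the narrow baseDn from the question the last line prints False, which is exactly the situation in which sync-ldap reports that the group does not exist.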