
LDAP Group sync error

Mentor

Hi all,

Here is part of my ambari.properties after running the ambari-server setup-ldap. My 4 users who are in hadoop_administrators get created but NOT the group. I have tried different group related parameters in vain. What could be the problem here?

This is part of my ambari.properties; some values were changed for security reasons.

authentication.ldap.baseDn=OU=Users,OU=Enterprise,DC=hq,DC=group
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=organizationalPerson
authentication.ldap.groupMembershipAttr=memberOf
authentication.ldap.groupNamingAttr=CN=hadoop_administrators,OU=Data Lake,OU=Applications,OU=Administrative,DC=hq,DC=group
authentication.ldap.groupObjectClass=group
authentication.ldap.managerDn=cn=svc-hadoop-ldap,ou=Data Lake,ou=Applications,ou=Administrative,dc=hq,dc=group
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=fake.group:389
authentication.ldap.referral=ignore
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=user
authentication.ldap.usernameAttribute=sAMAccountName

User sync

# ambari-server sync-ldap --users users.txt
Using python  /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing specified users and groups..
Completed LDAP Sync.
Summary:
  memberships:
    removed = 0
    created = 0
  users:
    updated = 0
    removed = 0
    created = 4
  groups:
    updated = 0
    removed = 0
    created = 0
Ambari Server 'sync-ldap' completed successfully.

Group sync

# ambari-server sync-ldap --groups groups.txt
Using python  /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing specified users and groups..
ERROR: Exiting with exit code 1.
REASON: Caught exception running LDAP sync. Couldn't sync LDAP group hadoop_administrator, it doesn't exist

The group hadoop_administrator exists in the LDAP and consists of the 4 users imported earlier. What am I doing wrong?


Mentor

@Artem Ervits

Can you check why my posting needs validation from the moderator? I need some help on this as quickly as possible.

Cheers

Contributor

If you are trying to sync just a single group, make sure there are no spaces at the end of the group name in groups.txt

Mentor

@Ekantheshwara Basappa

Below is the proof that there is no blank after the group name! What parameters should I use to import a single group, and what is the ldapsearch string on Linux to validate what this group returns?

[attached screenshot: groups.png]

Contributor

The value for the property "authentication.ldap.groupNamingAttr" in your config does not look right. I have the below config and it works fine for me:

authentication.ldap.groupNamingAttr=cn

Mentor

@Ekantheshwara Basappa

I changed authentication.ldap.groupNamingAttr, but I get the same error:

# ambari-server sync-ldap --groups groups.txt
Using python  /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing specified users and groups...
ERROR: Exiting with exit code 1.
REASON: Caught exception running LDAP sync. Couldn't sync LDAP group hadoop_administrator, it doesn't exist

Contributor

Please set the baseDn to "DC=hq,DC=group" in your ambari.properties and give it a try.

Mentor

@Ekantheshwara Basappa

That baseDn you have suggested is an example from the Hortonworks template! I am sure it can't work, as it doesn't map to my domain setup.

Contributor

My suggestion was based on your ambari properties in which the baseDN is set to "OU=Users,OU=Enterprise,DC=hq,DC=group". Please remove the "OU" part from your baseDN as your users and groups are in different OUs (again, based on your ambari properties).

New Contributor

@Ekantheshwara Basappa

You probably found your way past this by now. 🙂

I ran into this problem today and the issue ended up being the "Group name attribute" was not set correctly.

I was able to solve it by using ldapsearch to query for a group from the Active Directory server and then read how it listed its values. For example, this search will return all groups that exist within the example.com AD:

ldapsearch -o ldif-wrap=no -LLL -D any_user@example.com -W -h <ldap_ip_address> -p 389 '(objectClass=group)' -b "DC=example,DC=com"

Here is what a single response from the above search looks like (minus the unnecessary bits):

dn: CN=my_group,OU=Groups,DC=example,DC=com
objectClass: top
objectClass: group
cn: my_group
member: CN=user3,OU=Users,DC=example,DC=com
member: CN=user2,OU=Users,DC=example,DC=com
member: CN=user1,OU=Users,DC=example,DC=com
distinguishedName: CN=my_group,OU=Groups,DC=example,DC=com
name: my_group
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com

Reviewing this ldapsearch response, you can figure out what your entries should be for ldap-sync in Ambari.

Notice the group's name attribute is "cn" and that group member attribute is "member".

This is what solved it for me anyway...
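The two points the thread converges on (the group naming and membership attributes must be attribute names read off the directory's own group entry, and the baseDn must actually contain the group's DN, not just the users' OU) can be checked mechanically. The script below is an added example, not code from the thread or from the Ambari project: it parses an unwrapped `ldapsearch -LLL` LDIF entry for a group (the constructed sample mirrors the reply above), derives the three ambari.properties group settings, and warns when the configured baseDn excludes the group.

```python
"""Derive Ambari LDAP group-sync settings from an ldapsearch LDIF group entry.

Added example (not from the thread or Ambari). Assumes the LDIF was produced
with `-o ldif-wrap=no -LLL`, so every attribute sits on one `name: value` line.
"""
from collections import defaultdict

# Constructed LDIF for a group, modelled on the reply above (not real directory data).
SAMPLE_GROUP_LDIF = """\
dn: CN=my_group,OU=Groups,DC=example,DC=com
objectClass: top
objectClass: group
cn: my_group
member: CN=user3,OU=Users,DC=example,DC=com
member: CN=user2,OU=Users,DC=example,DC=com
member: CN=user1,OU=Users,DC=example,DC=com
distinguishedName: CN=my_group,OU=Groups,DC=example,DC=com
name: my_group
"""


def parse_ldif_entry(text):
    """Parse one unwrapped LDIF entry into {lowercase attribute: [values]}."""
    attrs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        attrs[key.strip().lower()].append(value.strip())
    return attrs


def dn_under_base(dn, base_dn):
    """True if dn lies under base_dn: its RDN list ends with base_dn's RDN list."""
    parts = [r.strip().lower() for r in dn.split(",")]
    base = [r.strip().lower() for r in base_dn.split(",")]
    return len(parts) >= len(base) and parts[-len(base):] == base


def derive_ambari_group_settings(ldif_text, base_dn):
    """Return (settings dict, warnings list) implied by a group entry and a baseDn."""
    entry = parse_ldif_entry(ldif_text)
    warnings = []
    # The naming attribute is an attribute NAME such as cn, never the group's DN.
    naming_attr = "cn" if "cn" in entry else "name"
    # AD lists members on the group ("member"); memberOf is a back-link on user entries.
    membership_attr = next((a for a in ("member", "uniquemember") if a in entry), None)
    if membership_attr is None:
        warnings.append("group lists no member attribute; memberOf lives on user entries, not here")
    object_class = "group" if "group" in entry["objectclass"] else entry["objectclass"][-1]
    if not dn_under_base(entry["dn"][0], base_dn):
        warnings.append("group %s is outside baseDn %s; sync reports it as missing" % (entry["dn"][0], base_dn))
    return {
        "authentication.ldap.groupNamingAttr": naming_attr,
        "authentication.ldap.groupMembershipAttr": membership_attr or "memberOf",
        "authentication.ldap.groupObjectClass": object_class,
    }, warnings
```

Feed it the real entry for hadoop_administrators together with the baseDn from ambari.properties; a baseDn of OU=Users,... produces the "outside baseDn" warning, which matches the Contributor's advice to shorten it to DC=hq,DC=group.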
