Hi Experts,
I am trying to integrate A/D 2012 Server with Ambari 2.1.2. HDP version 2.3.
I've tried various permutation combinations with the properties but still I am not successful in integrating the AD with Ambari. I could successfully integrate AD with Ranger and Knox trying to use the properties in the similar lines.
Active directory domain controller name is : TEST.COM, AD is running on 10.0.2.10
One of the valid users in AD is "Darpan Patel" and has the principal : darpan@TEST.COM and all the users are in "Users" container.
We are running Ambari as a root user.
Here are the properties I am setting for Ambari - AD integration from /etc/ambari-server/conf/ambari.properties
api.authenticate=true
authentication.ldap.baseDn=CN=Users,DC=test,DC=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=CN=Users,DC=test,DC=com
authentication.ldap.groupMembershipAttr=uid
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=group
authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com
# also tried with
# CN=users,DC=test,DC=com
# CN=darpan,DC=test,DC=com
# CN=darpan@TEST.COM,DC=test,DC=com
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=10.0.2.10:389
authentication.ldap.referral=ignore
authentication.ldap.secondaryUrl=10.0.2.10:389
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=person
authentication.ldap.usernameAttribute=sAMAccountName
Here is the list of sequence what I am trying to do:
- $ ambari-server setup-ldap
- Enter the above properties
- Restart the ambari server
- $ambari-server sync-ldap --all
- Enter admin id/password (i.e. default Ambari Admin userid : admin/admin) also tried with darpan, darpan@TEST.COM
- In all the cases I see :
Syncing all.ERROR: Exiting with exit code 1.
REASON: Sync event creation failed. Error details: HTTP Error 403: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
7) Log shows :
18 Dec 2015 10:27:34,899 WARN [qtp-client-26] AmbariLdapAuthenticationProvider:71 - Looks like LDAP manager credentials (that are used for connecting to LDAP server) are invalid.
org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
I thought that password could be wrong for the AD user but with the same ad user I am able to issue a TGT.
i.e. for the user in ambari properties : authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com
I am able to get a ticket : kinit darpan@TEST.COM.
------------------
Interesting thing is : I am no longer to login to Ambari using admin/admin user. On the ambari portal : when I use admin/admin it says invalid credentials. So I tried resetting the password to default by changing in the ambari.users db (update ambari.users set user_password='538916f8943ec225d97a9a86a2c6ec0818c1cd400e09e03b660fdaaec4af29ddbb6f2b1033b81b00' where user_name='admin')
To my curiosity when I see the ambari.users table few of the A/D users are present in the table. for example :
ambari=> select * from ambari.users;
user_id | principal_id | ldap_user | user_name | create_time | active |
--------+--------------+-----------+---------------+----------------------------+------
12 | 4 | 1 | pratlu | 2015-12-17 17:49:05.699 |1 |
3 | 6 |1 | darpan | 2015-12-17 17:49:05.699 |1 |
13 | 3 | 1 | administrator | 2015-12-17 17:49:05.699 |1 |
4 | 5 | 1 | test | 2015-12-17 17:49:05.699 |1 |
14 | 11 | 1 | sanjay.sharma | 2015-12-17 17:49:05.699 |1 |
I also tried logging in to ambari web console using darpan, darpan@TEST.COM, admin/admin but it does not work!!
Did any one face similar issue ? Or can anyone suggest work around?
Regards,
DP
