Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

RHEL Stand Alone IPA Ambari LDAP Integration

Solved Go to solution
Highlighted

RHEL Stand Alone IPA Ambari LDAP Integration

New Contributor

Greetings,

We're having issues getting Ambari LDAP hooked into an existing RHEL IdM.

[25/Apr/2016:17:38:46 +0000] conn=103047 fd=111 slot=111 connection from 10.72.142.71 to 10.72.142.30 [25/Apr/2016:17:38:46 +0000] conn=103047 op=0 BIND dn="" method=128 version=3 [25/Apr/2016:17:38:46 +0000] conn=103047 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="" [25/Apr/2016:17:38:46 +0000] conn=103047 op=1 SRCH base="dc=ace,dc=mydomain,dc=com" scope=2 filter="(uid=idmadmin)" attrs=ALL [25/Apr/2016:17:38:46 +0000] conn=103047 op=1 RESULT err=0 tag=101 nentries=1 etime=0 [25/Apr/2016:17:38:46 +0000] conn=103047 op=2 UNBIND [25/Apr/2016:17:38:46 +0000] conn=103047 op=2 fd=111 closed - U1

I opened a ticket with Redhat and they confirmed these logs indicate our client's (Ambari) query, is reaching the IdM, but for some reason the session is not moving forward after the and is closing. The following is from Ambari logs but does not paint a clear picture for me:

25 Apr 2016 17:38:44,912 WARN [qtp-client-24] ServletHandler:563 - /api/v1/ldap_sync_events org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect result size: expected 1, actual 2 at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntryInternal(SpringSecurityLdapTemplate.java:243) at org.springframework.security.ldap.SpringSecurityLdapTemplate$3.executeWithContext(SpringSecurityLdapTemplate.java:198) at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:807) at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:793) at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntry(SpringSecurityLdapTemplate.java:196) at org.springframework.security.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:116) at org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:90) at org.apache.ambari.server.security.authorization.AmbariLdapBindAuthenticator.authenticate(AmbariLdapBindAuthenticator.java:53) at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:178) at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:61) at org.apache.ambari.server.security.authorization.AmbariLdapAuthenticationProvider.authenticate(AmbariLdapAuthenticationProvider.java:60) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174) at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:168) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) at org.apache.ambari.server.api.MethodOverrideFilter.doFilter(MethodOverrideFilter.java:72) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) at org.apache.ambari.server.api.AmbariPersistFilter.doFilter(AmbariPersistFilter.java:47) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82) at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:294) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:501) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:429) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135) at org.apache.ambari.server.controller.AmbariHandlerList.processHandlers(AmbariHandlerList.java:209) at org.apache.ambari.server.controller.AmbariHandlerList.processHandlers(AmbariHandlerList.java:198) at org.apache.ambari.server.controller.AmbariHandlerList.handle(AmbariHandlerList.java:132) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116) at org.eclipse.jetty.server.Server.handle(Server.java:370) at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494) at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:982) at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1043) at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865) at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240) at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82) at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696) at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608) at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543) at java.lang.Thread.run(Thread.java:745)

Any help would be appreciated.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: RHEL Stand Alone IPA Ambari LDAP Integration

Your BIND dn is empty. I did Ambari sync with Free IPA a few months ago. I created a system account for binding to LDAP using ldapmodify as explained here, and used that for my BIND dn. Also check other properties set during "ambari-server setup-ldap" and make sure they are in sync with the ones set by IPA. You can use "ipa user-find" to inspect the structure of your users. To change some properties in Ambari you can re-run setup-ldap or set properties directly in /etc/ambari-server/conf/ambari.properties and restart ambari-server.

2 REPLIES 2

Re: RHEL Stand Alone IPA Ambari LDAP Integration

Your BIND dn is empty. I did Ambari sync with Free IPA a few months ago. I created a system account for binding to LDAP using ldapmodify as explained here, and used that for my BIND dn. Also check other properties set during "ambari-server setup-ldap" and make sure they are in sync with the ones set by IPA. You can use "ipa user-find" to inspect the structure of your users. To change some properties in Ambari you can re-run setup-ldap or set properties directly in /etc/ambari-server/conf/ambari.properties and restart ambari-server.

Re: RHEL Stand Alone IPA Ambari LDAP Integration

New Contributor

Thanks for your response, @Predrag Minovic. This pointed me in the right direction and I successfully pulled in users/groups.

Don't have an account?
Coming from Hortonworks? Activate your account here