Support Questions

Find answers, ask questions, and share your expertise
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.

Sync AD users using FreeIPA LDAP with a trust on AD


I have a kerberorized HDP 3.1 cluster setup with a FreeIPA server.

I already have the trust between the Active Directory and the FreeIPA server.

Now, I would like to add the member of the group created inside the Active Directory server which I have mapped to the FreeIPA server.

I created the Active Directory Group called "FreeIPA-Member" where i set some users: hdp-test and toto.

I mapped the FreeIPA-Member group from the Active Directory to the FreeIPA server using the following commands:

ipa group-add --desc='AD users external for FreeIPA-Members' ad_users_external_freeipa --external

Created the POSIX group in FreeIPA ad_sshaccess_users

ipa group-add -–desc='AD SSH access users' ad_sshaccess_users
ipa group-add-member ad_users_external_freeipa --external “Ad\FreeIPA-Members”
ipa group-add-member ad_sshaccess_users --groups ad_users_external_freeipa

Now I have the ad_sshaccess_users group which is mapped to the external Active Directory group which contains my Active Directory users that I want to use to log-in to the Ambari Web UI.

I also setup the LDAP part on the Ambari Server

ambari-server setup-ldap
Using python  /usr/bin/python
Enter Ambari Admin login: admin
Enter Ambari Admin password:

Fetching LDAP configuration from DB.
Primary LDAP Host (ipaserverhostname.ipadomain):
Primary LDAP Port (636):
Secondary LDAP Host :
Secondary LDAP Port :
Use SSL [true/false] (True):
Disable endpoint identification during SSL handshake [true/false] (False):
Do you want to provide custom TrustStore for Ambari [y/n] (n)?
User object class (posixAccount):
User ID attribute (uid):
Group object class (posixAccount):
Group name attribute (cn):
Group member attribute (member):
Distinguished name attribute (dn):
Search Base (cn=groups,cn=accounts,dc=ipa,dc=domain,dc=name,dc=com):
Referral method [follow/ignore] (follow):
Bind anonymously [true/false] (False):
Bind DN (uid=hadoopadmin,cn=users,cn=accounts,dc=ipa,dc=domain,dc=name,dc=com):
Enter Bind DN Password:
Confirm Bind DN Password:
Handling behavior for username collisions [convert/skip] for LDAP sync (skip):
Force lower-case user names [true/false] (True):
Results from LDAP are paginated when requested [true/false] (False):
ambari-server restart

I followed the HDP documentation to synchronize users and groups with the Ambari Server

I try adding the ad_sshaccess_users group in a text file: echo "ad_sshaccess_users" > /tmp/groups.txt and then executing the sync-ldap command with the Ambari server:

ambari-server sync-ldap --ldap-sync-admin-name=admin --ldap-sync-admin-password=admin --groups=/tmp/groups.txt

Getting the following errors, which means that ambari server can't find the group in the LDAP DB...

Using python  /usr/bin/python
Syncing with LDAP...

Fetching LDAP configuration from DB.
Syncing specified users and groups...ERROR: Exiting with exit code 1.
REASON: Caught exception running LDAP sync. Couldn't sync LDAP group ad_sshaccess_users, it doesn't exist

I can kinit with a user from the LDAP

kinit hdp-testAD.DOMAIN
Password for hdp-test@AD.DOMAIN:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdp-test@AD.DOMAIN

Valid starting       Expires              Service principal
04/17/2019 15:04:28  04/18/2019 01:04:28  krbtgt/AD.DOMAIN@AD.DOMAIN
	renew until 04/24/2019 15:04:25

If you have any solutions or any suggestions, do not hesitate

Thanks in advance


It seems like Ambari is not able to retrieve the group named "ad_sshaccess_users" from the LDAP directory. Try using the OpenLDAP ldapsearch utility to see if that group is found:

ldapsearch -ZZ -h <FQDN IPA server> -D <manager DN> -W -b <search base DN> '(cn=ad_sshaccess_users)'

Ideally the following data is the same as what you entered in during setup-ldap:

  • <FQDN IPA server>
  • <manager DN> (and password when prompted)
  • <search base DN>

This may fail if the IPA server's SSL cert is not trusted, so you can edit /etc/openldap/ldap.conf and add the following line to disable certificate validation:


If the entry is found, make sure the returned LDIF matches the properties you set during setup-ldap:

  • object class
  • group name attribute


I manage to retrieve the group named "ad_sshaccess_users" from the LDAP directory to the Ambari. But there is "0 member" inside this group. But in the Active Directory I created 2 users under this group mapped in the FreeIPA.

Do you know if Ambari can retrieve AD users through a FreeIPA server which is doing the LDAP part? I'm not sure about that.

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.