I have a kerberorized HDP 3.1 cluster setup with a FreeIPA server.
I already have the trust between the Active Directory and the FreeIPA server.
Now, I would like to add the member of the group created inside the Active Directory server which I have mapped to the FreeIPA server.
I created the Active Directory Group called "FreeIPA-Member" where i set some users: hdp-test and toto.
I mapped the FreeIPA-Member group from the Active Directory to the FreeIPA server using the following commands:
ipa group-add --desc='AD users external for FreeIPA-Members' ad_users_external_freeipa --external
Created the POSIX group in FreeIPA ad_sshaccess_users
ipa group-add -–desc='AD SSH access users' ad_sshaccess_users
ipa group-add-member ad_users_external_freeipa --external “Ad\FreeIPA-Members”
ipa group-add-member ad_sshaccess_users --groups ad_users_external_freeipa
Now I have the ad_sshaccess_users group which is mapped to the external Active Directory group which contains my Active Directory users that I want to use to log-in to the Ambari Web UI.
I also setup the LDAP part on the Ambari Server
ambari-server setup-ldap Using python /usr/bin/python Enter Ambari Admin login: admin Enter Ambari Admin password: Fetching LDAP configuration from DB. Primary LDAP Host (ipaserverhostname.ipadomain): Primary LDAP Port (636): Secondary LDAP Host : Secondary LDAP Port : Use SSL [true/false] (True): Disable endpoint identification during SSL handshake [true/false] (False): Do you want to provide custom TrustStore for Ambari [y/n] (n)? User object class (posixAccount): User ID attribute (uid): Group object class (posixAccount): Group name attribute (cn): Group member attribute (member): Distinguished name attribute (dn): Search Base (cn=groups,cn=accounts,dc=ipa,dc=domain,dc=name,dc=com): Referral method [follow/ignore] (follow): Bind anonymously [true/false] (False): Bind DN (uid=hadoopadmin,cn=users,cn=accounts,dc=ipa,dc=domain,dc=name,dc=com): Enter Bind DN Password: Confirm Bind DN Password: Handling behavior for username collisions [convert/skip] for LDAP sync (skip): Force lower-case user names [true/false] (True): Results from LDAP are paginated when requested [true/false] (False):
I followed the HDP documentation to synchronize users and groups with the Ambari Server
I try adding the ad_sshaccess_users group in a text file: echo "ad_sshaccess_users" > /tmp/groups.txt and then executing the sync-ldap command with the Ambari server:
ambari-server sync-ldap --ldap-sync-admin-name=admin --ldap-sync-admin-password=admin --groups=/tmp/groups.txt
Getting the following errors, which means that ambari server can't find the group in the LDAP DB...
Using python /usr/bin/python Syncing with LDAP... Fetching LDAP configuration from DB. Syncing specified users and groups...ERROR: Exiting with exit code 1. REASON: Caught exception running LDAP sync. Couldn't sync LDAP group ad_sshaccess_users, it doesn't exist
I can kinit with a user from the LDAP
kinit hdp-testAD.DOMAIN Password for hdp-test@AD.DOMAIN: # klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: hdp-test@AD.DOMAIN Valid starting Expires Service principal 04/17/2019 15:04:28 04/18/2019 01:04:28 krbtgt/AD.DOMAIN@AD.DOMAIN renew until 04/24/2019 15:04:25
If you have any solutions or any suggestions, do not hesitate
Thanks in advance
It seems like Ambari is not able to retrieve the group named "ad_sshaccess_users" from the LDAP directory. Try using the OpenLDAP ldapsearch utility to see if that group is found:
ldapsearch -ZZ -h <FQDN IPA server> -D <manager DN> -W -b <search base DN> '(cn=ad_sshaccess_users)'
Ideally the following data is the same as what you entered in during setup-ldap:
This may fail if the IPA server's SSL cert is not trusted, so you can edit /etc/openldap/ldap.conf and add the following line to disable certificate validation:
If the entry is found, make sure the returned LDIF matches the properties you set during setup-ldap:
I manage to retrieve the group named "ad_sshaccess_users" from the LDAP directory to the Ambari. But there is "0 member" inside this group. But in the Active Directory I created 2 users under this group mapped in the FreeIPA.
Do you know if Ambari can retrieve AD users through a FreeIPA server which is doing the LDAP part? I'm not sure about that.