Sync AD users using FreeIPA LDAP with a trust on AD


I have a Kerberized HDP 3.1 cluster set up with a FreeIPA server.

I already have the trust between the Active Directory and the FreeIPA server.

Now, I would like to add the members of the group created inside the Active Directory server, which I have mapped to the FreeIPA server.

I created the Active Directory group called "FreeIPA-Member", where I set some users: hdp-test and toto.

I mapped the FreeIPA-Member group from the Active Directory to the FreeIPA server using the following commands:

ipa group-add --desc='AD users external for FreeIPA-Members' ad_users_external_freeipa --external

Created the POSIX group in FreeIPA ad_sshaccess_users

ipa group-add --desc='AD SSH access users' ad_sshaccess_users
ipa group-add-member ad_users_external_freeipa --external "Ad\FreeIPA-Members"
ipa group-add-member ad_sshaccess_users --groups ad_users_external_freeipa

Now I have the ad_sshaccess_users group, which is mapped to the external Active Directory group that contains the Active Directory users I want to use to log in to the Ambari Web UI.

I also set up the LDAP part on the Ambari Server:

ambari-server setup-ldap
Using python  /usr/bin/python
Enter Ambari Admin login: admin
Enter Ambari Admin password:

Fetching LDAP configuration from DB.
Primary LDAP Host (ipaserverhostname.ipadomain):
Primary LDAP Port (636):
Secondary LDAP Host :
Secondary LDAP Port :
Use SSL [true/false] (True):
Disable endpoint identification during SSL handshake [true/false] (False):
Do you want to provide custom TrustStore for Ambari [y/n] (n)?
User object class (posixAccount):
User ID attribute (uid):
Group object class (posixAccount):
Group name attribute (cn):
Group member attribute (member):
Distinguished name attribute (dn):
Search Base (cn=groups,cn=accounts,dc=ipa,dc=domain,dc=name,dc=com):
Referral method [follow/ignore] (follow):
Bind anonymously [true/false] (False):
Bind DN (uid=hadoopadmin,cn=users,cn=accounts,dc=ipa,dc=domain,dc=name,dc=com):
Enter Bind DN Password:
Confirm Bind DN Password:
Handling behavior for username collisions [convert/skip] for LDAP sync (skip):
Force lower-case user names [true/false] (True):
Results from LDAP are paginated when requested [true/false] (False):
ambari-server restart

I followed the HDP documentation to synchronize users and groups with the Ambari Server

I tried adding the ad_sshaccess_users group to a text file: echo "ad_sshaccess_users" > /tmp/groups.txt and then executing the sync-ldap command with the Ambari server:

ambari-server sync-ldap --ldap-sync-admin-name=admin --ldap-sync-admin-password=admin --groups=/tmp/groups.txt

I get the following errors, which mean that the Ambari server can't find the group in the LDAP DB...

Using python  /usr/bin/python
Syncing with LDAP...

Fetching LDAP configuration from DB.
Syncing specified users and groups...ERROR: Exiting with exit code 1.
REASON: Caught exception running LDAP sync. Couldn't sync LDAP group ad_sshaccess_users, it doesn't exist

I can kinit with a user from the LDAP

kinit hdp-test@AD.DOMAIN
Password for hdp-test@AD.DOMAIN:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdp-test@AD.DOMAIN

Valid starting       Expires              Service principal
04/17/2019 15:04:28  04/18/2019 01:04:28  krbtgt/AD.DOMAIN@AD.DOMAIN
	renew until 04/24/2019 15:04:25

If you have any solutions or any suggestions, do not hesitate

Thanks in advance



It seems like Ambari is not able to retrieve the group named "ad_sshaccess_users" from the LDAP directory. Try using the OpenLDAP ldapsearch utility to see if that group is found:

ldapsearch -ZZ -h <FQDN IPA server> -D <manager DN> -W -b <search base DN> '(cn=ad_sshaccess_users)'

Ideally the following data is the same as what you entered during setup-ldap:

  • <FQDN IPA server>
  • <manager DN> (and password when prompted)
  • <search base DN>

This may fail if the IPA server's SSL cert is not trusted, so you can edit /etc/openldap/ldap.conf and add the following line to disable certificate validation:


If the entry is found, make sure the returned LDIF matches the properties you set during setup-ldap:

  • object class
  • group name attribute


I managed to retrieve the group named "ad_sshaccess_users" from the LDAP directory into Ambari. But there is "0 member" inside this group, although in the Active Directory I created 2 users under this group mapped in the FreeIPA.

Do you know if Ambari can retrieve AD users through a FreeIPA server which is doing the LDAP part? I'm not sure about that.