Sync ldap problem

Master Mentor

Hi all,

I have a very bizarre situation while running sync-ldap for Ambari. The group does exist in the LDAP but I get an exception! The contents of groups.txt is hadoop_administrators

# ambari-server sync-ldap --users users.txt --groups groups.txt

21 Apr 2017 13:38:12,563 ERROR [pool-16-thread-6] LdapSyncEventResourceProvider:457 - Caught exception running LDAP sync.
org.apache.ambari.server.AmbariException: Couldn't sync LDAP group hadoop_administrators, it doesn't exist
    at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.synchronizeLdapGroups(AmbariLdapDataPopulator.java:253)
    at org.apache.ambari.server.controller.AmbariManagementControllerImpl.synchronizeLdapUsersAndGroups(AmbariManagementControllerImpl.java:4775)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.syncLdap(LdapSyncEventResourceProvider.java:487)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.processSyncEvents(LdapSyncEventResourceProvider.java:445)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.access$000(LdapSyncEventResourceProvider.java:65)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider$1.run(LdapSyncEventResourceProvider.java:257)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

Here is my ambari.properties:

authentication.ldap.alternateUserSearchEnabled=true
authentication.ldap.alternateUserSearchFilter=(&(userPrincipalName={0})(objectClass=person))
authentication.ldap.baseDn=OU=Users,OU=Enterprise,DC=hq,DC=uk,DC=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=distinguishedName
authentication.ldap.groupMembershipAttr=member
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=group
authentication.ldap.managerDn=cn=svc-hadoop-ldap,OU=Data Lake,OU=Applications,OU=Administrative,DC=hq,DC=uk,DC=com
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=mboro:389
authentication.ldap.referral=ignore
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=person
authentication.ldap.usernameAttribute=sAMAccountName 

Attached is a screenshot of my AD Explorer:

CN=svc-hadoop-ldap,OU=Data Lake,OU=Applications,OU=Administrative,DC=hq,DC=k,DC=grp 

I have only 4 users in the LDAP group hadoop_administrators; these users were synced correctly but the process couldn't pull the group.

I appreciate any help.

1 ACCEPTED SOLUTION

Master Mentor

Hi all,

My problem has been resolved! I had to ask the client to install AD Explorer and figured out the correct settings, and not only changed the baseDn but all the group and user attributes!

authentication.ldap.baseDn=DC=hq,DC=uk,DC=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=organizationalPerson
authentication.ldap.groupMembershipAttr=member
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=group
authentication.ldap.managerDn=cn=svc-hadoop-ldap,ou=Data Lake,ou=Applications,ou=Administrative,dc=hq,dc=uk,dc=com
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=fake.uk.com:389
authentication.ldap.referral=ignore
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=organizationalPerson
authentication.ldap.usernameAttribute=sAMAccountName

This pulled out the desired users and group:

ambari-server sync-ldap --groups groups.txt
Using python  /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing specified users and groups....
Completed LDAP Sync.
Summary:
  memberships:
    removed = 0
    created = 4
  users:
    updated = 0
    removed = 0
    created = 1
  groups:
    updated = 0
    removed = 0
    created = 1


REPLIES

Guru

Hello @Geoffrey Shelton Okot,

Thanks for attaching the screenshot and the configuration snippet. From the Ambari configuration, the LDAP base is set to "OU=Users,OU=Enterprise,DC=hq,DC=uk,DC=com". So all the users and groups will be looked up inside this.

From the attached screenshot, it seems like the group 'hadoop_administrators' exists outside 'OU=Users...'. Please change the baseDn in the Ambari configuration to a common branch from where you can see both the users and the groups. That should fix this issue and your group will be found.

In case a top-level baseDn gives you too many results that you don't want, you can filter them by using the correct search filters.

Hope this helps !
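To make the scope point above concrete, here is an added offline reproduction of what the sync does (example code, not Ambari's own): it reads the ambari.properties lines from the question, builds the group filter Ambari derives from groupObjectClass and groupNamingAttr, and evaluates it only over entries that sit inside the configured baseDn, which is what an LDAP subtree search returns. The directory is constructed; the page only tells us the group lives outside OU=Users,OU=Enterprise, so its OU=Groups placement is an assumption. With the original OU=Users base the group is not visible and the lookup returns nothing, matching the "it doesn't exist" exception; with the base widened to DC=hq,DC=uk,DC=com it is found. The audit() function adds the caveat a reviewer would raise on either version of the posted config: useSSL=false with a non-anonymous bind sends the svc-hadoop-ldap password in clear to port 389.

```python
"""Offline reproduction of Ambari's LDAP group lookup, showing why sync-ldap
says "Couldn't sync LDAP group hadoop_administrators, it doesn't exist".
Added example, not Ambari code; DIRECTORY is constructed and the group's
OU=Groups placement is an assumption (the page only says it is outside OU=Users)."""
import re

def parse_properties(text):
    """Minimal Java .properties reader, enough for ambari.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_dn(dn):
    """Split a DN into normalised (type, value) RDNs: handles '\\,' escapes and
    folds case, because AD compares 'OU=Data Lake' and 'ou=data lake' as equal."""
    out = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        out.append((attr.strip().lower(), value.strip().replace("\\,", ",").lower()))
    return out

def in_subtree(entry_dn, base_dn):
    """True when entry_dn is base_dn or lies beneath it (what scope=sub returns)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

def escape_filter_value(value):
    """RFC 4515 escaping so a group name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def group_filter(props, group_name):
    """The filter Ambari derives from groupObjectClass and groupNamingAttr."""
    return "(&(objectClass=%s)(%s=%s))" % (
        props["authentication.ldap.groupObjectClass"],
        props["authentication.ldap.groupNamingAttr"],
        escape_filter_value(group_name))

def find_group(directory, props, group_name):
    """Evaluate the group filter over entries under baseDn; return the DN or None."""
    base = props["authentication.ldap.baseDn"]
    object_class = props["authentication.ldap.groupObjectClass"].lower()
    naming_attr = props["authentication.ldap.groupNamingAttr"].lower()
    for dn, attrs in directory:
        if not in_subtree(dn, base):
            continue  # outside the search base: invisible to the sync
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        names = [n.lower() for n in attrs.get(naming_attr, [])]
        if object_class in classes and group_name.lower() in names:
            return dn
    return None

def audit(props):
    """Flag a plaintext simple bind, the transport weakness in the posted config."""
    ssl = props.get("authentication.ldap.useSSL", "false").lower() == "true"
    anonymous = props.get("authentication.ldap.bindAnonymously", "false").lower() == "true"
    if ssl or anonymous:
        return []
    return ["plaintext simple bind: the password of %s is sent unencrypted to %s; "
            "set useSSL=true and point primaryUrl at the LDAPS port (636)"
            % (props.get("authentication.ldap.managerDn"), props.get("authentication.ldap.primaryUrl"))]

# Constructed directory; the group sits beside, not under, OU=Users.
DIRECTORY = [
    ("CN=hadoop_administrators,OU=Groups,OU=Enterprise,DC=hq,DC=uk,DC=com",
     {"objectclass": ["top", "group"], "cn": ["hadoop_administrators"],
      "member": ["CN=alice,OU=Users,OU=Enterprise,DC=hq,DC=uk,DC=com"]}),
    ("CN=alice,OU=Users,OU=Enterprise,DC=hq,DC=uk,DC=com",
     {"objectclass": ["top", "person", "organizationalPerson", "user"], "samaccountname": ["alice"]}),
]

# The settings from the question that drive the group search.
ORIGINAL = """
authentication.ldap.baseDn=OU=Users,OU=Enterprise,DC=hq,DC=uk,DC=com
authentication.ldap.bindAnonymously=false
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=group
authentication.ldap.managerDn=cn=svc-hadoop-ldap,OU=Data Lake,OU=Applications,OU=Administrative,DC=hq,DC=uk,DC=com
authentication.ldap.primaryUrl=mboro:389
authentication.ldap.useSSL=false
"""
# The same settings with the base widened to the domain root, as in the accepted reply.
WIDENED = ORIGINAL.replace("baseDn=OU=Users,OU=Enterprise,DC=hq,DC=uk,DC=com", "baseDn=DC=hq,DC=uk,DC=com")

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("widened", WIDENED)):
        props = parse_properties(text)
        print(label, group_filter(props, "hadoop_administrators"), "->",
              find_group(DIRECTORY, props, "hadoop_administrators"))
        for finding in audit(props):
            print("  WARN", finding)
```

Two practical notes on the posted settings. Widening baseDn to the domain root is the right fix for the search scope, but it is also why anything below the domain becomes a candidate; if that is too broad, keep the root base and tighten the object class and naming attribute rather than moving the base back under one OU. Also, authentication.ldap.dnAttribute expects the name of an attribute that holds each entry's DN, and for Active Directory that is distinguishedName as in the first configuration in the question; organizationalPerson is an object class, which is what userObjectClass is for.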

Master Mentor

@Vipin Rathor

Sorry to get back this late. I have just had access again and I have changed my baseDn to "DC=hq,DC=uk,DC=com" but that still doesn't pull the desired group.

This is making me mad

Contributor

It looks like an OU issue. The OU in AD and Ranger should be the same for a group or a user.
