Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Sync ldap problem

avatar
author-rank Shelton
Master Mentor

Created on ‎04-21-2017 07:23 PM - edited ‎09-16-2022 04:30 AM

ad-browser.pngHi all,

I have a very Bizarre situation while running sync-ldap for Ambari The group does exist in the LDAP but I get an exception ! The contents of the groups.txt is hadoop_administrators 

# ambari-server sync-ldap --users users.txt --groups groups.txt 21 Apr 2017 13:38:12,563 ERROR [pool-16-thread-6] LdapSyncEventResourceProvider:457 - Caught exception running LDAP sync.
org.apache.ambari.server.AmbariException: Couldn't sync LDAP group hadoop_administrators,it doesn't exist
at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.synchronizeLdapGroups(AmbariLdapDataPopulator.java:253)
at org.apache.ambari.server.controller.AmbariManagementControllerImpl.synchronizeLdapUsersAndGroups(AmbariManagementControllerImpl.java:4775)
at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.syncLdap(LdapSyncEventResourceProvider.java:487)
at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.processSyncEvents(LdapSyncEventResourceProvider.java:445)
at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.access$000(LdapSyncEventResourceProvider.java:65)
at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider$1.run(LdapSyncEventResourceProvider.java:257)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

Here is my ambari.properties 

authentication.ldap.alternateUserSearchEnabled=true
authentication.ldap.alternateUserSearchFilter=(&(userPrincipalName={0})(objectClass=person))
authentication.ldap.baseDn=OU=Users,OU=Enterprise,DC=hq,DC=uk,DC=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=distinguishedName
authentication.ldap.groupMembershipAttr=member
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=group
authentication.ldap.managerDn=cn=svc-hadoop-ldap,OU=Data Lake,OU=Applications,OU=Administrative,DC=hq,DC=uk,DC=com
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=mboro:389
authentication.ldap.referral=ignore
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=person
authentication.ldap.usernameAttribute=sAMAccountName

Attached is a screenshot of my AD explorer 

CN=svc-hadoop-ldap,OU=Data Lake,OU=Applications,OU=Administrative,DC=hq,DC=k,DC=grp

I have only 4 users in the LDAP group hadoop_administrators,these users were synced correctly but the process couldn't pull the group.

I appreciate any help.

2,980 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank Shelton
Master Mentor

Created ‎04-26-2017 12:26 PM

Hi all,

My problem has been resolved ! I had to ask the client to install a AD Explorer and figured out the correct settings and not only changed the baseDn all the group and user attributes !

authentication.ldap.baseDn=DC=hq,DC=uk,DC=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=organizationalPerson
authentication.ldap.groupMembershipAttr=member
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=group
authentication.ldap.managerDn=cn=svc-hadoop-ldap,ou=Data Lake,ou=Applications,ou=Administrative,dc=hq,dc=uk,dc=com
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=fake.uk.com:389
authentication.ldap.referral=ignore
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=organizationalPerson
authentication.ldap.usernameAttribute=sAMAccountName

This pulled out the desired users and group 

ambari-server sync-ldap --groups groups.txt
Using python  /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:Syncing
specified users and groups....Completed
LDAP Sync.Summary: 
memberships: 
removed = 0 
created = 4 
users: 
updated = 0 
removed = 0 
created = 1 
groups: 
updated = 0 
removed = 0 
created = 1

View solution in original post

2,697 Views
0 Kudos
4 REPLIES 4

avatar
author-rank VR46 author-rank
Guru

Created ‎04-21-2017 09:58 PM

Hello @Geoffrey Shelton Okot,

Thanks for attaching the screenshot and the configuration snippet. From the Ambari configuration, the LDAP base is set to "OU=Users,OU=Enterprise,DC=hq,DC=uk,DC=com". So all the users and groups will be looked inside this.

From the attached screenshot, it seems like the group 'hadoop_administrators' exist outside 'OU=Users...". Please change the baseDn in Ambari configuration to a common branch from where you can see the users and groups both. That should fix this issue and your group will be found.

In case, a top level baseDn is giving you too many results that you don't want, you can filter them by using the correct searchFilters.

Hope this helps !

2,697 Views
0 Kudos

avatar
author-rank Shelton
Master Mentor

Created ‎04-24-2017 07:19 PM

@Vipin Rathor

Sorry to get back this late I have just had acess again and I have change my baseDn to "DC=hq,DC=uk,DC=com" but that doesn't still pull the desired group.

This is making me mad

2,697 Views
0 Kudos

avatar
author-rank sppandita85BLR
Explorer

Created on ‎04-02-2020 10:23 PM - edited ‎04-02-2020 10:24 PM

It looks like an  OU issue. OU in AD and ranger should be the same for a group or a user.

 

2,550 Views
0 Kudos

avatar
author-rank Shelton
Master Mentor

Created ‎04-26-2017 12:26 PM

Hi all,

My problem has been resolved ! I had to ask the client to install a AD Explorer and figured out the correct settings and not only changed the baseDn all the group and user attributes !

authentication.ldap.baseDn=DC=hq,DC=uk,DC=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=organizationalPerson
authentication.ldap.groupMembershipAttr=member
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=group
authentication.ldap.managerDn=cn=svc-hadoop-ldap,ou=Data Lake,ou=Applications,ou=Administrative,dc=hq,dc=uk,dc=com
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=fake.uk.com:389
authentication.ldap.referral=ignore
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=organizationalPerson
authentication.ldap.usernameAttribute=sAMAccountName

This pulled out the desired users and group 

ambari-server sync-ldap --groups groups.txt
Using python  /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:Syncing
specified users and groups....Completed
LDAP Sync.Summary: 
memberships: 
removed = 0 
created = 4 
users: 
updated = 0 
removed = 0 
created = 1 
groups: 
updated = 0 
removed = 0 
created = 1
2,698 Views
0 Kudos
Announcements
Community Announcements
April 2025 Cloudera Customer Advisory: Cloudera’s response t...
What's New @ Cloudera
Announcing availability of Spark 3.5 on Cloudera Unified Run...
What's New @ Cloudera
Cloudera Operational Database supports Security-Enhanced Lin...
What's New @ Cloudera
Cloudera Operational Database supports creating AWS Graviton...
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics 1.15 for Cloudera 7....
View More Announcements