Sync LDAP problem
Labels: Apache Ambari, Apache Hadoop, Security
Created on 04-21-2017 07:23 PM - edited 09-16-2022 04:30 AM
Hi all,
I have a very bizarre situation while running sync-ldap for Ambari. The group does exist in the LDAP, but I get an exception! The contents of groups.txt is hadoop_administrators.
# ambari-server sync-ldap --users users.txt --groups groups.txt
21 Apr 2017 13:38:12,563 ERROR [pool-16-thread-6] LdapSyncEventResourceProvider:457 - Caught exception running LDAP sync.
org.apache.ambari.server.AmbariException: Couldn't sync LDAP group hadoop_administrators,it doesn't exist
    at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.synchronizeLdapGroups(AmbariLdapDataPopulator.java:253)
    at org.apache.ambari.server.controller.AmbariManagementControllerImpl.synchronizeLdapUsersAndGroups(AmbariManagementControllerImpl.java:4775)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.syncLdap(LdapSyncEventResourceProvider.java:487)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.processSyncEvents(LdapSyncEventResourceProvider.java:445)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.access$000(LdapSyncEventResourceProvider.java:65)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider$1.run(LdapSyncEventResourceProvider.java:257)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Here is my ambari.properties:
authentication.ldap.alternateUserSearchEnabled=true
authentication.ldap.alternateUserSearchFilter=(&(userPrincipalName={0})(objectClass=person))
authentication.ldap.baseDn=OU=Users,OU=Enterprise,DC=hq,DC=uk,DC=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=distinguishedName
authentication.ldap.groupMembershipAttr=member
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=group
authentication.ldap.managerDn=cn=svc-hadoop-ldap,OU=Data Lake,OU=Applications,OU=Administrative,DC=hq,DC=uk,DC=com
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=mboro:389
authentication.ldap.referral=ignore
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=person
authentication.ldap.usernameAttribute=sAMAccountName
Attached is a screenshot of my AD Explorer:
CN=svc-hadoop-ldap,OU=Data Lake,OU=Applications,OU=Administrative,DC=hq,DC=k,DC=grp
I have only 4 users in the LDAP group hadoop_administrators; these users were synced correctly, but the process couldn't pull the group.
I appreciate any help.
Created 04-26-2017 12:26 PM
Hi all,
My problem has been resolved! I had to ask the client to install AD Explorer and figured out the correct settings; I changed not only the baseDn but also all the group and user attributes!
authentication.ldap.baseDn=DC=hq,DC=uk,DC=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=organizationalPerson
authentication.ldap.groupMembershipAttr=member
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=group
authentication.ldap.managerDn=cn=svc-hadoop-ldap,ou=Data Lake,ou=Applications,ou=Administrative,dc=hq,dc=uk,dc=com
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=fake.uk.com:389
authentication.ldap.referral=ignore
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=organizationalPerson
authentication.ldap.usernameAttribute=sAMAccountName
This pulled out the desired users and group:
ambari-server sync-ldap --groups groups.txt
Using python /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing specified users and groups....
Completed LDAP Sync.
Summary:
memberships: removed = 0 created = 4
users: updated = 0 removed = 0 created = 1
groups: updated = 0 removed = 0 created = 1
Created 04-21-2017 09:58 PM
Hello @Geoffrey Shelton Okot,
Thanks for attaching the screenshot and the configuration snippet. In the Ambari configuration, the LDAP base is set to "OU=Users,OU=Enterprise,DC=hq,DC=uk,DC=com", so all users and groups will be looked up inside that subtree only.
From the attached screenshot, it seems the group 'hadoop_administrators' exists outside "OU=Users...". Please change the baseDn in the Ambari configuration to a common branch from which you can see both the users and the groups. That should fix this issue and your group will be found.
In case a top-level baseDn gives you too many results that you don't want, you can filter them by using the correct search filters.
Hope this helps!
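The scoping rule behind this answer, as an added example that is not part of the thread or of Ambari's code: an LDAP subtree search from a baseDn only returns entries whose DN ends with that base, so a group in a sibling OU of OU=Users is invisible no matter how correct the filter is. The in-memory directory below is constructed for the example; the OU=Groups and OU=External containers, the user names and the contractor member are assumptions, not facts from the poster's AD.

```python
# Added example (not from the original thread or from Ambari): a small
# in-memory model of what an LDAP sync does when it looks for a group,
# showing why a baseDn of OU=Users,... cannot find a group that lives in
# a sibling OU, and which members are left unlinked when the base covers
# the group but not every member.
from dataclasses import dataclass, field


@dataclass
class Entry:
    dn: str
    object_classes: frozenset
    attrs: dict = field(default_factory=dict)


def normalize_dn(dn):
    """Split a DN into its RDNs, trimming whitespace and lower-casing.

    Attribute types, and AD's string values, compare case-insensitively,
    so "ou=Data Lake" and "OU=Data Lake" are the same RDN.  The plain
    comma split assumes no escaped commas inside values, which holds for
    every DN in this thread.
    """
    return tuple(part.strip().lower() for part in dn.split(","))


def in_subtree(dn, base_dn):
    """True if dn is base_dn or sits beneath it (LDAP subtree scope).

    A DN is under a base exactly when its RDN list ends with the base's
    RDN list; an entry in a sibling OU never satisfies this.
    """
    d, b = normalize_dn(dn), normalize_dn(base_dn)
    return len(d) >= len(b) and d[-len(b):] == b


def find_group(entries, base_dn, group_name,
               group_object_class="group", group_naming_attr="cn"):
    """Emulate the group lookup: search the subtree under base_dn with
    the filter (&(objectClass=<groupObjectClass>)(<groupNamingAttr>=<name>)).

    Returns the matching entry's DN, or None when the search base does
    not contain the group (the situation behind "it doesn't exist").
    """
    wanted_class = group_object_class.lower()
    for entry in entries:
        if not in_subtree(entry.dn, base_dn):
            continue  # outside the search scope: the server never returns it
        if wanted_class not in {c.lower() for c in entry.object_classes}:
            continue
        if entry.attrs.get(group_naming_attr, "").lower() == group_name.lower():
            return entry.dn
    return None


def members_outside_base(entries, group_dn, base_dn):
    """Member DNs of a group whose own entries lie outside base_dn.

    Even once the group is found, only members inside the search base can
    be resolved and attached, so these users would silently stay unlinked.
    """
    by_dn = {normalize_dn(e.dn): e for e in entries}
    group = by_dn[normalize_dn(group_dn)]
    return [m for m in group.attrs.get("member", []) if not in_subtree(m, base_dn)]


# Constructed sample directory (assumed layout, not the real tree).
USERS_OU = "OU=Users,OU=Enterprise,DC=hq,DC=uk,DC=com"
GROUPS_OU = "OU=Groups,OU=Enterprise,DC=hq,DC=uk,DC=com"          # assumed
ADMIN_DN = "CN=hadoop_administrators," + GROUPS_OU
USER_DNS = ["CN=user%d,%s" % (i, USERS_OU) for i in range(1, 5)]
CONTRACTOR_DN = "CN=contractor1,OU=External,DC=hq,DC=uk,DC=com"   # assumed
PERSON = frozenset({"top", "person", "organizationalPerson", "user"})

DIRECTORY = [
    Entry(ADMIN_DN, frozenset({"top", "group"}),
          {"cn": "hadoop_administrators", "member": USER_DNS + [CONTRACTOR_DN]}),
    Entry(CONTRACTOR_DN, PERSON, {"sAMAccountName": "contractor1"}),
] + [
    Entry(dn, PERSON, {"sAMAccountName": "user%d" % i})
    for i, dn in enumerate(USER_DNS, start=1)
]

NARROW_BASE = USERS_OU                            # the poster's first baseDn
MID_BASE = "OU=Enterprise,DC=hq,DC=uk,DC=com"     # covers group, not contractor
WIDE_BASE = "DC=hq,DC=uk,DC=com"                  # the baseDn from the fix


def sync_group_under(base_dn, group_name="hadoop_administrators"):
    """Return (group DN or None, member DNs that would not be linked)."""
    group_dn = find_group(DIRECTORY, base_dn, group_name)
    if group_dn is None:
        return None, []
    return group_dn, members_outside_base(DIRECTORY, group_dn, base_dn)


if __name__ == "__main__":
    for base in (NARROW_BASE, MID_BASE, WIDE_BASE):
        print(base, "->", sync_group_under(base))
```

Run it and the narrow base returns no group at all, the intermediate base finds the group but leaves the contractor member unlinked, and the domain-root base finds everything; that is why the accepted fix widened baseDn to DC=hq,DC=uk,DC=com and relies on the object-class filters rather than the base to limit what is synced.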
Created 04-24-2017 07:19 PM
Sorry to get back this late. I have just had access again, and I have changed my baseDn to "DC=hq,DC=uk,DC=com", but that still doesn't pull the desired group.
This is making me mad
Created on 04-02-2020 10:23 PM - edited 04-02-2020 10:24 PM
It looks like an OU issue. The OU in AD and in Ranger should be the same for a group or a user.