In our application, we are having only LDAP (Single Server) for external authentication. Why do we need a sync of users in Ambari internal database. Can this authentication be done directly on LDAP , without having a copy of user\s in internal database. Example :- While applying security on Zeppelin through Shiro , we just give the details of LDAP server , and it does the authentication. Similarity is there any way we can directly authenticate from LDAP .
As per ambari current design, Ambari By default Ambari uses an internal database as the user store for authentication and authorization. By doing the ldap-sync it allows the LDAP users/groups to get sync with the ambari's internal database which ambari uses for authentication and authorization.
The ldap-sync actually synchronize your LDAP users and groups into the Ambari DB to be able to manage authorization and permissions against those users and groups.
Yes , Ambari syncs up the LDAP user into its internal database .
But the question is , can we authenticate the user directly from LDAP . In this way there would not be any sync of users . Just to add; Ambari users a python script to sync up with LDAP , now if some one tries to alter that script and access to all the attributes of LDAP . Then that might give rise to security breach .
So can you configure the Ambari authorisation directly over LDAP , without sync the user list to internal database.
The following link provides little more about the current ambari design in this regard: https://docs.hortonworks.com/HDPDocuments/Ambari-188.8.131.52/bk_ambari-administration/content/local_and_...
Local users are stored in and authenticate against the Ambari database. LDAP users have basic account information stored in the Ambari database. Unlike Local users, LDAP users authenticate against an external LDAP system. Local groups are stored in the Ambari database. LDAP groups have basic information stored in the Ambari database, including group membership information. Unlike Local groups, LDAP groups are imported and synchronized from an external LDAP system. To use LDAP users and groups with Ambari, you must configure Ambari to authenticate against an external LDAP system. A new Ambari user or group, created either locally or by synchronizing against LDAP, is granted no privileges by default.
Thanks for the clarification .
So what are the properties related to LDAP , that is being stored in Internal Database ?
Is there any architecture diagram illustrating; the use of Internal Database by Ambari along with LDAP ?
Thanks in advance :)