ambari-server sync-ldap: Exiting with exit code 1

Expert Contributor

Hello,

I have created a Hortonworks Data Cloud cluster on AWS, with one master node and one worker node. On the master node I have configured the OpenLDAP server. Now I am trying to sync the OpenLDAP users with Ambari.

To sync the OpenLDAP users with Ambari, I execute the following command:

ambari-server sync-ldap --users users.txt

user.txt contains the names of the users to sync, separated by commas.

After executing the above command, it prompts for the Ambari login. After I enter the credentials for the Ambari server, it throws the following error:

ERROR: Exiting with exit code 1. REASON: Caught exception running LDAP sync. [LDAP: error code 49 - Invalid Credentials]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]

How can I resolve this error ?

Thank You.

1 ACCEPTED SOLUTION

Expert Contributor
@Geoffrey Shelton Okot

While configuring Ambari by running ambari-server setup-ldap, set the value of Bind anonymously* = true. Now I can see all the LDAP users in Ambari.

Thank You.


13 REPLIES

Master Mentor

@heta desai

The issue is caused by invalid credentials for the Ambari/LDAP admin [user & password].

Note

To perform this operation, your Ambari Server must be running.

  • When prompted, you must provide credentials for an Ambari Admin.
  • When syncing LDAP, local user accounts with a matching username will switch to LDAP type, which means their authentication will be against the external LDAP and not against the local Ambari user store.

Hope that helps

Expert Contributor

@Geoffrey Shelton Okot I am using the same credentials to log in to the Ambari UI and it works perfectly. But when I use them with the ambari-server sync-ldap command, it throws an error.

Master Mentor

@heta desai

That's correct, because you are trying to sync LDAP users but giving the Ambari admin password, hence "Invalid credentials". Here you need your LDAP admin user and password!!!

You will first need to generate the LDAP config file by running:

Step 1

ambari-server setup-ldap

It will prompt you for various parameters, like the LDAP admin user and password and the LDAP host FQDN and port.

Step 2

Then the command below actually syncs:

ambari-server sync-ldap [option]

The options can be:

  • --existing
  • --all
  • --users users.txt --groups groups.txt

See reference:

Configuring Ambari for LDAP or Active Directory Authentication

Hope that helps

Expert Contributor

@Geoffrey Shelton Okot

I have already configured LDAP using ambari-server setup-ldap. When I execute ambari-server sync-ldap --users user.txt, it prompts for Ambari credentials, not LDAP. When I execute ambari-server sync-ldap --existing, I entered the same Ambari credentials and it worked fine. You can check in the attached image below.

[attached screenshot: 72705-ldap.png]

Master Mentor

@heta desai

Sorry, maybe I misunderstood you; I didn't see the screenshot.

Expert Contributor

@Geoffrey Shelton Okot

Sorry, my bad. I updated the comment; you can check.

Master Mentor

@heta desai

From the above, your LDAP config pulls no data (users/groups) from the server, so that means you have a problem with your ldapsearch function.

What entries were added to your /etc/ambari-server/conf/ambari.properties? Can you compare it with the backup, if you took one? Such as:

authentication.ldap.baseDn=
authentication.ldap.managerDn=
authentication.ldap.primaryUrl=
authentication.ldap.bindAnonymously=
authentication.ldap.dnAttribute=
authentication.ldap.groupMembershipAttr=
authentication.ldap.groupNamingAttr=
authentication.ldap.groupObjectClass=
authentication.ldap.useSSL=
authentication.ldap.userObjectClass=
authentication.ldap.usernameAttribute=

These are AD-related but should be similar.

Expert Contributor

@Geoffrey Shelton Okot

Following are the entries in ambari.properties:

authentication.ldap.baseDn=dc=hadoop,dc=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=dn
authentication.ldap.groupMembershipAttr=gidNumber
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=posixGroup
authentication.ldap.managerDn=cn=Manager,dc=hadoop,dc=com
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=ip-00-0-00-000.ec2.internal:389
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=inetOrgPerson
authentication.ldap.usernameAttribute=uid

Master Mentor

@heta desai

Your sync process failed!

If you do not know the root entry of the LDAP server you are connecting to, you can query a special "meta" entry outside of the normal LDAP DIT for information about which DIT root entries it knows about:

ldapsearch -H ldap://server_domain_or_IP -x -LLL -s base -b "" namingContexts

The admin entry typically uses the simpleSecurityObject objectClass in order to gain the ability to set a password in the entry. You can use this to search for entries with this class:

ldapsearch -H ldap://server_domain_or_IP -x -LLL -b "dc=example,dc=com" "(objectClass=simpleSecurityObject)" dn

This will give you a list of the entries that use this class. Usually there is only one.

Performing the Bind

Once you have an entry and password, you can perform a simple bind during your request to authenticate yourself to the LDAP server:

ldapsearch -H ldap://server_domain_or_IP -x -D "cn=admin,dc=example,dc=com" -W

You should get the same result as the anonymous bind, indicating that your credentials were accepted.

Rerun the Ambari ldap setup

Use the values obtained from above:

ambari-server setup-ldap

You should have users and groups pulled from LDAP now.

Then run the LDAP sync:

ambari-server sync-ldap --existing

Your users should now be visible in Ambari, and if you enabled Ranger usersync then your users should be available in Ranger too!!!
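The properties posted earlier in the thread and the ldapsearch walkthrough above both come down to one question: does the bind that Ambari performs with authentication.ldap.managerDn and the password in ldap-password.dat succeed against slapd? LDAP error code 49 on a non-anonymous bind means exactly that it does not, and switching bindAnonymously to true sidesteps the check rather than fixing the manager credentials (and only works because slapd allows anonymous reads of the DIT). The script below is an added example, not part of this thread and not Ambari's own tooling: it reads the authentication.ldap.* keys from an ambari.properties file, lints the combinations that produce code 49 or an empty sync, builds the equivalent ldapsearch bind test, and normalises a users list into the comma-separated form --users expects. The sample ambari.properties, password file and users file are constructed here to mirror the values in the thread; the host name and password are placeholders, and no server is contacted unless RUN_LDAPSEARCH=1 is set and ldapsearch is installed.

```shell
#!/usr/bin/env bash
# Pre-flight check before `ambari-server sync-ldap`. Added example, not
# Ambari's own code. Assumes the authentication.ldap.* keys shown in the
# thread and that managerPassword is a path to a file, as setup-ldap writes it.
set -u

# Value of one key from a key=value properties file (dots in the key escaped).
ambari_prop() {                      # $1=properties file, $2=key
  local k
  k=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s/^[[:space:]]*${k}[[:space:]]*=[[:space:]]*//p" "$1" \
    | head -n 1 | sed 's/[[:space:]]*$//'
}

# Print, one per line, the ldapsearch arguments that reproduce the bind Ambari
# performs: a simple bind as managerDn using the password file, or anonymous.
ldap_bind_args() {                   # $1=properties file
  local f=$1 url ssl base dn pw anon
  url=$(ambari_prop "$f" authentication.ldap.primaryUrl)
  ssl=$(ambari_prop "$f" authentication.ldap.useSSL)
  base=$(ambari_prop "$f" authentication.ldap.baseDn)
  dn=$(ambari_prop "$f" authentication.ldap.managerDn)
  pw=$(ambari_prop "$f" authentication.ldap.managerPassword)
  anon=$(ambari_prop "$f" authentication.ldap.bindAnonymously)
  # Ambari stores host:port without a scheme; ldapsearch -H needs one.
  case $url in
    ldap://*|ldaps://*) ;;
    *) if [ "$ssl" = true ]; then url="ldaps://$url"; else url="ldap://$url"; fi ;;
  esac
  printf '%s\n' -x -H "$url" -b "$base" -s base -LLL
  # -y uses the whole file as the password, so a trailing newline becomes
  # part of it and yields the same "error code 49" Ambari reports.
  [ "$anon" = true ] || printf '%s\n' -D "$dn" -y "$pw"
}

# Report settings that produce error code 49 or an empty sync; one finding per
# line on stdout, return value = number of findings.
ambari_ldap_lint() {                 # $1=properties file
  local f=$1 n=0 anon dn pw
  anon=$(ambari_prop "$f" authentication.ldap.bindAnonymously)
  dn=$(ambari_prop "$f" authentication.ldap.managerDn)
  pw=$(ambari_prop "$f" authentication.ldap.managerPassword)
  if [ "$anon" != true ]; then
    [ -n "$dn" ] || { echo "bindAnonymously=false but managerDn is empty"; n=$((n+1)); }
    if [ ! -f "$pw" ]; then
      echo "managerPassword file $pw does not exist"; n=$((n+1))
    else
      # The bind password must not be readable by other local users.
      case $(ls -l "$pw" | cut -c8-10) in
        ---) ;;
        *) echo "managerPassword file $pw is readable by others"; n=$((n+1)) ;;
      esac
      [ -s "$pw" ] && [ -z "$(tail -c 1 "$pw")" ] \
        && { echo "managerPassword file $pw ends with a newline"; n=$((n+1)); }
    fi
  fi
  [ "$anon" = true ] && [ -n "$dn" ] \
    && { echo "bindAnonymously=true: managerDn $dn is ignored; slapd must allow anonymous reads"; n=$((n+1)); }
  return "$n"
}

# `sync-ldap --users` wants one comma-separated line; accept newline/comma lists.
users_csv() {                        # $1=file with user names
  tr -s ',[:space:]' '\n' < "$1" | sed '/^$/d' | paste -s -d , -
}

# ---- constructed fixture mirroring the properties posted in the thread ----
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
printf 'secret\n' > "$work/ldap-password.dat"      # wrong on purpose: newline, 0644
chmod 644 "$work/ldap-password.dat"
cat > "$work/ambari.properties" <<EOF
authentication.ldap.baseDn=dc=hadoop,dc=com
authentication.ldap.bindAnonymously=false
authentication.ldap.managerDn=cn=Manager,dc=hadoop,dc=com
authentication.ldap.managerPassword=$work/ldap-password.dat
authentication.ldap.primaryUrl=ip-00-0-00-000.ec2.internal:389
authentication.ldap.useSSL=false
authentication.ldap.usernameAttribute=uid
EOF
printf 'alice\nbob, carol\n' > "$work/users.txt"

echo "bind test: ldapsearch $(ldap_bind_args "$work/ambari.properties" | tr '\n' ' ')"
echo "users.txt for --users: $(users_csv "$work/users.txt")"
ambari_ldap_lint "$work/ambari.properties" || echo "$? finding(s); fix these before sync-ldap"

if [ "${RUN_LDAPSEARCH:-0}" = 1 ] && command -v ldapsearch >/dev/null; then
  IFS='
'
  set -f; set -- $(ldap_bind_args "$work/ambari.properties"); set +f; unset IFS
  ldapsearch "$@"          # exit 49 here is the same failure sync-ldap reports
fi
```

Run it against the real file with the path substituted (for example `ldap_bind_args /etc/ambari-server/conf/ambari.properties`); a bind that returns "Invalid credentials (49)" from ldapsearch means the manager DN or the contents of ldap-password.dat are wrong, and that is what to fix before re-running ambari-server setup-ldap and sync-ldap.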