Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

ambari-server sync-ldap no longer working

avatar
Explorer

I was able to sync LDAP at one point with Ambari. I'm not sure exactly when it broke. The users were synced before it broke all work fine and show up in Ambari as being Type: LDAP. When I try to run ambari-server sync-ldap with either the --existing option or --groups I get the same output complaining about the hostname. I have verified that hostname -f shows the correct FQDN and it matches what is output in the results of the command below.

ambari-server sync-ldap --existing

Using python /usr/bin/python

Syncing with LDAP...

Enter Ambari Admin login: adminusername

Enter Ambari Admin password:

Syncing existing.ERROR: Exiting with exit code 1.

REASON: Sync event creation failed. Error details: hostname '127.0.0.1' doesn't match u'hiddenhostname.domain.com'

1 ACCEPTED SOLUTION

avatar
Rising Star

So, the main reason we see this error is because the default behaviour for ssl cert verification have changed in python. If you take a look in /etc/python/cert-verification.cfg, you will see that in python-libs-2.7.5-34, the “verify=disable” value was default. But after upgrade of that package to python-libs-2.7.5-58, the value is now “verify=platform_default”. And at least in our system, that means enabled. After changing this back to “verify=disable”, the synchronization works again without having to do the workaround I wrote about earlier. I have verified this on a non-upgraded system by changing it to enabled and that also results in errors for the user synchronization

This error also affect LLAP if you are running that. After upgrade, LLAP wont start because of cert verifications. You will get a “[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)” error message. Changing the verify parameter described above also fixes that problem.

View solution in original post

7 REPLIES 7

avatar
Master Mentor

@Aaron Norton

What are the host entries in your ambari server /etc/hosts ?
Is the LDAP server entry correct ?

Please revert

avatar
Explorer

my /etc/hosts file only contains the 2 standard localhost lines. I have verified that both forward and revers DNS works correctly for the Ambari server and the LDAP server. I did try adding both of them into the /etc/hosts file in the format of "IP FQDN shortname" and that did not seem to make any difference at all. I looked at the ambari.properties file and it has the correct LDAP hostname in it.

avatar
Rising Star

I just got the exact same error. And the problem came after a “yum update” on a Redhat 7 server. I tested the synchronization just before I upgraded the OS and it worked fine. After the upgrade, I get the same error. I’ll post an answer once I find a solution to the problem

avatar
Rising Star

@Aaron Norton

One way you can work around this problem is to change "SERVER_API_HOST = '127.0.0.1'" in /usr/lib/python2.6/site-packages/ambari_server/serverUtils.py so it points to your server with the full hostname. That will work around the problem with SSL that we see.

avatar
Explorer

Yes that workaround does work. Will wait for a fix before I Accept the solution.

avatar
Rising Star

So, the main reason we see this error is because the default behaviour for ssl cert verification have changed in python. If you take a look in /etc/python/cert-verification.cfg, you will see that in python-libs-2.7.5-34, the “verify=disable” value was default. But after upgrade of that package to python-libs-2.7.5-58, the value is now “verify=platform_default”. And at least in our system, that means enabled. After changing this back to “verify=disable”, the synchronization works again without having to do the workaround I wrote about earlier. I have verified this on a non-upgraded system by changing it to enabled and that also results in errors for the user synchronization

This error also affect LLAP if you are running that. After upgrade, LLAP wont start because of cert verifications. You will get a “[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)” error message. Changing the verify parameter described above also fixes that problem.

avatar
Explorer

Thanks for the detailed explanation Berry!